Rowland Penny
2015-Jan-06 08:56 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 06/01/15 06:17, Jason Long wrote:
> Thanks.
> My domain name is "jasondomain.jj" and backend is "jasondomaini".

No, your realm name is "jasondomain.jj" and it would seem that your domain name is "jasondomaini"; the domain name can also be known as the 'workgroup' name.

Set smb.conf to match this:

[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAIN.JJ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAINI : range = 10000-999999
idmap config JASONDOMAINI : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user

Set /etc/krb5.conf to this:

[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

Set /etc/resolv.conf:

nameserver <ip of your windows server>
search jasondomain.jj

If /etc/krb5.keytab exists, delete it.
Make sure the time on the client matches the server.
Then try to join the domain:

net ads join -U Administrator at JASONDOMAIN.JJ

Rowland

> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 05/01/15 11:09, Jason Long wrote:
>> Thank you.
>>
>> My Windows is Windows Server 2008 R2.
>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>> My Windows does not have any Workgroup name. It is a Domain.
>>
>> Thanks
>>
>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/01/15 07:02, Jason Long wrote:
>>> Thanks a lot.
>>> I changed the below lines to the correct domain name:
>>>
>>> idmap config JASONDOMAIN : range = 10000-999999
>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>
>>> and after the join, the command "net rpc testjoin" shows the same error:
>>>
>>> Unable to find a suitable server for domain JASONDOMAINI
>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>
>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = JASONDOMAIN.JJ
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> renew_lifetime = 7d
>>> forwardable = yes
>>> default_keytab_name = /etc/krb5.keytab
>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> pkinit_kdc_hostname = <DNS>
>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>> pkinit_eku_checking = kpServerAuth
>>> pkinit_win2k_require_binding = false
>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>
>>> [realms]
>>> EXAMPLE.COM = {
>>> kdc = kerberos.example.com
>>> admin_server = kerberos.example.com
>>> }
>>> JASONDOMAIN.JJ = {
>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>> auth_to_local = DEFAULT
>>> }
>>>
>>> [domain_realm]
>>> .example.com = EXAMPLE.COM
>>> example.com = EXAMPLE.COM
>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>> [capaths]
>>> [appdefaults]
>>> pam = {
>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>
>>> forwardable = true
>>> validate = true
>>> }
>>> httpd = {
>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>> }
>>>
>>> What is your idea? I must tell you that after I removed LikeWise and configured it manually, I can't log in to Linux via Windows AD accounts.
>>>
>>> Thanks.
>>>
>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>> Thanks a lot.
>>>>> I entered the command and the result is:
>>>>>
>>>>> Using short domain name -- JASONDOMAINI
>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>
>>>>> but after running "net rpc testjoin":
>>>>>
>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>
>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>
>>>>> On Windows I used the "set" command and it shows me:
>>>>>
>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>> USERDOMAIN= JASONDOMAINI
>>>>>
>>>>> I guess that I must change "JASONDOMAINI" in the below lines to "JASONDOMAIN":
>>>>>
>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>
>>>>> Am I right?
>>>>>
>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>> Thank you.
>>>>>> I used the below video to join my Linux box to the Windows domain:
>>>>>>
>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>
>>>>>> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>> Thanks.
>>>>>>>
>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>
>>>>>>> ads_connect: No logon servers
>>>>>>> Join to domain is not valid: No logon servers
>>>>>> You are *not* joined to the domain, I suppose this should have been asked earlier, but how did you do the domain join ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>> As you see, I followed the steps in the video.
>>>>>>>
>>>>>>> :(.
>>>>>>>
>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>> Thank you.
>>>>>>>> The command shows the below error:
>>>>>>>>
>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>
>>>>>>>> :(
>>>>>>>>
>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>> Thanks.
>>>>>>>>> I changed the command as below:
>>>>>>>>>
>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>
>>>>>>>>> But I got the below error:
>>>>>>>>>
>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>> Thank you so much, but I ran the below commands on Linux:
>>>>>>>>>>
>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>
>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>
>>>>>>>>>> Enter administrator's password:
>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>
>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>
>>>>>>>>>>> I made some changes like below:
>>>>>>>>>>>
>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>>>>
>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>>>>>>> I added the below lines to the [global] section too:
>>>>>>>>>>>
>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>
>>>>>>>>>>> But about the below commands, can you tell me more?
>>>>>>>>>>>
>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>
>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>> No :-)
>>>>>>>>>>
>>>>>>>>>> The first one gives members of Domain Admins the right to change windows ACL's on a share.
>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>
>>>>>>>>>>> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>>>>>
>>>>>>>>>>>> [global]
>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>> security = ADS
>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>
>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory.
>>>>>>>>>>>> But it has two problems:
>>>>>>>>>>>>
>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>
>>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>>
>>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>>
>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>
>>>>>>>>>>>> # file: test/
>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>> user::rwx
>>>>>>>>>>>> group::r-x
>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>
>>>>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>>>>
>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>
>>>>>>>>>>>> In your view, did I use the correct command to set the permission?
>>>>>>>>>>>>
>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>> About your question I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.
>>>>>>>>>>>>
>>>>>>>>>>>> So anywhere that you come across these, you should use the relevant one, these are the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>
>>>>>>>>>>>> [global]
>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>> security = ADS
>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>> ..........
>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>
>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>>
>>>>>>>>>>> right, answers to your questions
>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could not chdir to home directory', in which case you will end up in the root of the computer.
>>>>>>>>>>>
>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you should be able to navigate to the share by entering the path.
>>>>>>>>>>> Have a look here:
>>>>>>>>>>>
>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>
>>>>>>>>> -S server name
>>>>>>>>>
>>>>>>>>> OR
>>>>>>>>>
>>>>>>>>> -I address of target server
>>>>>>>>>
>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>
>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> OK, try it like this:
>>>>>>>>
>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>>>>
>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Sounds like something is wrong with the join, what does 'net ads testjoin' return ? You may have to run this command with sudo.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki updated. Likewiseopen was replaced some time ago by PowerBroker Open, I cannot recommend using either of these, because quite simply, they are not needed.
>>>>>
>>>>> Check the following files:
>>>>>
>>>>> /etc/samba/smb.conf
>>>>>
>>>>> [global]
>>>>> workgroup = JASONDOMAINI
>>>>> security = ADS
>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> server string = Samba 4 Client %h
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind use default domain = yes
>>>>> winbind expand groups = 4
>>>>> winbind nss info = rfc2307
>>>>> winbind refresh tickets = Yes
>>>>> winbind normalize names = Yes
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config JASONDOMAINI : backend = ad
>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>> printcap name = cups
>>>>> cups options = raw
>>>>> usershare allow guests = yes
>>>>> domain master = no
>>>>> local master = no
>>>>> preferred master = no
>>>>> os level = 20
>>>>> map to guest = bad user
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = Yes
>>>>> store dos attributes = Yes
>>>>> log level = 6
>>>>>
>>>>> /etc/krb5.conf
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>> /etc/resolv.conf
>>>>>
>>>>> nameserver <your AD DC's ipaddress>
>>>>> search jasondomaini.jasondomain.jj
>>>>>
>>>>> If required, alter them to match the above, check that 'hostname' returns only the hostname of the client, check that 'hostname -f' returns the FQDN. If either are not correct, fix them.
>>>>>
>>>>> Remove likewiseopen
>>>>>
>>>>> Once everything is correct, run the following command:
>>>>>
>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>
>>>>> You should be asked for the domain Administrator's password, enter this and you should join the domain
>>>>>
>>>>> Rowland
>>>>>
>>>> What Windows DC are you using ?
>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>
>>>> Rowland
>>> oops, that should have been:
>>>
>>> What is the realm name & workgroup name on the Windows DC ?
>>>
>>> Rowland
>>>
>> Hi, will you answer these questions:
>>
>> What Windows DC are you using ?
>> What is the realm name on the Windows DC ?
>> What is the workgroup name on the Windows DC ?
>>
>> You do not need all of what you have in /etc/krb5.conf, but please answer the questions above first.
>>
>> Rowland
>>
> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>
> Rowland
>
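Rowland's advice in the message above comes down to making three files agree: the workgroup in smb.conf must be the short domain name (what Windows shows as USERDOMAIN), the realm in smb.conf and default_realm in krb5.conf must both be the upper-case DNS domain (USERDNSDOMAIN), the search line in resolv.conf is that same name in lower case, and the idmap config block has to be keyed on the workgroup name with a range that does not overlap the '*' range. The POSIX shell script below is an added example written for this archive page, not code from the thread or from the Samba project; it encodes those checks so they can be run before 'net ads join'. The function names and the sample files it writes are constructed for the demonstration (192.0.2.10 is a documentation address standing in for the DC), and the "mismatched" set reproduces the naming mix-ups seen earlier in the thread.

```shell
#!/bin/sh
# Added example, not Samba's own tooling: cross-check the names in smb.conf,
# krb5.conf and resolv.conf on an AD member.  Function names are hypothetical;
# the sample files are constructed from the values discussed in the thread.

# conf_get FILE KEY: print the value of "KEY = value".  Key matching is
# case-insensitive and ignores whitespace around ':', so both
# "idmap config DOM : backend" and "idmap config DOM:backend" match.
conf_get() {
    awk -v key="$2" '
        function norm(s) {
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            gsub(/[ \t]*:[ \t]*/, ":", s)
            return tolower(s)
        }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            if (norm(k) == norm(key)) {
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# ranges_overlap LO-HI LO-HI: succeed when two idmap ranges intersect.
ranges_overlap() {
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# flag MESSAGE: report one disagreement and count it.
flag() { echo "$1"; problems=$((problems + 1)); }

# check_member_config SMB_CONF KRB5_CONF RESOLV_CONF: print one line per
# disagreement; exit 0 when the files agree, 1 otherwise.
check_member_config() {
    smb=$1; krb5=$2; resolv=$3; problems=0
    wg=$(conf_get "$smb" workgroup)
    realm=$(conf_get "$smb" realm)
    krb_realm=$(conf_get "$krb5" default_realm)
    search=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    realm_lc=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # workgroup is the short domain name (USERDOMAIN on Windows), never the DNS name
    case $wg in *.*) flag "workgroup '$wg' contains a dot: use the short NetBIOS domain name" ;; esac
    # realm is the DNS domain (USERDNSDOMAIN) in upper case; krb5.conf and resolv.conf carry the same name
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || flag "realm '$realm' must be upper case"
    [ "$krb_realm" = "$realm" ] || flag "krb5.conf default_realm '$krb_realm' differs from smb.conf realm '$realm'"
    [ "$search" = "$realm_lc" ] || flag "resolv.conf search '$search' differs from lower-cased realm '$realm_lc'"
    # the per-domain idmap block must be keyed on the workgroup name
    [ -n "$(conf_get "$smb" "idmap config $wg : backend")" ] || flag "no 'idmap config $wg : backend' entry: idmap block is not keyed on the workgroup"
    star=$(conf_get "$smb" 'idmap config * : range')
    dom=$(conf_get "$smb" "idmap config $wg : range")
    if [ -n "$star" ] && [ -n "$dom" ] && ranges_overlap "$star" "$dom"; then
        flag "idmap ranges '$star' (*) and '$dom' ($wg) overlap"
    fi
    [ "$problems" -eq 0 ]
}

# write_sample_configs DIR KIND: write constructed sample files into DIR.
# "consistent" uses the names recommended above; "mismatched" repeats the
# confusion from the thread (DNS name as workgroup, idmap keyed on the wrong
# label, a default_realm with an extra component).
write_sample_configs() {
    if [ "$2" = consistent ]; then
        wg=JASONDOMAINI; idmap_dom=JASONDOMAINI; krb_realm=JASONDOMAIN.JJ
    else
        wg=JASONDOMAIN.JJ; idmap_dom=JASONDOMAIN; krb_realm=JASONDOMAINI.JASONDOMAIN.JJ
    fi
    cat > "$1/smb.conf" <<EOF
[global]
   workgroup = $wg
   security = ADS
   realm = JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config $idmap_dom : backend = ad
   idmap config $idmap_dom : range = 10000-999999
   idmap config $idmap_dom : schema_mode = rfc2307
EOF
    cat > "$1/krb5.conf" <<EOF
[libdefaults]
   default_realm = $krb_realm
EOF
    # 192.0.2.10 is a documentation address standing in for the DC
    printf 'nameserver 192.0.2.10\nsearch jasondomain.jj\n' > "$1/resolv.conf"
}

# Stand-alone run: report on both sample sets.
demo_dir=$(mktemp -d)
for kind in consistent mismatched; do
    write_sample_configs "$demo_dir" "$kind"
    printf '== %s sample ==\n' "$kind"
    if check_member_config "$demo_dir/smb.conf" "$demo_dir/krb5.conf" "$demo_dir/resolv.conf"; then
        echo "OK: workgroup, realm, DNS search domain and idmap block agree"
    fi
done
rm -rf "$demo_dir"
```

Against a live member, call check_member_config /etc/samba/smb.conf /etc/krb5.conf /etc/resolv.conf; it prints each disagreement and exits non-zero, so it can gate a provisioning script. It does not replace 'net ads testjoin', which also depends on working DNS and clock sync; it only catches the naming mistakes before they are baked into a join.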
Jason Long
2015-Jan-07 10:51 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you. I changed my "krb5.conf" as below:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so

and removed "krb5.keytab" too.

You told me that my domain name is "jasondomaini" but it is wrong. My domain name is "jasondomain.jj" and the backend is "jasondomaini"; for example, when I want to log in to Windows I use "jasondomaini\jason".

After entering the command "net ads join -U jason at jasondomain.jj", my computer joined, but when I use "net rpc testjoin" I get the same error as below:

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?

Thanks.

On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 06/01/15 06:17, Jason Long wrote:
> Thanks.
> My domain name is "jasondomain.jj" and backend is "jasondomaini".

No, your realm name is "jasondomain.jj" and it would seem that your domain name is "jasondomaini"; the domain name can also be known as the 'workgroup' name.
>>>>> >>>>> Check the following files: >>>>> >>>>> /etc/samba/smb.conf >>>>> >>>>> [global] >>>>> workgroup = JASONDOMAINI >>>>> security = ADS >>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>> dedicated keytab file = /etc/krb5.keytab >>>>> kerberos method = secrets and keytab >>>>> server string = Samba 4 Client %h >>>>> winbind enum users = yes >>>>> winbind enum groups = yes >>>>> winbind use default domain = yes >>>>> winbind expand groups = 4 >>>>> winbind nss info = rfc2307 >>>>> winbind refresh tickets = Yes >>>>> winbind normalize names = Yes >>>>> idmap config * : backend = tdb >>>>> idmap config * : range = 2000-9999 >>>>> idmap config JASONDOMAINI : backend = ad >>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>> printcap name = cups >>>>> cups options = raw >>>>> usershare allow guests = yes >>>>> domain master = no >>>>> local master = no >>>>> preferred master = no >>>>> os level = 20 >>>>> map to guest = bad user >>>>> vfs objects = acl_xattr >>>>> map acl inherit = Yes >>>>> store dos attributes = Yes >>>>> log level = 6 >>>>> >>>>> /etc/krb5.conf >>>>> >>>>> [libdefaults] >>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>> dns_lookup_realm = false >>>>> dns_lookup_kdc = true >>>>> ticket_lifetime = 24h >>>>> forwardable = yes >>>>> >>>>> /etc/resolv.conf >>>>> >>>>> nameserver <your AD DC's ipaddress> >>>>> search jasondomaini.jasondomain.jj >>>>> >>>>> If required, alter them to match the above, check that 'hostname' >>>>> returns only the hostname of the client, check that 'hostname -f' >>>>> returns the FQDN. If either are not correct, fix them. 
>>>>> >>>>> Remove likewiseopen >>>>> >>>>> Once everything is correct, run the following command: >>>>> >>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ >>>>> >>>>> You should be asked for the domain Administrators password, enter this >>>>> and you should join the domain >>>>> >>>>> Rowland >>>>> >>>> What Windows DC are you using ? >>>> What is the realm name * workgroup name on the Windows DC ? >>>> >>>> Rowland >>> oops, that should have been: >>> >>> >>> What is the realm name & workgroup name on the Windows DC ? >>> >>> Rowland >>> >> Hi, will you answer these questions: >> >> What Windows DC are you using ? >> What is the realm name on the Windows DC ? >> What is the workgroup name on the Windows DC ? >> >> You do not need all of what you have in /etc/krb5.conf, but please >> answer the questions above first. >> >> Rowland >> > OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ') > > Rowland >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Jan-07 10:59 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 07/01/15 10:51, Jason Long wrote:
> Thank you.
> I changed my "krb5.conf" as below:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>

My krb5.conf is:

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

>
> and removed "krb5.keytab" too. You told me that my domain name is
> "jasondomaini" but it is wrong, my domain name is "jasondomain.jj" and
> backend is "jasondomaini". For example, when I want to log in to Windows
> I use "jasondomaini\jason".
>
> After entering the command "net ads join -U jason@jasondomain.jj", my
> computer joined, but when I use "net rpc testjoin", I get the same error
> as below:
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?

You shouldn't, because 'JASONDOMAINI' *IS* your domain name, *NOT* the backend!!!

The join command should be 'net ads join -U jason@JASONDOMAIN.JJ', but
does 'jason' have the required rights to join the domain ??

Try again but this time use:

net ads join -U Administrator@JASONDOMAIN.JJ

and enter the 'Administrator' password when prompted.

Rowland

>
> Thanks.
>
> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 06/01/15 06:17, Jason Long wrote:
>> Thanks.
>> My domain name is "jasondomain.jj" and backend is "jasondomaini".
> No, your realm name is "jasondomain.jj" and it would seem that your
> domain name is "jasondomaini", the domain name can also be known as the
> 'workgroup' name.
>
> Set smb.conf to match this:
>
> [global]
> workgroup = JASONDOMAINI
> security = ADS
> realm = JASONDOMAIN.JJ
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config JASONDOMAINI : backend = ad
> idmap config JASONDOMAINI : range = 10000-999999
> idmap config JASONDOMAINI : schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> set /etc/krb5.conf to this:
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> set /etc/resolv.conf
>
> nameserver <ip of your windows server>
> search jasondomain.jj
>
> If /etc/krb5.keytab exists, delete it.
>
> make sure the time on the client matches the server.
>
> then try to join the domain:
>
> net ads join -U Administrator@JASONDOMAIN.JJ
>
> Rowland
>>
>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/01/15 11:09, Jason Long wrote:
>>> Thank you.
>>>
>>> My Windows is Windows Server 2008 R2.
>>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>>> My Windows does not have any Workgroup name. It is a Domain.
>>>
>>> Thanks
>>>
>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 05/01/15 07:02, Jason Long wrote:
>>>> Thanks a lot.
>>>> I changed the lines below to the correct domain name:
>>>>
>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>
>>>> and after the join, the command "net rpc testjoin" shows the same error:
>>>>
>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options.
The file is " >>>> >>>> [logging] >>>> default = FILE:/var/log/krb5libs.log >>>> kdc = FILE:/var/log/krb5kdc.log >>>> admin_server = FILE:/var/log/kadmind.log >>>> >>>> [libdefaults] >>>> default_realm = JASONDOMAIN.JJ >>>> dns_lookup_realm = false >>>> dns_lookup_kdc = true >>>> ticket_lifetime = 24h >>>> renew_lifetime = 7d >>>> forwardable = yes >>>> default_keytab_name = /etc/krb5.keytab >>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>> pkinit_kdc_hostname = <DNS> >>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>>> pkinit_eku_checking = kpServerAuth >>>> pkinit_win2k_require_binding = false >>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >>>> >>>> [realms] >>>> EXAMPLE.COM = { >>>> kdc = kerberos.example.com >>>> admin_server = kerberos.example.com >>>> } >>>> JASONDOMAIN.JJ = { >>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ >>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/ >>>> auth_to_local = DEFAULT >>>> } >>>> >>>> [domain_realm] >>>> .example.com = EXAMPLE.COM >>>> example.com = EXAMPLE.COM >>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ >>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ >>>> [capaths] >>>> [appdefaults] >>>> pam = { >>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>> forwardable = true >>>> validate = true >>>> } >>>> httpd = { >>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1 >>>> } >>>> >>>> >>>> >>>> What is your idea? I must tell you that after removed LikeWise and configure manually, I can't login to Linux via Windows AD accounts. >>>> >>>> >>>> Thanks. 
>>>> >>>> >>>> >>>> >>>> >>>> >>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>> On 04/01/15 13:00, Rowland Penny wrote: >>>>> On 04/01/15 10:17, Jason Long wrote: >>>>>> Thanks a lot. >>>>>> I enter the command and result is : >>>>>> >>>>>> Using short domain name -- JASONDOMAINI >>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ' >>>>>> but after run "net rpc testjoin" : >>>>>> >>>>>> Unable to find a suitable server for domain JASONDOMAINI >>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>>>>> >>>>>> I guess I understand what is my problem. I'm really sorry :(. >>>>>> >>>>>> On Windows OS i used "set" command and it show me : >>>>>> >>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ >>>>>> USERDOMAIN= JASONDOMAINI >>>>>> >>>>>> I guess that I must change "JASONDOMAINI" in below texts to >>>>>> "JASONDOMAIN" : >>>>>> >>>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>>> >>>>>> Am I right? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny >>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>> On 03/01/15 15:08, Jason Long wrote: >>>>>>> Thank you. >>>>>>> I used below videos for join my Linux Box to Windows domain : >>>>>>> >>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic >>>>>>> >>>>>>> Please look at this video and I used instructions in it and >>>>>>> LikeWiseOpen tool. >>>>>>> >>>>>>> >>>>>>> Cheers. >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny >>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>> On 03/01/15 12:38, Jason Long wrote: >>>>>>>> Thanks. >>>>>>>> >>>>>>>> I enter "net ads testjoin" and it show me : >>>>>>>> >>>>>>>> ads_connect: No logon servers >>>>>>>> Join to domain is not valid: No logon servers >>>>>>> You are *not* joined to the domain, I suppose this should have been >>>>>>> asked earlier, but how did you do the domain join ? 
>>>>>>> >>>>>>> Rowland >>>>>>> >>>>>>> >>>>>>> >>>>>>>> If it is incorrect, Why I can Login to Linux via Windows account? >>>>>>>> As you see, I followed the steps on Video. >>>>>>>> >>>>>>>> :(. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny >>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>> On 03/01/15 05:41, Jason Long wrote: >>>>>>>>> Thank you. >>>>>>>>> Command show below error : >>>>>>>>> >>>>>>>>> Could not connect to server 192.168.1.1 >>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>>>>>> >>>>>>>>> :( >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny >>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>> On 31/12/14 09:55, Jason Long wrote: >>>>>>>>>> Thanks. >>>>>>>>>> I changed the command as below : >>>>>>>>>> >>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' >>>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1 >>>>>>>>>> >>>>>>>>>> But Got below error : >>>>>>>>>> >>>>>>>>>> Could not connect to server 192.168.1.1 >>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>>>>>>> >>>>>>>>>> Cheers. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny >>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>> On 31/12/14 09:17, Jason Long wrote: >>>>>>>>>>> Thank you so much but I run below commands on linux : >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' >>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator >>>>>>>>>>> # net rpc rights list accounts -Uadministrator >>>>>>>>>>> >>>>>>>>>>> it ask me a password for "administrator: >>>>>>>>>>> >>>>>>>>>>> Enter administrator's password: >>>>>>>>>>> Could not connect to server 127.0.0.1 >>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS >>>>>>>>>>> >>>>>>>>>>> Must I enter windows administrator password? 
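The point Rowland keeps restating in both messages above is that the NetBIOS domain (workgroup), the Kerberos realm and the label in every 'idmap config <DOMAIN>' line have to agree with each other, and that the '*' and domain idmap ranges must be disjoint. As an added example (my own code, not anything from the Samba project or from the thread), here is a small consistency check that would have flagged the poster's earlier smb.conf; the sample configs are constructed from the settings quoted in the thread, and the parser is a minimal reader, not Samba's own loadparm.

```python
"""Consistency checks for a Samba AD member's smb.conf and krb5.conf.
Added example (not Samba project or thread code). It encodes the naming rules
above: 'workgroup' is the short NetBIOS domain (JASONDOMAINI), 'realm' the DNS
domain (JASONDOMAIN.JJ), every 'idmap config <DOMAIN>' block is keyed on the
workgroup, the realm matches krb5.conf default_realm, and idmap ranges are
disjoint. Sample configs below are constructed from the thread."""
import re
from itertools import combinations

# Constructed: the poster's earlier smb.conf (realm wrong, idmap block keyed
# on a name that is neither '*' nor the workgroup).
BROKEN_SMB_CONF = """\
[global]
   workgroup = JASONDOMAINI
   security = ADS
   realm = JASONDOMAINI.JASONDOMAIN.JJ
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config JASONDOMAIN:backend = ad
   idmap config JASONDOMAIN:range = 500-40000
"""

# Constructed: the settings recommended in the thread.
FIXED_SMB_CONF = """\
[global]
   workgroup = JASONDOMAINI
   security = ADS
   realm = JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config JASONDOMAINI : backend = ad
   idmap config JASONDOMAINI : range = 10000-999999
"""

# Constructed: the minimal krb5.conf from the thread.
KRB5_CONF = """\
[libdefaults]
   default_realm = JASONDOMAIN.JJ
"""

IDMAP_KEY = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)$")


def parse_ini(text):
    """Minimal smb.conf/krb5.conf reader -> {section: {key: value}}. Keys are
    lower-cased with whitespace collapsed; '#'/';' comments are skipped;
    nested '{ }' blocks (krb5.conf [realms]) are not interpreted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def check_member_config(smb_text, krb5_text):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    g = parse_ini(smb_text).get("global", {})
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "").upper()
    krb_realm = parse_ini(krb5_text).get("libdefaults", {}).get("default_realm", "").upper()
    if "." in workgroup or "." not in realm:
        problems.append(f"workgroup '{workgroup}' must be the short name and realm '{realm}' the DNS name")
    if realm != krb_realm:
        problems.append(f"smb.conf realm '{realm}' differs from krb5.conf default_realm '{krb_realm}'")

    # Group 'idmap config <DOMAIN> : <option>' keys by domain label.
    idmap = {}
    for key, value in g.items():
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    for dom in idmap:
        if dom not in ("*", workgroup):
            problems.append(f"idmap config '{dom}' does not match workgroup '{workgroup}'")
    for needed in ("*", workgroup):
        if needed not in idmap:
            problems.append(f"missing 'idmap config {needed}' block")

    # The '*' range and the domain range must not overlap each other.
    ranges = {dom: tuple(int(x) for x in opts["range"].split("-"))
              for dom, opts in idmap.items() if "range" in opts}
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"idmap ranges of '{a}' and '{b}' overlap")
    return problems
```

Running check_member_config(BROKEN_SMB_CONF, KRB5_CONF) reports the realm mismatch, the idmap block keyed on JASONDOMAIN instead of the workgroup JASONDOMAINI, and the consequently missing JASONDOMAINI block; the corrected config returns an empty list.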