Rowland Penny
2015-Jan-09 09:31 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 09/01/15 08:40, Jason Long wrote:
> Thanks.
> I'm confused. Can I paste the "set" command on Windows for you?
> The "jason" account is an administrator and can join and dis-join any computer.
>
> Cheers.
>
> On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 07/01/15 10:51, Jason Long wrote:
>> Thank you.
>> I changed my "krb5.conf" as below:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = yes
>> default_keytab_name = /etc/krb5.keytab
>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
>
> [libdefaults]
> default_realm = EXAMPLE.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
>> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini" but it is wrong. My domain name is "jasondomain.jj" and the backend is "jasondomaini". For example, when I want to log in to Windows I use "jasondomaini\jason".
>>
>> After entering the command "net ads join -U jason at jasondomain.jj", my computer joined, but when I use "net rpc testjoin" I get the same error as below:
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>
>> I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?
> You shouldn't, because 'JASONDOMAINI' *IS* your domain name, *NOT* the backend!!!
>
> The join command should be 'net ads join -U jason at JASONDOMAIN.JJ', but does 'jason' have the required rights to join the domain ?? Try again but this time use:
>
> net ads join -U Administrator at JASONDOMAIN.JJ
>
> and enter the 'Administrator' password when prompted.
>
> Rowland
>>
>> Thanks.
>>
>> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 06/01/15 06:17, Jason Long wrote:
>>> Thanks.
>>> My domain name is "jasondomain.jj" and the backend is "jasondomaini".
>> No, your realm name is "jasondomain.jj" and it would seem that your domain name is "jasondomaini"; the domain name can also be known as the 'workgroup' name.
>>
>> Set smb.conf to match this:
>>
>> [global]
>> workgroup = JASONDOMAINI
>> security = ADS
>> realm = JASONDOMAIN.JJ
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config JASONDOMAINI : backend = ad
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>>
>> set /etc/krb5.conf to this:
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> set /etc/resolv.conf
>>
>> nameserver <ip of your windows server>
>> search jasondomain.jj
>>
>> If /etc/krb5.keytab exists, delete it.
>>
>> make sure the time on the client matches the server.
>>
>> then try to join the domain:
>>
>> net ads join -U Administrator at JASONDOMAIN.JJ
>>
>> Rowland
>>>
>>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 05/01/15 11:09, Jason Long wrote:
>>>> Thank you.
>>>>
>>>> My Windows is Windows Server 2008 R2.
>>>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>>>> My Windows does not have any Workgroup Name. It is a Domain.
>>>>
>>>> Thanks
>>>>
>>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 05/01/15 07:02, Jason Long wrote:
>>>>> Thanks a lot.
>>>>> I changed the below lines to the correct domain name:
>>>>>
>>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>>
>>>>> and after the join, the command "net rpc testjoin" shows the same error:
>>>>>
>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>
>>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>>>>>
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = JASONDOMAIN.JJ
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> renew_lifetime = 7d
>>>>> forwardable = yes
>>>>> default_keytab_name = /etc/krb5.keytab
>>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> pkinit_kdc_hostname = <DNS>
>>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>>> pkinit_eku_checking = kpServerAuth
>>>>> pkinit_win2k_require_binding = false
>>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>>
>>>>> [realms]
>>>>> EXAMPLE.COM = {
>>>>> kdc = kerberos.example.com
>>>>> admin_server = kerberos.example.com
>>>>> }
>>>>> JASONDOMAIN.JJ = {
>>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>>> auth_to_local = DEFAULT
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .example.com = EXAMPLE.COM
>>>>> example.com = EXAMPLE.COM
>>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>>>
>>>>> [capaths]
>>>>> [appdefaults]
>>>>> pam = {
>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>> forwardable = true
>>>>> validate = true
>>>>> }
>>>>> httpd = {
>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>>> }
>>>>>
>>>>> What is your idea? I must tell you that after I removed LikeWise and configured manually, I can't log in to Linux via Windows AD accounts.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>>> Thanks a lot.
>>>>>>> I entered the command and the result is:
>>>>>>>
>>>>>>> Using short domain name -- JASONDOMAINI
>>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>>>
>>>>>>> but after running "net rpc testjoin":
>>>>>>>
>>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>>
>>>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>>>
>>>>>>> On the Windows OS I used the "set" command and it shows me:
>>>>>>>
>>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>>
>>>>>>> I guess that I must change "JASONDOMAINI" in the below texts to "JASONDOMAIN":
>>>>>>>
>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>
>>>>>>> Am I right?
>>>>>>>
>>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>>> Thank you.
>>>>>>>> I used the below video to join my Linux box to the Windows domain:
>>>>>>>>
>>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>>
>>>>>>>> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>>
>>>>>>>>> ads_connect: No logon servers
>>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>>> You are *not* joined to the domain. I suppose this should have been asked earlier, but how did you do the domain join ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>>
>>>>>>>>> :(.
>>>>>>>>>
>>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>>> Thank you.
>>>>>>>>>> The command shows the below error:
>>>>>>>>>>
>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>
>>>>>>>>>> :(
>>>>>>>>>>
>>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>>> Thanks.
>>>>>>>>>>> I changed the command as below:
>>>>>>>>>>>
>>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>>
>>>>>>>>>>> But got the below error:
>>>>>>>>>>>
>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>>> Thank you so much, but I ran the below commands on Linux:
>>>>>>>>>>>>
>>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>
>>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>>
>>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>>
>>>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I made some changes like below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>>>>>>>>> I added the below lines to the [global] section too:
>>>>>>>>>>>>>
>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> But about the below commands, can you tell me more?
>>>>>>>>>>>>>
>>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>>>> No :-)
>>>>>>>>>>>>
>>>>>>>>>>>> The first one gives members of Domain Admins the right to change windows ACL's on a share.
>>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>>
>>>>>>>>>>>>> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory. But it has two problems:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your view, did I use the correct command to set the permission?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So anywhere that you come across these, you should use the relevant one. These are the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>> ..........
>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>>>>
>>>>>>>>>>>>> right, answers to your questions
>>>>>>>>>>>>> 1) I think that you may find that this is also printed: 'Could not chdir to home directory', in which case you will end up in the root of the computer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you should be able to navigate to the share by entering the path. Have a look here:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>>
>>>>>>>>>>> -S server name
>>>>>>>>>>>
>>>>>>>>>>> OR
>>>>>>>>>>>
>>>>>>>>>>> -I address of target server
>>>>>>>>>>>
>>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>>
>>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> OK, try it like this:
>>>>>>>>>>
>>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>>>>>>
>>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Sounds like something is wrong with the join, what does 'net ads testjoin' return ? You may have to run this command with sudo.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki updated. Likewiseopen was replaced some time ago by PowerBroker Open; I cannot recommend using either of these, because quite simply, they are not needed.
>>>>>>>
>>>>>>> Check the following files:
>>>>>>>
>>>>>>> /etc/samba/smb.conf
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = JASONDOMAINI
>>>>>>> security = ADS
>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> server string = Samba 4 Client %h
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind normalize names = Yes
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config JASONDOMAINI : backend = ad
>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>> printcap name = cups
>>>>>>> cups options = raw
>>>>>>> usershare allow guests = yes
>>>>>>> domain master = no
>>>>>>> local master = no
>>>>>>> preferred master = no
>>>>>>> os level = 20
>>>>>>> map to guest = bad user
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>> log level = 6
>>>>>>>
>>>>>>> /etc/krb5.conf
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> /etc/resolv.conf
>>>>>>>
>>>>>>> nameserver <your AD DC's ipaddress>
>>>>>>> search jasondomaini.jasondomain.jj
>>>>>>>
>>>>>>> If required, alter them to match the above, check that 'hostname' returns only the hostname of the client, check that 'hostname -f' returns the FQDN. If either are not correct, fix them.
>>>>>>>
>>>>>>> Remove likewiseopen
>>>>>>>
>>>>>>> Once everything is correct, run the following command:
>>>>>>>
>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>
>>>>>>> You should be asked for the domain Administrator's password, enter this and you should join the domain
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> What Windows DC are you using ?
>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>> oops, that should have been:
>>>>>
>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi, will you answer these questions:
>>>>
>>>> What Windows DC are you using ?
>>>> What is the realm name on the Windows DC ?
>>>> What is the workgroup name on the Windows DC ?
>>>>
>>>> You do not need all of what you have in /etc/krb5.conf, but please answer the questions above first.
>>>>
>>>> Rowland
>>>>
>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>
>>> Rowland
>>>

You're confused !!! Looking back over what you posted I found this:

Thanks a lot.
I changed the below lines to correct domain name :

idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307

and after join, the command "net rpc testjoin" show same error :

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

this was 05/01/15 07:02

Totally missed it then, but now it sticks out like a sore thumb: is your workgroup/NetBIOS domain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????

Rowland
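The whole thread turns on one distinction: `realm` is the DNS/Kerberos name (JASONDOMAIN.JJ), `workgroup` is the short NetBIOS domain (JASONDOMAINI), and every `idmap config <DOMAIN>` line must use the workgroup name, not the realm and not a misspelling of it. As an added example (not from the thread, Rowland, or Samba itself), the Python below parses a member-server smb.conf and flags exactly those mistakes plus missing backend/range/schema_mode, overlapping idmap ranges and a half-configured `acl_xattr`; the two embedded configs are reconstructed from the postings and the check ids are my own.

```python
# Added example (not from the thread or from Samba): consistency checks for an AD
# member smb.conf. Check ids and the two sample configs are constructed for this demo.
import re
from typing import Dict, List, Optional, Tuple

IDMAP_RE = re.compile(r"^idmap config (?P<dom>[^:]+):(?P<opt>\w+)$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Reconstructed from the 05/01/15 posting: range/schema_mode name "JASONDOMAIN", acl_xattr half set up.
BAD_SMB_CONF = """
[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAIN.JJ
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307
vfs objects = acl_xattr
map acl inherit = Yes
"""
# The realm/workgroup/idmap lines Rowland recommends on 06/01/15.
GOOD_SMB_CONF = """
[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAIN.JJ
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAINI : range = 10000-999999
idmap config JASONDOMAINI : schema_mode = rfc2307
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {key: value}}; keys lower-cased, spaces around ':' dropped, idmap domain keeps its case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            norm = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip()))
            m = IDMAP_RE.match(norm)
            key = f"idmap config {m['dom']}:{m['opt'].lower()}" if m else norm.lower()
            sections[current][key] = value.strip()
    return sections

def parse_range(value: str) -> Optional[Tuple[int, int]]:
    m = RANGE_RE.match(value)
    return (int(m[1]), int(m[2])) if m and int(m[1]) < int(m[2]) else None

def check_member_config(text: str) -> List[Tuple[str, str]]:
    """Return (check id, message) findings; an empty list means the config is consistent."""
    g = parse_smb_conf(text).get("global", {})
    out: List[Tuple[str, str]] = []
    realm, wg = g.get("realm", ""), g.get("workgroup", "")
    if "." not in realm:
        out.append(("realm-not-dns", f"realm '{realm}' must be the DNS/Kerberos name, e.g. JASONDOMAIN.JJ"))
    if not wg or "." in wg or len(wg) > 15:
        out.append(("workgroup-not-netbios", f"workgroup '{wg}' must be the NetBIOS domain, e.g. JASONDOMAINI"))
    # idmap config: the domain token must be the workgroup name, never the realm.
    idmap: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m["dom"], {})[m["opt"]] = value
    if "*" not in idmap:
        out.append(("idmap-default-missing", "idmap config * (default domain, BUILTIN) is missing"))
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in idmap.items():
        if dom != "*" and dom.lower() != wg.lower():
            out.append(("idmap-domain-mismatch", f"idmap config '{dom}' does not match workgroup '{wg}'"))
        if "backend" not in opts:
            out.append(("idmap-backend-missing", f"idmap config '{dom}' has no backend"))
        elif opts["backend"].lower() == "ad" and "schema_mode" not in opts:
            out.append(("idmap-schema-missing", f"idmap config '{dom}' uses backend ad without schema_mode"))
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            out.append(("idmap-range-missing", f"idmap config '{dom}' has no valid LOW-HIGH range"))
        else:
            ranges.append((dom, *rng))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                out.append(("idmap-range-overlap", f"idmap ranges of '{d1}' and '{d2}' overlap"))
    # Windows ACLs on shares: acl_xattr expects these two companion settings.
    if "acl_xattr" in g.get("vfs objects", "").lower().split():
        for opt in ("map acl inherit", "store dos attributes"):
            if g.get(opt, "").lower() not in ("yes", "true", "1"):
                out.append(("acl-option-missing", f"vfs objects = acl_xattr but '{opt}' is not yes"))
    return out

if __name__ == "__main__":
    for name, conf in (("bad", BAD_SMB_CONF), ("good", GOOD_SMB_CONF)):
        print(name, check_member_config(conf))
```

Run against the two embedded configs, the reconstructed 05/01/15 config yields five findings and Rowland's 06/01/15 lines yield none.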
Jason Long
2015-Jan-10 07:14 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you. I'm really sorry Bro.
You're right. When I get the properties from AD, "Domain name (Pre-Windows 2000)" is "JASONDOMAINI". I'm sorry :( but when I want to join a Windows client to my domain I use "JASONDOMAIN.JJ" !!!!
I guess that we must change the SAMBA configuration.

Cheers.

On Friday, January 9, 2015 1:55 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 09/01/15 08:40, Jason Long wrote:
> Thanks.
> I'm confused. Can I paste the "set" command on Windows for you?
> The "jason" account is an administrator and can join and dis-join any computer.
>
> Cheers.
>
> On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 07/01/15 10:51, Jason Long wrote:
>> Thank you.
>> I changed my "krb5.conf" as below:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = yes
>> default_keytab_name = /etc/krb5.keytab
>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
>
> [libdefaults]
> default_realm = EXAMPLE.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
>> and removed "krb5.keytab" too.
You told me that my domain name is "jasondomaini" but it is wrong, My domain name is "jasondomain.jj" and backend is "jasondomaini", For example, when I want to login into Windows use "jasondomaini\jason". >> >> After enter the command "net ads join -U jason at jasondomain.jj", My computer joined but when use "net rpc testjoin" , I got same error as below : >> >> Unable to find a suitable server for domain JASONDOMAINI >> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >> >> I don't know why it see domain name as "JASONDOMAINI". How can I edit it? > You shouldn't because 'JASONDOMAINI' *IS* your domain name *NOT* the > backend!!! > > The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but > does 'jason' have the required rights to join the domain ?? Try again > but this time use: > > net ads join -U Administrator at JASONDOMAIN.JJ > > and enter the 'Administrator' password when prompted. > > Rowland >> >> Thanks. >> >> >> >> >> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 06/01/15 06:17, Jason Long wrote: >>> Thanks. >>> My domain name is "jasondomain.jj" and backend is "jasondomaini". >> No, your realm name is "jasondomain.jj" and it would seem that your >> domain name is "jasondomaini", the domain name can also be known as the >> 'workgroup' name. 
>> >> Set smb.conf to match this: >> >> [global] >> workgroup = JASONDOMAINI >> security = ADS >> realm = JASONDOMAIN.JJ >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> server string = Samba 4 Client %h >> winbind enum users = yes >> winbind enum groups = yes >> winbind use default domain = yes >> winbind expand groups = 4 >> winbind nss info = rfc2307 >> winbind refresh tickets = Yes >> winbind offline logon = yes >> winbind normalize names = Yes >> idmap config * : backend = tdb >> idmap config * : range = 2000-9999 >> idmap config JASONDOMAINI : backend = ad >> idmap config JASONDOMAINI : range = 10000-999999 >> idmap config JASONDOMAINI : schema_mode = rfc2307 >> printcap name = cups >> cups options = raw >> usershare allow guests = yes >> domain master = no >> local master = no >> preferred master = no >> os level = 20 >> map to guest = bad user >> >> set /etc/krb5.conf to this: >> >> [libdefaults] >> default_realm = JASONDOMAIN.JJ >> dns_lookup_realm = false >> dns_lookup_kdc = true >> ticket_lifetime = 24h >> forwardable = yes >> >> set /etc/resolv.conf >> >> nameserver <ip of your windows server> >> search jasondomain.jj >> >> If /etc/krb5.keytab exists, delete it. >> >> make sure the time on the client matches the server. >> >> then try to join the domain: >> >> net ads join -U Administrator at JASONDOMAIN.JJ >> >> >> Rowland >>> >>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>> On 05/01/15 11:09, Jason Long wrote: >>>> Thank you. >>>> >>>> My Windows is Windows server 2008 R2. >>>> About realm name, My domain name is "JASONDOMAIN.JJ". >>>> My Windows not have any Workgroup Name. It is Domain. >>>> >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>> On 05/01/15 07:02, Jason Long wrote: >>>>> Thanks a lot. 
>>>>> I changed the below lines to correct domain name : >>>>> >>>>> idmap config JASONDOMAIN : range = 10000-999999 >>>>> idmap config JASONDOMAIN : schema_mode = rfc2307 >>>>> >>>>> and after join, the command "net rpc testjoin" show same error : >>>>> >>>>> Unable to find a suitable server for domain JASONDOMAINI >>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>>>> >>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is " >>>>> >>>>> [logging] >>>>> default = FILE:/var/log/krb5libs.log >>>>> kdc = FILE:/var/log/krb5kdc.log >>>>> admin_server = FILE:/var/log/kadmind.log >>>>> >>>>> [libdefaults] >>>>> default_realm = JASONDOMAIN.JJ >>>>> dns_lookup_realm = false >>>>> dns_lookup_kdc = true >>>>> ticket_lifetime = 24h >>>>> renew_lifetime = 7d >>>>> forwardable = yes >>>>> default_keytab_name = /etc/krb5.keytab >>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> pkinit_kdc_hostname = <DNS> >>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>>>> pkinit_eku_checking = kpServerAuth >>>>> pkinit_win2k_require_binding = false >>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >>>>> >>>>> [realms] >>>>> EXAMPLE.COM = { >>>>> kdc = kerberos.example.com >>>>> admin_server = kerberos.example.com >>>>> } >>>>> JASONDOMAIN.JJ = { >>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ >>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/ >>>>> auth_to_local = DEFAULT >>>>> } >>>>> >>>>> [domain_realm] >>>>> .example.com = EXAMPLE.COM >>>>> example.com = EXAMPLE.COM >>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ >>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ >>>>> 
[capaths] >>>>> [appdefaults] >>>>> pam = { >>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>>> forwardable = true >>>>> validate = true >>>>> } >>>>> httpd = { >>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1 >>>>> } >>>>> >>>>> >>>>> >>>>> What is your idea? I must tell you that after removed LikeWise and configure manually, I can't login to Linux via Windows AD accounts. >>>>> >>>>> >>>>> Thanks. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>>> On 04/01/15 13:00, Rowland Penny wrote: >>>>>> On 04/01/15 10:17, Jason Long wrote: >>>>>>> Thanks a lot. >>>>>>> I enter the command and result is : >>>>>>> >>>>>>> Using short domain name -- JASONDOMAINI >>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ' >>>>>>> but after run "net rpc testjoin" : >>>>>>> >>>>>>> Unable to find a suitable server for domain JASONDOMAINI >>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>>>>>> >>>>>>> I guess I understand what is my problem. I'm really sorry :(. >>>>>>> >>>>>>> On Windows OS i used "set" command and it show me : >>>>>>> >>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ >>>>>>> USERDOMAIN= JASONDOMAINI >>>>>>> >>>>>>> I guess that I must change "JASONDOMAINI" in below texts to >>>>>>> "JASONDOMAIN" : >>>>>>> >>>>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>>>> >>>>>>> Am I right? >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny >>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>> On 03/01/15 15:08, Jason Long wrote: >>>>>>>> Thank you. >>>>>>>> I used below videos for join my Linux Box to Windows domain : >>>>>>>> >>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic >>>>>>>> >>>>>>>> Please look at this video and I used instructions in it and >>>>>>>> LikeWiseOpen tool. 
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>>
>>>>>>>>> ads_connect: No logon servers
>>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>>> You are *not* joined to the domain. I suppose this should have been asked earlier, but how did you do the domain join?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>>
>>>>>>>>> :(.
>>>>>>>>>
>>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>>> Thank you.
>>>>>>>>>> The command shows the below error:
>>>>>>>>>>
>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>
>>>>>>>>>> :(
>>>>>>>>>>
>>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>>> Thanks.
>>>>>>>>>>> I changed the command as below:
>>>>>>>>>>>
>>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>>
>>>>>>>>>>> But I got the below error:
>>>>>>>>>>>
>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>>> Thank you so much, but I ran the below commands on Linux:
>>>>>>>>>>>>
>>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>
>>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>>
>>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>>
>>>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I made some changes like below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>>>>>>>>> I added the below lines to the [global] section too:
>>>>>>>>>>>>>
>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> But about the below commands, can you tell me more?
>>>>>>>>>>>>>
>>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> I hope they are not dangerous!!!!
>>>>>>>>>>>> No :-)
>>>>>>>>>>>>
>>>>>>>>>>>> The first one gives members of Domain Admins the right to change Windows ACLs on a share.
>>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>>
>>>>>>>>>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>>>> Yes, but it is just easier via Windows.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory.
>>>>>>>>>>>>>> But it has two problems:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your opinion, did I use the correct command to set the ACL?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your opinion, did I use the correct command to set permissions?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients should use SSH to work with this directory?
>>>>>>>>>>>>>>> I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So anywhere that you come across these, you should use the relevant one. These are the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>> ..........
>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>> OK, we are getting closer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right, answers to your questions:
>>>>>>>>>>>>> 1) I think that you may find that this is also printed: 'Could not chdir to home directory', in which case you will end up in the root of the computer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon? Even if this is not running you should be able to navigate to the share by entering the path.
>>>>>>>>>>>>> Have a look here:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>>
>>>>>>>>>>> -S server name
>>>>>>>>>>>
>>>>>>>>>>> OR
>>>>>>>>>>>
>>>>>>>>>>> -I address of target server
>>>>>>>>>>>
>>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>>
>>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> OK, try it like this:
>>>>>>>>>>
>>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>>>>>>
>>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Sounds like something is wrong with the join. What does 'net ads testjoin' return? You may have to run this command with sudo.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki updated. Likewiseopen was replaced some time ago by PowerBroker Open. I cannot recommend using either of these, because quite simply, they are not needed.
>>>>>>>
>>>>>>> Check the following files:
>>>>>>>
>>>>>>> /etc/samba/smb.conf
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = JASONDOMAINI
>>>>>>> security = ADS
>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> server string = Samba 4 Client %h
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind normalize names = Yes
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config JASONDOMAINI : backend = ad
>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>> printcap name = cups
>>>>>>> cups options = raw
>>>>>>> usershare allow guests = yes
>>>>>>> domain master = no
>>>>>>> local master = no
>>>>>>> preferred master = no
>>>>>>> os level = 20
>>>>>>> map to guest = bad user
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>> log level = 6
>>>>>>>
>>>>>>> /etc/krb5.conf
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> /etc/resolv.conf
>>>>>>>
>>>>>>> nameserver <your AD DC's ipaddress>
>>>>>>> search jasondomaini.jasondomain.jj
>>>>>>>
>>>>>>> If required, alter them to match the above; check that 'hostname' returns only the hostname of the client, and check that 'hostname -f' returns the FQDN. If either is not correct, fix them.
>>>>>>>
>>>>>>> Remove likewiseopen.
>>>>>>>
>>>>>>> Once everything is correct, run the following command:
>>>>>>>
>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>
>>>>>>> You should be asked for the domain Administrator's password; enter this and you should join the domain.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> What Windows DC are you using ?
>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>> oops, that should have been:
>>>>>
>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi, will you answer these questions:
>>>>
>>>> What Windows DC are you using ?
>>>> What is the realm name on the Windows DC ?
>>>> What is the workgroup name on the Windows DC ?
>>>>
>>>> You do not need all of what you have in /etc/krb5.conf, but please answer the questions above first.
>>>>
>>>> Rowland
>>>>
>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>
>>> Rowland
>>>
You're confused !!! Looking back over what you posted I found this:

Thanks a lot.
I changed the below lines to correct domain name :

idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307

and after join, the command "net rpc testjoin" show same error :

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

this was 05/01/15 07:02

Totally missed it then, but now it sticks out like a sore thumb: is your workgroup/NetBIOS domain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
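The three files Rowland keeps asking about (smb.conf, krb5.conf, resolv.conf) have to agree with each other: the workgroup is the NetBIOS (pre-Windows 2000) domain name, the realm is the DNS domain, and every 'idmap config' block is named after the workgroup. The whole thread turns on one of them naming a different domain from the others. Below, as an added example that is not part of this thread and not Samba's own code, is a small Python consistency check that parses the three files and flags any 'idmap config' block, default_realm or search entry that does not match. The file contents are constructed to mirror the thread (the broken sample reproduces the 05/01/15 edit that renamed the range and schema_mode lines to JASONDOMAIN); the DC address 192.168.1.1 is the one used in the thread.

```python
"""Consistency check for a Samba AD domain member's smb.conf, krb5.conf and
resolv.conf (added example, not Samba code).  It encodes the rule Rowland keeps
repeating: workgroup = NetBIOS domain, realm = DNS domain, and every
'idmap config' block is named after the workgroup."""
import re

# Samba compares parameter names with whitespace removed and case folded, so
# 'idmap config X : range' and 'idmap config X:range' are the same key.
IDMAP_RE = re.compile(r"^idmapconfig(.+?):(backend|range|schema_mode)$")


def parse_ini(text):
    """{section: [(key, value), ...]} for smb.conf / krb5.conf style files.
    Comments and the '{ }' braces of krb5.conf sub-blocks are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((re.sub(r"\s+", "", key).lower(), value.strip()))
    return sections


def parse_range(value):
    lo, hi = value.replace(" ", "").split("-")
    return int(lo), int(hi)


def check_member_config(smb_conf, krb5_conf, resolv_conf, netbios_domain):
    """Return a list of problems; an empty list means the three files agree.
    netbios_domain is what 'set' on a Windows box prints as USERDOMAIN (the
    pre-Windows 2000 name), which is the value 'workgroup' must carry."""
    findings = []
    g = dict(parse_ini(smb_conf).get("global", []))
    workgroup, realm = g.get("workgroup", ""), g.get("realm", "")
    wg = workgroup.upper()
    if wg != netbios_domain.upper():
        findings.append(f"smb.conf: workgroup '{workgroup}' is not the NetBIOS domain '{netbios_domain}'")

    # Group idmap parameters by the domain they name: {'*': {...}, 'JASONDOMAINI': {...}}
    idmap = {}
    for key, value in g.items():
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    for dom in sorted(idmap):
        if dom not in ("*", wg):
            findings.append(f"smb.conf: 'idmap config {dom}' names a domain other than the workgroup '{workgroup}'")
    if wg not in idmap:
        findings.append(f"smb.conf: no 'idmap config {workgroup}' block for the joined domain")
    else:
        for needed in ("backend", "range"):
            if needed not in idmap[wg]:
                findings.append(f"smb.conf: 'idmap config {workgroup}' lacks '{needed}'")

    # krb5.conf must name the same realm smb.conf does.
    default_realm = dict(parse_ini(krb5_conf).get("libdefaults", [])).get("default_realm", "")
    if default_realm.upper() != realm.upper():
        findings.append(f"krb5.conf: default_realm '{default_realm}' != smb.conf realm '{realm}'")

    # resolv.conf must point at the AD DC and search the realm's DNS zone.
    search, nameservers = [], []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts[:1] == ["search"]:
            search += parts[1:]
        elif parts[:1] == ["nameserver"]:
            nameservers += parts[1:]
    if not nameservers:
        findings.append("resolv.conf: no nameserver line (should be the AD DC)")
    if realm.lower() not in [s.lower() for s in search]:
        findings.append(f"resolv.conf: search {search} does not include '{realm.lower()}'")
    return findings


# Constructed samples.  BROKEN_SMB_CONF reproduces the 05/01/15 edit from the thread:
# range/schema_mode renamed to JASONDOMAIN while workgroup (and backend) still say JASONDOMAINI.
BROKEN_SMB_CONF = """
[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAINI : backend = ad
    idmap config JASONDOMAIN : range = 10000-999999
    idmap config JASONDOMAIN : schema_mode = rfc2307
"""
GOOD_SMB_CONF = BROKEN_SMB_CONF.replace("JASONDOMAIN :", "JASONDOMAINI :")
KRB5_CONF = "[libdefaults]\n    default_realm = JASONDOMAIN.JJ\n    dns_lookup_kdc = true\n"
RESOLV_CONF = "nameserver 192.168.1.1\nsearch jasondomain.jj\n"  # DC address as used in the thread

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SMB_CONF), ("fixed", GOOD_SMB_CONF)):
        print(label, check_member_config(conf, KRB5_CONF, RESOLV_CONF, "JASONDOMAINI") or "OK")
```

On a real member, read the three files from /etc and pass the USERDOMAIN value from a Windows box as the fourth argument; an empty list is the state Rowland's 'net ads join' instructions expect, and the check only reads files, it never changes them. With the broken sample it reports the JASONDOMAIN block as naming a foreign domain and the JASONDOMAINI block as missing its range, which is exactly why winbind could not find a server for JASONDOMAINI.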
Jason Long
2015-Jan-11 06:26 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Any idea?

On Friday, January 9, 2015 11:14 PM, Jason Long <hack3rcon at yahoo.com> wrote:

Thank you.
I'm really sorry, bro. You're right: when I get the properties from AD, "Domain name (Pre-Windows 2000)" is "JASONDOMAINI". I'm sorry :( but when I want to join a Windows client to my domain I use "JASONDOMAIN.JJ" !!!!
I guess that we must change the SAMBA configuration.

Cheers.

On Friday, January 9, 2015 1:55 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> >>>>>>> Remove likewiseopen >>>>>>> >>>>>>> Once everything is correct, run the following command: >>>>>>> >>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ >>>>>>> >>>>>>> You should be asked for the domain Administrators password, enter this >>>>>>> and you should join the domain >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>> What Windows DC are you using ? >>>>>> What is the realm name * workgroup name on the Windows DC ? >>>>>> >>>>>> Rowland >>>>> oops, that should have been: >>>>> >>>>> >>>>> What is the realm name & workgroup name on the Windows DC ? >>>>> >>>>> Rowland >>>>> >>>> Hi, will you answer these questions: >>>> >>>> What Windows DC are you using ? >>>> What is the realm name on the Windows DC ? >>>> What is the workgroup name on the Windows DC ? >>>> >>>> You do not need all of what you have in /etc/krb5.conf, but please >>>> answer the questions above first. >>>> >>>> Rowland >>>> >>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ') >>> >>> Rowland >>>Your confused !!! looking back over what you posted I found this: Thanks a lot. I changed the below lines to correct domain name : idmap config JASONDOMAIN : range = 10000-999999 idmap config JASONDOMAIN : schema_mode = rfc2307 and after join, the command "net rpc testjoin" show same error : Unable to find a suitable server for domain JASONDOMAINI Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL this was 05/01/15 07:02 Totally missed it then, but now it sticks out like a sore thumb, is your workgroup/NETBiosdomain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ????? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Jason Long
2015-Jan-12 14:53 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you.
I'm really sorry Bro.
You right, When I get properties from AD, "Domain name(Pre-Windows 2000)" is "JASONDOMAINI". I'm sorry :( but when I want to join a Windows client to my domain I use "JASONDOMAIN.JJ" !!!!
I guess that we must change SAMBA configuration.

Cheers.
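The value Jason found under "Domain name (Pre-Windows 2000)" is the NetBIOS domain name, which is what smb.conf's `workgroup` and every `idmap config` key must use; the realm is the DNS name. As an added example (not code from the thread or from the Samba project), the Python below parses a member server's smb.conf and krb5.conf and flags the slips that kept recurring in this thread: an idmap block whose domain is not the workgroup, no idmap block for the workgroup at all, overlapping id ranges, and a krb5.conf `default_realm` that disagrees with smb.conf. The config snippets are constructed from the values posted in the thread.

```python
"""Check a Samba AD member's smb.conf idmap blocks against its krb5.conf.
Added example, not code from the thread or the Samba project; the config
text below is constructed from the values discussed in the thread."""
import re

# Constructed: the edit from the 05/01/15 message, which used the first
# label of the realm (JASONDOMAIN) as the idmap domain, not the NetBIOS name.
SMB_CONF_WRONG = """
[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAIN : backend = ad
    idmap config JASONDOMAIN : range = 10000-999999
    idmap config JASONDOMAIN : schema_mode = rfc2307
"""
# Constructed: the same file with the idmap domain set to the workgroup name.
SMB_CONF_RIGHT = SMB_CONF_WRONG.replace("config JASONDOMAIN :", "config JASONDOMAINI :")
# Constructed: the [libdefaults] section recommended in the thread.
KRB5_CONF = """
[libdefaults]
    default_realm = JASONDOMAIN.JJ
    dns_lookup_kdc = true
"""


def parse_conf(text):
    """'[section]' / 'key = value' -> {section: {key: value}}. Keys are lower-cased
    with whitespace collapsed, as Samba treats them; krb5 '{ }' sub-blocks are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return sections


def idmap_entries(global_section):
    """Group 'idmap config <DOMAIN> : <option>' keys by upper-cased domain."""
    entries = {}
    for key, value in global_section.items():
        m = re.match(r"^idmap config (\S+) ?: ?(\S+)$", key)
        if m:
            entries.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return entries


def parse_range(value):
    """'10000-999999' -> (10000, 999999); ValueError if malformed or empty."""
    lo, hi = (int(part) for part in value.replace(" ", "").split("-", 1))
    if lo >= hi:
        raise ValueError(value)
    return lo, hi


def check_member_config(smb_text, krb5_text):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    g = parse_conf(smb_text).get("global", {})
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "").upper()
    if g.get("security", "").upper() != "ADS" or not workgroup or not realm:
        findings.append(("NOT_AD_MEMBER", "need security = ADS, workgroup and realm"))
    idmap = idmap_entries(g)
    ranges = {}
    for dom, opts in idmap.items():
        # winbind selects the idmap block by the NetBIOS domain name (the workgroup);
        # a block named after the realm or a wrong short name is never consulted.
        if dom != "*" and workgroup and dom != workgroup:
            findings.append(("IDMAP_DOMAIN_MISMATCH", f"idmap config '{dom}' is not the workgroup '{workgroup}'"))
        if "backend" not in opts:
            findings.append(("MISSING_KEY", f"idmap config {dom} : backend is not set"))
        try:
            ranges[dom] = parse_range(opts.get("range", ""))
        except ValueError:
            findings.append(("BAD_RANGE", f"idmap config {dom} : range missing or malformed"))
    if workgroup and workgroup not in idmap:
        findings.append(("NO_DOMAIN_IDMAP", f"no idmap config block for '{workgroup}'"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # the same uid/gid could be handed out twice
                findings.append(("RANGE_OVERLAP", f"idmap ranges '{a}' and '{b}' overlap"))
    k = parse_conf(krb5_text).get("libdefaults", {})
    default_realm = k.get("default_realm", "").upper()
    if realm and default_realm and default_realm != realm:
        findings.append(("REALM_MISMATCH", f"krb5.conf default_realm {default_realm} != smb.conf realm {realm}"))
    return findings
```

With the wrong file the checker reports that `JASONDOMAIN` is not the workgroup and that no block exists for `JASONDOMAINI`, which is why those users were being mapped by the `*` tdb backend rather than by their RFC2307 attributes; the corrected file comes back clean.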
Rowland Penny
2015-Jan-12 15:34 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 12/01/15 14:53, Jason Long wrote:> Thank you. > I'm really sorry Bro. > You right, When I get properties from AD, "Domain name(Pre-Windows 2000)" is "JASONDOMAINI". I'm sorry :( but when I want to join a Windows client to my domain I use "JASONDOMAIN.JJ" !!!! > I guess that we must change SAMBA configuration. > > Cheers. > > > > > On Friday, January 9, 2015 1:55 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 09/01/15 08:40, Jason Long wrote: >> Thanks. >> I'm confused. Can I paste "set" command on windows for you? >> "jason" account is administrator and can join and dis-join any computer. >> >> Cheers. >> >> >> >> On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 07/01/15 10:51, Jason Long wrote: >>> Thank you. >>> I changed my "krb5.conf" as below : >>> >>> >>> [logging] >>> default = FILE:/var/log/krb5libs.log >>> kdc = FILE:/var/log/krb5kdc.log >>> admin_server = FILE:/var/log/kadmind.log >>> >>> [libdefaults] >>> default_realm = JASONDOMAIN.JJ >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> ticket_lifetime = 24h >>> renew_lifetime = 7d >>> forwardable = yes >>> default_keytab_name = /etc/krb5.keytab >>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> pkinit_kdc_hostname = <DNS> >>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>> pkinit_eku_checking = kpServerAuth >>> pkinit_win2k_require_binding = false >>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >>> >> My krb5.conf is: >> >> [libdefaults] >> default_realm = EXAMPLE.LAN >> dns_lookup_realm = false >> dns_lookup_kdc = true >> ticket_lifetime = 24h >> forwardable = yes >> >>> and removed "krb5.keytab" too. 
You told me that my domain name is "jasondomaini" but it is wrong, My domain name is "jasondomain.jj" and backend is "jasondomaini", For example, when I want to login into Windows use "jasondomaini\jason". >>> >>> After enter the command "net ads join -U jason at jasondomain.jj", My computer joined but when use "net rpc testjoin" , I got same error as below : >>> >>> Unable to find a suitable server for domain JASONDOMAINI >>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>> >>> I don't know why it see domain name as "JASONDOMAINI". How can I edit it? >> You shouldn't because 'JASONDOMAINI' *IS* your domain name *NOT* the >> backend!!! >> >> The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but >> does 'jason' have the required rights to join the domain ?? Try again >> but this time use: >> >> net ads join -U Administrator at JASONDOMAIN.JJ >> >> and enter the 'Administrator' password when prompted. >> >> Rowland >>> Thanks. >>> >>> >>> >>> >>> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>> On 06/01/15 06:17, Jason Long wrote: >>>> Thanks. >>>> My domain name is "jasondomain.jj" and backend is "jasondomaini". >>> No, your realm name is "jasondomain.jj" and it would seem that your >>> domain name is "jasondomaini", the domain name can also be known as the >>> 'workgroup' name. 
>>> >>> Set smb.conf to match this: >>> >>> [global] >>> workgroup = JASONDOMAINI >>> security = ADS >>> realm = JASONDOMAIN.JJ >>> dedicated keytab file = /etc/krb5.keytab >>> kerberos method = secrets and keytab >>> server string = Samba 4 Client %h >>> winbind enum users = yes >>> winbind enum groups = yes >>> winbind use default domain = yes >>> winbind expand groups = 4 >>> winbind nss info = rfc2307 >>> winbind refresh tickets = Yes >>> winbind offline logon = yes >>> winbind normalize names = Yes >>> idmap config * : backend = tdb >>> idmap config * : range = 2000-9999 >>> idmap config JASONDOMAINI : backend = ad >>> idmap config JASONDOMAINI : range = 10000-999999 >>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>> printcap name = cups >>> cups options = raw >>> usershare allow guests = yes >>> domain master = no >>> local master = no >>> preferred master = no >>> os level = 20 >>> map to guest = bad user >>> >>> set /etc/krb5.conf to this: >>> >>> [libdefaults] >>> default_realm = JASONDOMAIN.JJ >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> ticket_lifetime = 24h >>> forwardable = yes >>> >>> set /etc/resolv.conf >>> >>> nameserver <ip of your windows server> >>> search jasondomain.jj >>> >>> If /etc/krb5.keytab exists, delete it. >>> >>> make sure the time on the client matches the server. >>> >>> then try to join the domain: >>> >>> net ads join -U Administrator at JASONDOMAIN.JJ >>> >>> >>> Rowland >>>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>> On 05/01/15 11:09, Jason Long wrote: >>>>> Thank you. >>>>> >>>>> My Windows is Windows server 2008 R2. >>>>> About realm name, My domain name is "JASONDOMAIN.JJ". >>>>> My Windows not have any Workgroup Name. It is Domain. >>>>> >>>>> >>>>> Thanks >>>>> >>>>> >>>>> >>>>> >>>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>>> On 05/01/15 07:02, Jason Long wrote: >>>>>> Thanks a lot. 
>>>>>> I changed the below lines to the correct domain name:
>>>>>>
>>>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>>>
>>>>>> and after join, the command "net rpc testjoin" shows the same error:
>>>>>>
>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is "
>>>>>>
>>>>>> [logging]
>>>>>> default = FILE:/var/log/krb5libs.log
>>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = JASONDOMAIN.JJ
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>> ticket_lifetime = 24h
>>>>>> renew_lifetime = 7d
>>>>>> forwardable = yes
>>>>>> default_keytab_name = /etc/krb5.keytab
>>>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> pkinit_kdc_hostname = <DNS>
>>>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>>>> pkinit_eku_checking = kpServerAuth
>>>>>> pkinit_win2k_require_binding = false
>>>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>>>
>>>>>> [realms]
>>>>>> EXAMPLE.COM = {
>>>>>> kdc = kerberos.example.com
>>>>>> admin_server = kerberos.example.com
>>>>>> }
>>>>>> JASONDOMAIN.JJ = {
>>>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>>>> auth_to_local = DEFAULT
>>>>>> }
>>>>>>
>>>>>> [domain_realm]
>>>>>> .example.com = EXAMPLE.COM
>>>>>> example.com = EXAMPLE.COM
>>>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>>>> [capaths]
>>>>>> [appdefaults]
>>>>>> pam = {
>>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>>> forwardable = true
>>>>>> validate = true
>>>>>> }
>>>>>> httpd = {
>>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>>>> }
>>>>>>
>>>>>> What is your idea? I must tell you that after I removed LikeWise and configured manually, I can't login to Linux via Windows AD accounts.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>>>> Thanks a lot.
>>>>>>>> I entered the command and the result is:
>>>>>>>>
>>>>>>>> Using short domain name -- JASONDOMAINI
>>>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>>>> but after running "net rpc testjoin":
>>>>>>>>
>>>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>>>>
>>>>>>>> On Windows OS I used the "set" command and it shows me:
>>>>>>>>
>>>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>>>
>>>>>>>> I guess that I must change "JASONDOMAINI" in the below texts to
>>>>>>>> "JASONDOMAIN":
>>>>>>>>
>>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>>
>>>>>>>> Am I right?
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>>>> Thank you.
>>>>>>>>> I used the below video to join my Linux box to the Windows domain:
>>>>>>>>>
>>>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>>>
>>>>>>>>> Please look at this video; I used the instructions in it and the
>>>>>>>>> LikeWiseOpen tool.
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>>>
>>>>>>>>>> ads_connect: No logon servers
>>>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>>>> You are *not* joined to the domain, I suppose this should have been
>>>>>>>>> asked earlier, but how did you do the domain join ?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>> If it is incorrect, why can I login to Linux via a Windows account?
>>>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>>>
>>>>>>>>>> :(.
>>>>>>>>>>
>>>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>>>> Thank you.
>>>>>>>>>>> The command shows the below error:
>>>>>>>>>>>
>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>
>>>>>>>>>>> :(
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>> I changed the command as below:
>>>>>>>>>>>>
>>>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>>>
>>>>>>>>>>>> But got the below error:
>>>>>>>>>>>>
>>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much, but I ran the below commands on Linux:
>>>>>>>>>>>>>
>>>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>>>
>>>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>>>
>>>>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did some changes like below:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>>>>>>> user_xattr,acl,defaults 1 1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any
>>>>>>>>>>>>>> output.
>>>>>>>>>>>>>> I added the below lines to the [global] section too:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But about the below commands, can you tell me more?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>>>>> No :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>>>>>>> windows ACL's on a share
>>>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> In the
>>>>>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>>>>>>> , the other steps are in Windows!!! Can I do it via Linux too?
>>>>>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>>>>>>> changed the configuration as below:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>>>>>>> it shows me the root partition and I can open the "Test" directory.
>>>>>>>>>>>>>>> But it has two problems:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>>>> 2- I can't browse it via Windows explorer!!!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In your opinion, did I use a correct command to set the permission?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>>>> About your question, I must say that I tested this share via
>>>>>>>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", do you mean
>>>>>>>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>>>>>>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>>>>>>>>>>> rely on each other.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>>>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>>> ..........
>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> right, answers to your questions
>>>>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could not chdir
>>>>>>>>>>>>>> to home directory', in which case you will end up in the root of computer.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>>>>>>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>>>>>>>> Have a look here:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>>>
>>>>>>>>>>>> -S server name
>>>>>>>>>>>>
>>>>>>>>>>>> OR
>>>>>>>>>>>>
>>>>>>>>>>>> -I address of target server
>>>>>>>>>>>>
>>>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>> OK, try it like this:
>>>>>>>>>>>
>>>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>>>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>>>>>>
>>>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>>>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>>>>>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>>>>>>>> cannot recommend using either of these, because quite simply, they are
>>>>>>>> not needed.
>>>>>>>>
>>>>>>>> Check the following files:
>>>>>>>>
>>>>>>>> /etc/samba/smb.conf
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>> security = ADS
>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> server string = Samba 4 Client %h
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind expand groups = 4
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind refresh tickets = Yes
>>>>>>>> winbind normalize names = Yes
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>> idmap config JASONDOMAINI : backend = ad
>>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>> printcap name = cups
>>>>>>>> cups options = raw
>>>>>>>> usershare allow guests = yes
>>>>>>>> domain master = no
>>>>>>>> local master = no
>>>>>>>> preferred master = no
>>>>>>>> os level = 20
>>>>>>>> map to guest = bad user
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>> log level = 6
>>>>>>>>
>>>>>>>> /etc/krb5.conf
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>> dns_lookup_realm = false
>>>>>>>> dns_lookup_kdc = true
>>>>>>>> ticket_lifetime = 24h
>>>>>>>> forwardable = yes
>>>>>>>>
>>>>>>>> /etc/resolv.conf
>>>>>>>>
>>>>>>>> nameserver <your AD DC's ipaddress>
>>>>>>>> search jasondomaini.jasondomain.jj
>>>>>>>>
>>>>>>>> If required, alter them to match the above, check that 'hostname'
>>>>>>>> returns only the hostname of the client, check that 'hostname -f'
>>>>>>>> returns the FQDN. If either are not correct, fix them.
>>>>>>>>
>>>>>>>> Remove likewiseopen
>>>>>>>>
>>>>>>>> Once everything is correct, run the following command:
>>>>>>>>
>>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>
>>>>>>>> You should be asked for the domain Administrator's password, enter this
>>>>>>>> and you should join the domain
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> What Windows DC are you using ?
>>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>>
>>>>>>> Rowland
>>>>>> oops, that should have been:
>>>>>>
>>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi, will you answer these questions:
>>>>>
>>>>> What Windows DC are you using ?
>>>>> What is the realm name on the Windows DC ?
>>>>> What is the workgroup name on the Windows DC ?
>>>>>
>>>>> You do not need all of what you have in /etc/krb5.conf, but please
>>>>> answer the questions above first.
>>>>>
>>>>> Rowland
>>>>>
>>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>>
>>>> Rowland
>>>>
> You're confused !!!
>
> looking back over what you posted I found this:
>
> Thanks a lot.
> I changed the below lines to correct domain name :
>
> idmap config JASONDOMAIN : range = 10000-999999
> idmap config JASONDOMAIN : schema_mode = rfc2307
>
> and after join, the command "net rpc testjoin" show same error :
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> this was 05/01/15 07:02
>
> Totally missed it then, but now it sticks out like a sore thumb, is your
> workgroup/NETBiosdomain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????
>
> Rowland

When you join a Unix client to an AD domain, you use 'net ads join -U
Administrator' (or another user that has the right to join machines to
the domain)

You need to have lines in smb.conf similar to these:

workgroup = DOMAIN
realm = DOMAIN.TLD
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = RANGE

Which in your case would be:

workgroup = JASONDOMAINI
realm = JASONDOMAIN.JJ
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAINI : schema_mode = rfc2307
idmap config JASONDOMAINI : range = RANGE

You would also have to have your realm in /etc/krb5.conf

[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true

The /etc/resolv.conf should look something like this:

search jasondomain.jj
nameserver <ipaddress of your AD DC>

With these all set correctly, the join should work.

Rowland
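The whole thread turns on three files agreeing with each other: the NetBIOS domain (what Windows shows as USERDOMAIN) must appear as 'workgroup' and in every 'idmap config DOMAIN : ...' line, the Kerberos realm (USERDNSDOMAIN) must be the same in smb.conf 'realm' and krb5.conf 'default_realm', and resolv.conf should search the realm in lower case. The script below is an added example, not part of the thread and not Samba project code; it runs those checks before 'net ads join' so that a JASONDOMAIN/JASONDOMAINI mix-up is caught on the client rather than reported as NT_STATUS_UNSUCCESSFUL by 'net rpc testjoin'. The function names (cfg_value, check_join_config), the temporary directories and the sample file contents are all constructed here; the 'good' set follows Rowland's final recipe, the 'bad' set reproduces the mismatch quoted above, and 192.0.2.10 is a documentation-range placeholder for the DC address.

```shell
#!/bin/sh
# Pre-join consistency check for smb.conf, krb5.conf and resolv.conf.
# Added example, not Samba project code. Sample file contents below are constructed.

# cfg_value FILE KEY: print the value of "KEY = value" from an ini-style file.
# Key match is case-insensitive; whitespace around '=' and the first ':' is ignored,
# so "idmap config DOM : backend = ad" and "idmap config DOM:backend=ad" both match.
cfg_value() {
    sed -n 's/^[[:space:]]*//; /^[;#]/d; s/[[:space:]]*$//;
            s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]]*:[[:space:]]*/:/; p' "$1" |
        awk -F= -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }'
}

errors=0
fail() { echo "FAIL: $1"; errors=$((errors + 1)); }
ok()   { echo "ok:   $1"; }

# check_join_config SMB_CONF KRB5_CONF RESOLV_CONF
# Prints one line per check; returns 0 when the three files agree, 1 otherwise.
check_join_config() {
    smb=$1 krb5=$2 resolv=$3
    errors=0
    workgroup=$(cfg_value "$smb" workgroup)
    realm=$(cfg_value "$smb" realm)
    default_realm=$(cfg_value "$krb5" default_realm)
    search=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    realm_lc=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    realm_uc=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')

    # 1. workgroup is the short NetBIOS domain (USERDOMAIN on Windows), never the DNS name
    if [ -z "$workgroup" ]; then fail "smb.conf: no 'workgroup'"
    else case $workgroup in
        *.*) fail "smb.conf: workgroup '$workgroup' contains a dot; use the NetBIOS domain, not the realm" ;;
        *)   ok "workgroup = $workgroup" ;;
    esac; fi

    # 2. realm is the AD DNS domain in upper case (USERDNSDOMAIN on Windows)
    if [ -z "$realm" ]; then fail "smb.conf: no 'realm'"
    elif [ "$realm" != "$realm_uc" ]; then fail "smb.conf: realm '$realm' should be upper case"
    else ok "realm = $realm"; fi

    # 3. krb5.conf must name the same realm
    [ "$default_realm" = "$realm" ] && ok "krb5.conf default_realm matches" ||
        fail "krb5.conf: default_realm '$default_realm' != smb.conf realm '$realm'"

    # 4. resolv.conf search domain is the realm in lower case, so short names resolve in AD
    [ "$search" = "$realm_lc" ] && ok "resolv.conf search matches" ||
        fail "resolv.conf: search '$search' != '$realm_lc'"

    # 5. every 'idmap config DOM : ...' except the '*' default must use the workgroup name
    bad=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' "$smb" |
          grep -v -x -e '\*' -e "$workgroup" | sort -u | tr '\n' ' ')
    [ -z "$bad" ] && ok "idmap config domains match workgroup" ||
        fail "smb.conf: idmap config names domain(s) $bad but workgroup is '$workgroup'"

    # 6. the workgroup itself needs the 'ad' backend for rfc2307 ids
    [ "$(cfg_value "$smb" "idmap config $workgroup:backend")" = ad ] && ok "idmap backend for $workgroup is ad" ||
        fail "smb.conf: missing 'idmap config $workgroup : backend = ad'"

    [ "$errors" -eq 0 ]
}

# Constructed sample trees (temporary directories, not the real /etc files).
GOOD=$(mktemp -d)
BAD=$(mktemp -d)

cat > "$GOOD/smb.conf" <<'EOF'
[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAINI : backend = ad
    idmap config JASONDOMAINI : schema_mode = rfc2307
    idmap config JASONDOMAINI : range = 10000-999999
EOF
cat > "$GOOD/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = JASONDOMAIN.JJ
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
printf 'search jasondomain.jj\nnameserver 192.0.2.10\n' > "$GOOD/resolv.conf"   # placeholder DC address

# The mix-up from the thread: idmap lines say JASONDOMAIN while workgroup is JASONDOMAINI,
# and krb5.conf/resolv.conf still carry the earlier guess at the realm.
sed 's/idmap config JASONDOMAINI/idmap config JASONDOMAIN/' "$GOOD/smb.conf" > "$BAD/smb.conf"
printf '[libdefaults]\n    default_realm = JASONDOMAINI.JASONDOMAIN.JJ\n' > "$BAD/krb5.conf"
printf 'search jasondomaini.jasondomain.jj\nnameserver 192.0.2.10\n' > "$BAD/resolv.conf"

echo "== constructed good set"; check_join_config "$GOOD/smb.conf" "$GOOD/krb5.conf" "$GOOD/resolv.conf"
echo "== constructed bad set";  check_join_config "$BAD/smb.conf" "$BAD/krb5.conf" "$BAD/resolv.conf" ||
    echo "=> fix the above before running 'net ads join'"
```

On a real client the call is check_join_config /etc/samba/smb.conf /etc/krb5.conf /etc/resolv.conf; a clean run does not prove the join will succeed (DNS, time skew and the joining account's rights still matter, as the thread shows), but a failing run means 'net ads join' is not worth trying yet.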