From: Robert LeBlanc on
The changes have not made it into a 3.3.x release yet, 3.3.7 was a security
release, ideally 3.3.8 should have the fix. There were quite a number of
configuration changes from 3.0.x to 3.3.x in regards to Active Directory,
you may not be able to use your old config without updating some things.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez <iordonez(a)berkeley.edu> wrote:

>
> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some
> "realm" complaints when I run testparm and some "ADS" related error. The
> 3.3.7 version is masked by Gentoo portage and not sure if it will be
> available soon.
>
> Thanks,
> -Ivan
>
>
> Robert LeBlanc wrote:
>
> What version of samba are you using? I submitted a patch to Samba that is
> in 3.4.1 and slated for the next version of 3.3.x that fixes the
> workgroup/realm thing. It falls back to SPNEGO without the patch, but it
> takes a little while, the patch speeds things up.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <jpetersson(a)garnser.se
> > wrote:
>
>> How did you solve the kerberos portion of things, when winbind tries
>> to connect to my server the kerberos session fails as it tries to
>> connect with the workgroup instead of the realm.
>>
>> Thanks
>>
>> /Jonathan
>>
>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <iordonez(a)berkeley.edu>
>> wrote:
>> >
>> >
>> > Jonathan Petersson wrote:
>> >>
>> >> Hi Ivan,
>> >>
>> >> I'm working on a similar thing but am having some issues with the
>> >> kerberos sessions between samba and AD. Is your Samba server a member
>> >> of a Win2k8R2 or a Win2k3 domain?
>> >>
>> >> Thanks
>> >>
>> >> /Jonathan
>> >>
>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <iordonez(a)berkeley.edu>
>> >> wrote:
>> >>
>> >>>
>> >>> Robert LeBlanc wrote:
>> >>>
>> >>>>
>> >>>> What are the permissions on /shared/drive? We use ACLs to control access
>> >>>> rather than smb.conf. This gives us great flexibility and you can kind of
>> >>>> manage it using a Windows machine. If you have Kerberos keytab generated,
>> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are needed,
>> >>>> it also obeys ACL. The only catch is that you need to use RID or LDAP for
>> >>>> uid/gid mapping or else your permissions won't line up.
>> >>>>
>> >>>> Robert LeBlanc
>> >>>> Life Sciences & Undergraduate Education Computer Support
>> >>>> Brigham Young University
>> >>>>
>> >>>>
>> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordonez(a)berkeley.edu
>> >>>> <mailto:iordonez(a)berkeley.edu>> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> We have a Gentoo box running Samba and is a member of the Active
>> >>>> Directory domain. This Gentoo box will be a fileserver when
>> >>>> everything is completed and setup as it should. I want our users
>> >>>> to login to their computer (Computers are all members of the same
>> >>>> Active Directory domain) using Active Directory accounts/domain
>> >>>> for authentication. I am using Winbind for Active Directory
>> >>>> authentication/integration. I'm almost done except file permission
>> >>>> issue. All is working smoothly (ie. wbinfo, smbclient, getent,
>> >>>> etc.). I can access/map the shared drive on the Gentoo box from
>> >>>> any Windows computer, login to a machine without a problem using
>> >>>> Active Directory accounts. The Active Directory authentication
>> >>>> with Winbind is working as it should.
>> >>>>
>> >>>> For some odd reason, I can't figure out how to give permissions to
>> >>>> all users the ability to make changes/add new folders on the
>> >>>> shared drive. I am getting access denied even when the users or
>> >>>> group are valid users of the shared drive per smb.conf. Below is
>> >>>> my smb.conf shared configuration:
>> >>>>
>> >>>> [shared]
>> >>>> comment = shared
>> >>>> path = /shared/drive
>> >>>> read only = no
>> >>>> inherit permissions = yes
>> >>>> create mask = 755
>> >>>> directory mask = 755
>> >>>> valid users = @"MYDOMAIN+mygroup"
>> >>>> browseable = yes
>> >>>> writable = yes
>> >>>>
>> >>>> Any help would be greatly appreciated.
>> >>>>
>> >>>> -Ivan
>> >>>> -- To unsubscribe from this list go to the following URL and
>> read
>> >>>> the
>> >>>> instructions: https://lists.samba.org/mailman/options/samba
>> >>>>
>> >>>>
>> >>>
>> >>> Hi,
>> >>>
>> >>> The files and folders on the shared drive are owned by local Linux account.
>> >>> The permissions are read, write and execute by the owner, read and write by
>> >>> group and all. I was hoping that smb.conf will control the shared drive
>> >>> access but having a hard time doing so. I would like to use ACL if that is
>> >>> the best way to make it work. Would you mind giving me few pointers or
>> >>> point me to the right direction to get started on ACL? I am no LDAP expert
>> >>> but I think I can get by if I have to use it.
>> >>>
>> >>> Thanks!
>> >>>
>> >>> -Ivan
>> >>> --
>> >>> To unsubscribe from this list go to the following URL and read the
>> >>> instructions: https://lists.samba.org/mailman/options/samba
>> >>>
>> >>>
>> >
>> > Hi Jonathan,
>> >
>> > Our Samba server is a member of Win2k8R2 domain.
>> > Thanks,
>> > -Ivan
>> >
>>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Ivan Ordonez on
I was able to install 3.3.8 version of Samba. I am running it now. I
can see shares, but could not write at all.

ACL seems simple but I can't get it to work. Any help or advice would
be greatly appreciated.

From: Robert LeBlanc on
Sorry, my bad, 3.3.8 was the security release. It sounds like it is working
however. As far as ACLs, make sure that ACLs are turned on on your file
system (mount -o acl for most filesystems) and then make sure you have the
ACL packages for your distro installed (Debian apt-get install acl). Then
it's a matter of using the setfacl command like
`setfacl -m d:u:<ad-user>:rwx,u:<ad-user>:rwx,d:g:<ad-group>:rx,g:<ad-group>:rx /my/shared/dir`.

You can add as many ACLs as you want, remember that the linux default rwx
perms sets the max for ACL users and groups. If the linux user (owner) ACL
is rx, then even though an ACL specifies another user with rwx, they will
only have rx. The second thing to remember is that the default ACL is not
needed, but if specified will set those ACLs on all new files and
directories and act much like Windows. If you set the permissions using
Windows, the default ACL will be set. Thirdly, only Linux user and group have
the file counted against their quota, permissions assigned in ACLs do not
affect those user and groups quotas. Fourthly, some applications are not ACL
aware, Apache for instance does not look at ACLs on Linux. To check your set
ACLs, use getfacl /this/is/my/file.

Hope that helps.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez <iordonez(a)berkeley.edu> wrote:

> I was able to install 3.3.8 version of Samba. I am running it now. I can
> see shares, but could not write at all.
>
> ACL seems simple but I can't get it to work. Any help or advice would be
> greatly appreciated.
>
From: Ivan Ordonez on
I was able to set ACL with local username but can't do it on domain
username or groups.

hostname ~ # getfacl /shared/drive
getfacl: Removing leading '/' from absolute path names
# file: shared/drive
# owner: mylocalusername
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

When I tried to set ACLs for domain account or groups, it was invalid
option.

hostname ~ #setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3

hostname ~ #setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3

I believe the drive is mounted and ACL is enabled.

hostname ~ # mount
/dev/hda3 on / type ext3 (rw,noatime,acl)

Here is my /etc/fstab
/dev/hda3 / ext3 noatime,acl 0 1

What I find odd is running wbinfo and getent command to be very
inconsistent. I would sometimes get result and sometimes not.
hostname ~ # wbinfo -u
Error looking up domain users

Any other suggestions?

Thanks.
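Added example (not part of the original thread): setfacl can only store a named entry if the name resolves through NSS, so this sketch resolves the AD user or group with getent first and passes the numeric id to setfacl, writing the access and default entries together as in the command suggested earlier in the thread. The function names are hypothetical, and the numeric ids are only stable with a deterministic idmap backend (RID or LDAP, as mentioned earlier in the thread).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# resolve_id KIND NAME
#   KIND is u (user) or g (group). Prints the numeric uid/gid that NSS
#   (and therefore winbind) returns for NAME; fails if NAME does not resolve.
resolve_id() {
    case "$1" in
        u) db=passwd ;;
        g) db=group ;;
        *) return 2 ;;
    esac
    entry=$(getent "$db" "$2" 2>/dev/null) || return 1
    [ -n "$entry" ] || return 1
    # passwd and group records both carry the numeric id in field 3
    printf '%s\n' "$entry" | head -n 1 | cut -d: -f3
}

# acl_spec KIND ID PERMS
#   Prints one setfacl -m argument holding the default entry (inherited by
#   new files and directories) and the access entry for the same principal.
acl_spec() {
    printf 'd:%s:%s:%s,%s:%s:%s\n' "$1" "$2" "$3" "$1" "$2" "$3"
}

# grant KIND NAME PERMS DIR
#   Refuses to touch the ACL unless NAME resolves, then applies the entries
#   by numeric id (so spaces in AD names never reach setfacl) and prints the
#   resulting ACL for review.
grant() {
    num=$(resolve_id "$1" "$2") || {
        echo "cannot resolve '$2' through NSS; fix winbind first (wbinfo -u must work)" >&2
        return 1
    }
    setfacl -m "$(acl_spec "$1" "$num" "$3")" "$4" || return 1
    getfacl -p "$4"
}

# Usage (constructed names, matching the share path used in the thread):
#   grant g 'DOMAIN+Domain Admins' rwx /shared/drive
```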
From: Robert LeBlanc on
wbinfo needs to work all the time or you will have problems, getent does not
need to (we have enum users and groups set to no because we have so many objects
in our AD). I would look at the winbind logs to get an idea of what is wrong.
Debian has this at /var/log/samba/log.winbindd. I usually get several
connection reset by peer lines, and some Could not receive trustdoms, but it
seems to recover and retry and things work. What you are looking for is
failure to connect to a server, or trying to connect to a bad server or
something. It sounds like you are getting close, the last mile is always the
hardest.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Oct 5, 2009 at 5:49 PM, Ivan Ordonez <iordonez(a)berkeley.edu> wrote:

> I was able to set ACL with local username but can't do it on domain
> username or groups.
>
> hostname ~ # getfacl /shared/drive
> getfacl: Removing leading '/' from absolute path names
> # file: shared/drive
> # owner: mylocalusername
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::rwx
> default:other::r-x
>
> When I tried to set ACLs for domain account or groups, it was invalid
> option.
>
> hostname ~ #setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> hostname ~ #setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> I believe the drive is mounted and ACL is enabled.
>
> hostname ~ # mount
> /dev/hda3 on / type ext3 (rw,noatime,acl)
>
> Here is my /etc/fstab
> /dev/hda3 / ext3 noatime,acl 0 1
>
> What I find odd is running wbinfo and getent command to be very
> inconsistent. I would sometimes get result and sometimes not.
> hostname ~ # wbinfo -u
> Error looking up domain users
>
> Any other suggestions?
>
> Thanks.
>
>
>
>
>
>
>
>
>
>
> Robert LeBlanc wrote:
>
> Sorry, my bad, 3.3.8 was the security release. It sounds like it is working
> however. As far as ACLs, make sure that ACLs are turned on on your file
> system (mount -o acl for most filesystems) and the make sure you have the
> ACL packages for your distro installed (Debian apt-get install acl). Then
> it's a matter of using the setfacl command like `setfacl -m
> d:u:<ad-user>:rwx,u:<ad-user>:rwx,d:g:<ad-group>:rx,g:<ad-group>:rx
> /my/shared/dir.
>
> You can add as many ACLs as you want, remember that the linux default rwx
> perms sets the max for ACL users and groups. If the linux user (owner) ACL
> is rx, then even though an ACL specifies another user with rwx, they will
> only have rx. The second thing to remember is that the default ACL is not
> needed, but if specified will set those ACLs on all new files and
> directories and act much like Windows. If you set the permissions using
> Windows, the default ACL will be set. Thidly, only Linux user and group have
> the file counted against their quota, permissions assigned in ACLs do not
> affect thoes user and groups quotas. Fourtly, some applications are not ACL
> aware, Apache for instance does not look at ACLs on Linux. To check your set
> ACLs, use getfacl /this/is/my/file.
>
> Hope that helps.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez <iordonez(a)berkeley.edu>wrote:
>
>> I was able to install 3.3.8 version of Samba. I am running it now. I can
>> see shares, but could not write at all.
>>
>> ACL seems simple but I can't get it to work. Any help or advise would be
>> greatly appreciated.
>>
>> Robert LeBlanc wrote:
>>
>> The changes have not made it into a 3.3.x release yet, 3.3.7 was a
>> security release, ideally 3.3.8 should have the fix. There were quite a
>> number of configuration changes from 3.0.x to 3.3.x in regards to Active
>> Directory, you may not be able to use your old config without updating some
>> things.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>>
>> On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez <iordonez(a)berkeley.edu> wrote:
>>
>>>
>>> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some
>>> "realm" complaints when I run testparm and some "ADS" related error. The
>>> 3.3.7 version is masked by Gentoo portage and not sure if it will be
>>> available soon.
>>>
>>> Thanks,
>>> -Ivan
>>>
>>> Robert LeBlanc wrote:
>>>
>>> What version of samba are you using? I submitted a patch to Samba that is
>>> in 3.4.1 and slated for the next version of 3.3.x that fixes the
>>> workgroup/realm thing. It falls back to SPNEGO without the patch, but it
>>> takes a little while, the patch speeds things up.
>>>
>>> Robert LeBlanc
>>> Life Sciences & Undergraduate Education Computer Support
>>> Brigham Young University
>>>
>>>
>>> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <
>>> jpetersson(a)garnser.se> wrote:
>>>
>>>> How did you solve the kerberos portion of things, when winbind tries
>>>> to connect to my server the kerberos session fails as it tries to
>>>> connect with the workgroup instead of the realm.
>>>>
>>>> Thanks
>>>>
>>>> /Jonathan
>>>>
>>>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <iordonez(a)berkeley.edu>
>>>> wrote:
>>>> >
>>>> >
>>>> > Jonathan Petersson wrote:
>>>> >>
>>>> >> Hi Ivan,
>>>> >>
>>>> >> I'm working on a similar thing but am having some issues with the
>>>> >> kerberos sessions between samba and AD. Is your Samba server a member
>>>> >> of a Win2k8R2 or a Win2k3 domain?
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> /Jonathan
>>>> >>
>>>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <iordonez(a)berkeley.edu>
>>>> >> wrote:
>>>> >>
>>>> >>>
>>>> >>> Robert LeBlanc wrote:
>>>> >>>
>>>> >>>>
>>>> >>>> What are the permissions on /shared/drive? We use ACLs to control access
>>>> >>>> rather than smb.conf. This gives us great flexibility and you can kind of
>>>> >>>> manage it using a Windows machine. If you have Kerberos keytab generated,
>>>> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are needed,
>>>> >>>> it also obeys ACL. The only catch is that you need to use RID or LDAP for
>>>> >>>> uid/gid mapping or else your permissions won't line up.
>>>> >>>>
>>>> >>>> Robert LeBlanc
>>>> >>>> Life Sciences & Undergraduate Education Computer Support
>>>> >>>> Brigham Young University
>>>> >>>>
>>>> >>>>
>>>> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordonez(a)berkeley.edu
>>>> >>>> <mailto:iordonez(a)berkeley.edu>> wrote:
>>>> >>>>
>>>> >>>> Hello,
>>>> >>>>
>>>> >>>> We have a Gentoo box running Samba and is a member of the Active
>>>> >>>> Directory domain. This Gentoo box will be a fileserver when
>>>> >>>> everything is completed and setup as it should. I want our users
>>>> >>>> to login to their computer (Computers are all members of the same
>>>> >>>> Active Directory domain) using Active Directory accounts/domain
>>>> >>>> for authentication. I am using Winbind for Active Directory
>>>> >>>> authentication/integration. I'm almost done except file permission
>>>> >>>> issue. All is working smoothly (ie. wbinfo, smbclient, getent,
>>>> >>>> etc.). I can access/map the shared drive on the Gentoo box from
>>>> >>>> any Windows computer, login to a machine without a problem using
>>>> >>>> Active Directory accounts. The Active Directory authentication
>>>> >>>> with Winbind is working as it should.
>>>> >>>>
>>>> >>>> For some odd reason, I can't figure out how to give permissions to
>>>> >>>> all users the ability to make changes/add new folders on the
>>>> >>>> shared drive. I am getting access denied even when the users or
>>>> >>>> group are valid users of the shared drive per smb.conf. Below is
>>>> >>>> my smb.conf shared configuration:
>>>> >>>>
>>>> >>>> [shared]
>>>> >>>> comment = shared
>>>> >>>> path = /shared/drive
>>>> >>>> read only = no
>>>> >>>> inherit permissions = yes
>>>> >>>> create mask = 755
>>>> >>>> directory mask = 755
>>>> >>>> valid users = @"MYDOMAIN+mygroup"
>>>> >>>> browseable = yes
>>>> >>>> writable = yes
>>>> >>>>
>>>> >>>> Any help would be greatly appreciated.
>>>> >>>>
>>>> >>>> -Ivan
>>>> >>>> -- To unsubscribe from this list go to the following URL and read the
>>>> >>>> instructions: https://lists.samba.org/mailman/options/samba
>>>> >>>>
>>>> >>>>
>>>> >>>
>>>> >>> Hi,
>>>> >>>
>>>> >>> The files and folders on the shared drive are owned by local Linux account.
>>>> >>> The permissions are read, write and execute by the owner, read and write by
>>>> >>> group and all. I was hoping that smb.conf will control the shared drive
>>>> >>> access but having a hard time doing so. I would like to use ACL if that is
>>>> >>> the best way to make it work. Would you mind giving me few pointers or
>>>> >>> point me to the right direction to get started on ACL? I am no LDAP expert
>>>> >>> but I think I can get by if I have to use it.
>>>> >>>
>>>> >>> Thanks!
>>>> >>>
>>>> >>> -Ivan
>>>> >>>
>>>> >>>
>>>> >
>>>> > Hi Jonathan,
>>>> >
>>>> > Our Samba server is a member of Win2k8R2 domain.
>>>> > Thanks,
>>>> > -Ivan
>>>> >
>>>>
>>>
>>>
>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
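
Added example, not part of the original thread: a small Python model of the POSIX ACL access check, run over getfacl output of the kind the setfacl command quoted above would produce. The sample output, the names root, ad-user, ad-group and the function names are constructed for illustration; it shows that the mask entry caps named-user and group entries, while the owner entry is not masked.

```python
# Constructed getfacl output; ad-user and ad-group are placeholder names.
SAMPLE = """\
# file: shared/drive
# owner: root
# group: root
user::rwx
user:ad-user:rwx\t#effective:r-x
group::r-x
group:ad-group:r-x
mask::r-x
other::---
default:user::rwx
"""

def parse_getfacl(text):
    """Parse the access entries of getfacl output (default: entries are skipped)."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:" comment, then split tag:qualifier:perms.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl

def check_access(acl, user, groups, want):
    """POSIX ACL check: True if `user` (a member of `groups`) is granted all of `want`."""
    want = set(want)
    ents = acl["entries"]
    find = lambda tag, q: [p for t, qual, p in ents if t == tag and qual == q]
    mask = (find("mask", "") or [set("rwx")])[0]   # no mask entry: nothing to cap
    if user == acl["owner"]:                        # owner entry is never masked
        return want <= find("user", "")[0]
    named = find("user", user)
    if named:                                       # named user: capped by the mask
        return want <= (named[0] & mask)
    matched = [p for g in groups for p in find("group", g)]
    if acl["group"] in groups:
        matched += find("group", "")
    if matched:                                     # one matching group entry must grant it all
        return any(want <= (p & mask) for p in matched)
    return want <= find("other", "")[0]
```

On a real share, `getfacl` prints the `#effective:` comment next to any entry the mask has reduced, which is the quickest sign that a write denial comes from the mask rather than from the named entry.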