Re: [Samba] Samba and AD problem
Ian Harper wrote:
> I am following the examples in section 9.3 of the Samba 3 By Example book. I can SSH onto the samba server as an AD user but I can't mount a samba share.

verify existing and valid kerberos ticket, append a -o krb to your smbmount.

> If I run wbinfo -u or -g it shows the users and groups BUT it doesn't show the short domain name, also if I run the getent commands they show details but no domain name.

this should be no problem using samba as an ad member; annoying log output can be suppressed by changing the log level.

> Can anyone offer any suggestions as to what may be wrong.
> Thanks
> Ian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ADS File Security Problem
Just take a look in the man page of smb.conf and search for 'force'. I suppose what you are seeking is 'force user = auser'.

updatemyself . wrote:
> Hi All,
> I have a setup with Samba share + ADS. All my Windows XP machines log in to the ADS server and also to my samba share machine. Everything is working fine, except some security permission: users can access all shares without username and password once they log in to the Windows 2003 ADS. In almost all shares I allow read/write permission group-wise. All I need is: whoever creates a file or folder must not be the owner; only the administrator must be. Only then can we restrict the deletion of valuable data. Most of my shares are more than 1000GB. If I change the ownership from Linux with some cron scripts, it creates a big access problem from the Windows XP systems and I have to set up all the security permissions again from Windows. Is there any way to create files and folders only with the ownership of the administrator and with sticky-bit permission?
>
> Here is my current samba share configuration:
>
> #=== Global Settings
> [global]
> workgroup = MYDOMAIN
> server string = Samba Server
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ads
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> #=== Share Definitions ==
> #ldap idmap suffix = ou=emplist,dc=dqe,dc=com
> password server = 172.16.20.200
> realm = MYDOMAIN.COM
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> template homedir = /home/%D/%U
> allow trusted domains = no
> idmap backend = idmap_rid:DQE=16777216-33554431
> winbind use default domain = yes
>
> [vol08]
> path = /vol08_700
> writable = yes
> public = yes
> nt acl support = yes
> create mask = 0755
> security mask = 0755
> inherit permissions = yes
> inherit acls = yes
> force security mode = 0
> directory security mask = 0777
> force directory security mode = 0
>
> Please share your knowledge to solve this problem...
>
> Thank you in advance,
> --
> regards,
> Jerrynikki

--
Markus Klimke
Technische Universität Hamburg-Harburg
AB Modellierung und Berechnung
Denickestr. 17, Raum 3043
21073 Hamburg
Tel.: 040/42878-4482
[Samba] Automounting Samba Shares
Hi all,

I'm trying to (auto)mount the home directories of my users via samba3 to cut down on nfs if it works. If I add an entry to the fstab, root is able to mount the share if the appropriate kerberos ticket is available. But I can't mount it as a usual user; it just works if I mount it into the home directory. But I want to mount the home directory and don't want to create a temporary one to mount the real one there. So I've chowned it to the user which shall have it... and it works. But I can't unmount it (???)

With autofs it doesn't work either, telling me:

do_mount //samba/user /mnt/autofs/samba type smbfs options krb using module generic
mount(generic): calling mkdir /mnt/autofs/samba
mount(generic): calling mount -t smbfs -s -o krb //samba/user /mnt/autofs/samba
7422: tree connect failed: ERRDOS - ERRnoaccess (Access denied).
SMB connection failed

Every homedir can be accessed via //samba/USERNAME. Has anyone a hint?

-markus
[Samba] Re: Samba 3 PDC and ADS member server
Greg Adams wrote:
> I've been reading some documentation and can't find an answer to my question... I work in an environment where we have a bunch of Solaris 2.8 servers and a bunch of developers using Windows 2000 and XP desktops. We support a client using a Windows 2000 Server ADS PDC, and they need to map some of the NFS drives on our Solaris 2.8 servers. Currently we run a PCNetLink PDC (don't worry much about that, it's basically the same as a Samba 2 NT4 PDC), and our PCNetLink PDC has a trust relationship to the Windows 2000 Server ADS PDC that our client has. Additionally our internal development staff uses the PCNetLink PDC for user authentication, netlogon services, file sharing, etc.
>
> Fairly soon the corporation that both our development group and our client belong to is going to disallow all NT4 domain services, including PCNetLink and legacy mode operations, so we are looking at switching to Samba 3, as we have heard that it can communicate with ADS servers.
>
> Here's my question: I would like to move to an OpenLDAP/Kerberos authentication scheme for our Solaris machines and have a Samba 3 PDC using this OpenLDAP/Kerb5 backend for authentication as the PDC for our Windows 2000 and XP workstations. Additionally, I would like to be able to have the same Samba 3 PDC interact with the Windows 2000 ADS Server that our client runs in either a trust relationship or as a member server to allow the customer clients to use the filesharing services on our Solaris servers. From my reading, it seems that the trust relationship is not possible (something about NT4 trusts vs. ADS trusts, and Samba 3 only supporting NT4 trusts). Is it possible to have one samba 3 PDC also be an ADS member server? Is there some better way to achieve what I've described?
>
> Thanks for any help.
> Greg

I don't know if I understood you right, but you can either make your samba server work as a PDC or keep your Windows 2000 Server as the primary one.

The advantage of keeping Windows as the boss is that you can use group policy rights assignment on your windows machines; if you intend to use Samba as a PDC and want to have group policies, you should consider http://www.nitrobit.com/Index.html. In case you want Windows as the boss you can use the implemented LDAPv3 and the MIT Kerberos of the Windows 200x Server editions. To make your users visible on Unix you can use either nssldap (depends on: pam_ldap, openldap, [openssl, cyrus-sasl]) or winbind to map Windows to Unix users. I don't know if nssldap works on Solaris, but take a look here: http://www.padl.com/download. You have to extend your Windows Server schema with the MKSADPlugins.msi, which adds a Unix Settings tab when creating new users or groups, or download the Services for Unix 3.0, which are free from Microsoft. If you use nssldap you just need to install the SFU at minimum, just to extend your schema, nothing more.

For a Samba 3 PDC you have to use a passdb backend; many of them are supported by samba, like the pdb, the smbpasswd or ldap. They are described very well in the samba documentation or in the examples book from John Terpstra.

For some more info about using Windows as the boss, take a look at http://forums.gentoo.org/viewtopic.php?t=114837. Instead of emerge do your Solaris compiles.

-markus
[Samba] Re: Admins cannot change folder ownership
ww m-pubsyssamba wrote:
> Hi All,
> how can I allow an administrator to have permission to change folder ownership from windows explorer? The Samba server is an AD domain member server and I'm using group mapping, not winbind, for users and groups in Samba. I've tried mapping both the Administrators and Domain Admins groups to UNIX groups of which my test user is a member, but I always get a permission denied error when attempting to change the ownership of a folder. Anyone like to explain this to me?
> thanks in advance, cheers Andy.

Hi Andy,

I can't give you a total solution solving your (our, you are definitely not alone with this) problem. This problem is a mapping conflict. If you try to change the permissions on the windows side, you will see in the samba log that it can't map the SID under windows to a UID under unix. This will take, I think, a deeper look into the ACLs. I think that we have to use winbind after all, because it makes the SID-UID mapping. Using group mapping is recommended, I think, but you have to consider the RIDs. If you make a usual mapping to the Domain Users group without defining the RID, the last part of the SID will be generated automatically (algorithmic mapping, or so). No solution, but maybe a hint. If you solve it, please post.

-markus
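A worked illustration of the SID-to-UID mapping conflict Markus describes, added here as an example and not code from the thread or from Samba. It splits a SID into its domain part and RID, recognises the well-known RIDs and BUILTIN aliases, and applies the idmap_rid arithmetic documented in idmap_rid(8) (ID = RID - BASE_RID + LOW). The domain SID S-1-5-21-1000-2000-3000 and the member server's own SID S-1-5-21-7-8-9 used in the demo are made up. What it shows: BUILTIN\Administrators (S-1-5-32-544) is an alias with no domain RID, so nothing derived from the domain SID can map it, whereas Domain Admins is plain RID 512 under the domain SID; and a SID under the file server's own SID (the FILER\user entries seen in the security tab in the thread below) is not a domain SID at all.

```python
"""Take a Windows SID apart and say what an idmap_rid-style mapping can do with it.

Added example for the Administrators / Domain Admins mapping question above;
not code from the thread or from Samba. The domain SID S-1-5-21-1000-2000-3000
and the server SID S-1-5-21-7-8-9 used in the demo are made up.
"""
import re
from typing import Optional, Tuple

# Well-known domain-relative RIDs and BUILTIN aliases. These are fixed by
# Windows; only the ones relevant to the thread are listed.
DOMAIN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
BUILTIN_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (prefix, rid): the SID without its last sub-authority, and that
    last sub-authority as an int. For S-1-5-21-a-b-c-512 the prefix is the
    domain SID and 512 is the RID that idmap_rid and Samba's group mapping
    work from."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify(sid: str, domain_sid: Optional[str] = None):
    """('builtin', name) for a BUILTIN alias such as Administrators, which has
    no domain RID and therefore nothing idmap_rid can compute a UID/GID from;
    ('domain', name-or-None) for a SID under domain_sid; ('foreign', None) for
    a SID from another domain or from the file server's own local SAM (the
    FILER\\user entries in the security tab)."""
    if sid in BUILTIN_ALIASES:
        return ("builtin", BUILTIN_ALIASES[sid])
    prefix, rid = split_sid(sid)
    if domain_sid is not None and prefix != domain_sid:
        return ("foreign", None)
    return ("domain", DOMAIN_RIDS.get(rid))


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """The idmap_rid arithmetic from idmap_rid(8): ID = RID - BASE_RID + LOW.
    Returns None when the result is outside the configured idmap range."""
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


if __name__ == "__main__":
    domain = "S-1-5-21-1000-2000-3000"   # constructed domain SID
    server = "S-1-5-21-7-8-9"            # constructed SID of the member server's local SAM
    for sid in (domain + "-512", domain + "-513", "S-1-5-32-544", server + "-1001"):
        kind, name = classify(sid, domain)
        _, rid = split_sid(sid)
        uid = rid_to_unix_id(rid, 16777216, 33554431) if kind == "domain" else None
        print(f"{sid:32} {kind:8} {name or '-':16} unix id via idmap_rid: {uid}")
```

Run it as a script to see the four cases side by side; the `None` for the BUILTIN alias and for the server-local SID is the "can't map the SID to a UID" log line in mapping terms.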
[Samba] User problem (samba, w2k3)
Hello all,

:: Strategy ::
I am using Samba 3.0.2a with security mode ADS, hooking a fileserver up to a W2k3 server and domain. The join worked as mentioned in the documentation. For auth of users I use nssldap to query the LDAP database of W2k3, so my windows users are visible both under linux and windows.

:: Problem ::
If I try to share the homes or other points I'm asked to type in a username and a password. When I type in a username which, as described, is visible on both sides, windows says that this user is not valid to enter the share. As a workaround I used an admin entry in the smbpasswd, which has access to the shares. I think this is a very ugly hack. I also tried it with winbind, but it didn't work either. When I open the security tab under windows of a share or the subdirectories within, it shows entries like FILER\user, which is not my domain, just the samba server itself. Maybe this is correct, but I can't make any change of adding a user to the security context of windows. I am not using the winbind name switch in nsswitch.conf and not any winbind pam auth, because of using nssldap for making users visible on linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in advanced mode (not native or mixed mode), which might be a problem, but I don't believe this. If I type wbinfo -u the users on the windows side are listed, but not with the domain separator, just the user itself.

:: Question ::
How can I map samba shares with security = ADS on a windows machine, without using smbpasswd?

:: smb.conf ::
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.DE
security = ads
password server = w2k3.domain.de
encrypt passwords = yes
#smb passwd file = /etc/samba/smbpasswd
;; I don't want to use this line, because the documentation
;; said I don't need this
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 10
preferred master = no
idmap uid = 500-6000
idmap gid = 500-6000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = yes
;; Caught the above line from a hint, which was mentioned
;; to fix the problem

[homes]
comment = %u's Home Directory
;; This one's always showing, if the smbpasswd entry above
;; is enabled: admin's Home Directory, where admin is
;; the smbpasswd entry to get shares mapped
create mask = 0755
read only = No
browseable = No

[shared]
comment = Share Point
path = /shared
read only = no
browseable = yes

[backup]
comment = Backup Repo
path = /backup
read only = yes
browseable = no

Many thanks for every hint or assistance

Best regards
-markus
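An added check, not code from the thread or from the Samba project, that reads an smb.conf and flags the settings in the two configs posted on this page that carry security consequences: `idmap uid/gid = 500-6000` starting inside the local account range (a domain user can be handed the UID of an existing local account), `winbind use default domain = yes` (which is what removes the DOMAIN prefix from wbinfo and getent output, so a domain and a local account of the same name become one name to NSS), an idmap_rid domain name that differs from the workgroup, and a share that is both writable and `public = yes` (`public` is a synonym of `guest ok`). The two embedded configs are condensed copies of the posted ones; the parser is deliberately minimal (no `include`, no `copy =`), and the local-ID ceiling of 999 is an assumption to adjust per system.

```python
"""Lint the security-relevant bits of a Samba 3 member-server smb.conf.

Added example, not code from the thread or from the Samba project. The two
sample configs are condensed copies of the ones posted on this page; the
local-ID ceiling (999) is an assumption.
"""
import re

SMB_CONF_VOL08 = """\
[global]
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = idmap_rid:DQE=16777216-33554431
winbind use default domain = yes
[vol08]
path = /vol08_700
writable = yes
public = yes
"""

SMB_CONF_FILER = """\
[global]
workgroup = DOMAIN
realm = DOMAIN.DE
security = ads
idmap uid = 500-6000
idmap gid = 500-6000
winbind separator = +
[homes]
read only = No
browseable = No
[shared]
path = /shared
read only = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and key = value lines,
    '#'/';' comment lines skipped, keys lower-cased, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def lint(sections, local_id_max=999):
    """Return a list of (code, message) findings."""
    findings = []
    g = sections.get("global", {})

    # With this on, winbind hands out names without the DOMAIN prefix (the
    # 'wbinfo -u shows no domain' symptom), so a domain 'admin' and a local
    # 'admin' are the same name to NSS.
    if _yes(g.get("winbind use default domain", "no")):
        findings.append(("default-domain",
                         "winbind use default domain = yes strips the domain prefix; "
                         "domain and local accounts of the same name collide"))

    # An idmap range that starts inside the local account range lets winbind
    # allocate a domain user the UID/GID of an existing local account.
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            low, _, high = g[key].partition("-")
            low, high = int(low), int(high)
            if low <= local_id_max:
                findings.append((key.replace(" ", "-") + "-overlaps-local",
                                 f"{key} = {low}-{high} overlaps local IDs 0-{local_id_max}"))

    # idmap_rid is keyed by domain name; a name that is not the joined
    # domain's means the joined domain's SIDs are not the ones it maps.
    m = re.match(r"idmap_rid:([^=]+)=", g.get("idmap backend", ""))
    if m and m.group(1).strip().lower() != g.get("workgroup", "").strip().lower():
        findings.append(("idmap-rid-domain-mismatch",
                         f"idmap backend names domain {m.group(1)!r} but workgroup is {g.get('workgroup')!r}"))

    # 'public' is a synonym of 'guest ok'; a writable guest share is writable
    # by anyone who can reach the server.
    for name, share in sections.items():
        if name == "global":
            continue
        guest = _yes(share.get("guest ok", share.get("public", "no")))
        if "read only" in share:
            writable = not _yes(share["read only"])
        else:
            writable = _yes(share.get("writable", share.get("writeable", "no")))
        if guest and writable:
            findings.append(("guest-writable", f"[{name}] is writable and allows guest access"))
    return findings


def finding_codes(text, local_id_max=999):
    """The finding codes for an smb.conf text, for quick comparison."""
    return [code for code, _ in lint(parse_smb_conf(text), local_id_max)]


if __name__ == "__main__":
    for label, conf in (("vol08", SMB_CONF_VOL08), ("filer", SMB_CONF_FILER)):
        print(label)
        for code, msg in lint(parse_smb_conf(conf)):
            print(f"  {code}: {msg}")
```

Point it at a real file with `lint(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; `testparm -s` output is a cleaner input than the raw file because it has already resolved synonyms and defaults.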
[Samba] Re: User problem (samba, w2k3)
Yohann Ferreira wrote:
> Hi there
> Could you also join your krb5.conf and your pam.d/login files? I also have the same kind of problem, and I just would like to see differences between our configurations ...
> Thanks for reading!
> Bertram

Hi Bertram,

sure:

:: krb5.conf ::
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.DE
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.DE = {
kdc = w2k3.domain.de:88
}

[domain_realm]
.domain.de = DOMAIN.DE
domain.de = DOMAIN.DE

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

:: pam.d/system-auth ::
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so
auth sufficient /lib/security/pam_krb5.so use_first_pass likeauth
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
session optional /lib/security/pam_ldap.so

But I don't think it's related to these. I've tried a little around and saw that I had some problems understanding the permissions theory concerning windows and linux interoperability with samba. The main fact is that if you have the same users (usernames) on both sides, they have the right to map their home drive.
Even another share point, with exclusive rights for group membership, should give you the ability to map and/or access them. That does it for me. I don't know exactly why I had the problem, but it seems to be fixed. Maybe it was because winbind wasn't started, which could be. Now I can access the shares, if you have the permissions to access them. Anyway, at this time I can't set permissions in the security tab of windows for shares, but this is related to the SID - UID mapping, which I will have a closer look at later.

Best Regards
-markus

From: Markus Klimke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Samba] User problem (samba, w2k3)
Date: Thu, 29 Apr 2004 13:00:53 +0200
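One thing in the krb5.conf posted in this reply is worth a check of its own: both enctype lists end in des-cbc-crc, and a Windows 2003 KDC does not implement des3-hmac-sha1 at all (Windows KDCs of that generation offer RC4-HMAC and single DES; AES arrived with Windows Server 2008), so against that DC the client ends up with single-DES tickets. The script below is an added example, not code from the thread or from MIT Kerberos: it reads the `[libdefaults]` section, reports every enctype list that names a single-DES type, and rewrites those lists without them. The embedded sample is a condensed copy of the posted file; the replacement enctype is an assumption: arcfour-hmac-md5 is the strongest type a 2003 DC speaks (and is itself deprecated today), while against a 2008 or later DC the `strong` argument should be aes256-cts-hmac-sha1-96.

```python
"""Spot single-DES enctypes in a krb5.conf [libdefaults] and rewrite them.

Added example, not code from the thread or from MIT Kerberos. The sample
text is a condensed copy of the krb5.conf posted above; the replacement
enctype (arcfour-hmac-md5, the strongest type a Windows 2003 KDC offers)
is an assumption and should be aes256-cts-hmac-sha1-96 for 2008+ DCs.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.DE
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.DE = {
kdc = w2k3.domain.de:88
}

[domain_realm]
.domain.de = DOMAIN.DE
"""

# Single-DES enctypes: 56-bit keys. A TGT or service ticket issued under one
# of these is brute-forceable offline from a packet capture.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def libdefaults(text):
    """key -> value for the [libdefaults] section only. Brace sub-blocks in
    other sections are skipped; this is not a general krb5.conf parser."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def weak_enctypes(text):
    """{key: [single-DES types listed]} for each enctype list that names one;
    an empty dict means the client never proposes single DES."""
    conf = libdefaults(text)
    bad = {}
    for key in ENCTYPE_KEYS:
        if key in conf:
            weak = [e for e in conf[key].split() if e.lower() in SINGLE_DES]
            if weak:
                bad[key] = weak
    return bad


def harden(text, strong=("arcfour-hmac-md5",)):
    """Return the config with single-DES types dropped from every enctype
    list and the 'strong' types appended if missing. Only lines whose key is
    an enctype list are touched; realm and logging sections pass through
    unchanged."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().lower() in ENCTYPE_KEYS:
            kept = [e for e in value.split() if e.lower() not in SINGLE_DES]
            kept += [s for s in strong if s not in kept]
            out.append(f"{key.rstrip()} = {' '.join(kept)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak:", weak_enctypes(SAMPLE_KRB5_CONF))
    print(harden(SAMPLE_KRB5_CONF))
```

After rewriting, `kinit` followed by `klist -e` shows the enctype the KDC actually issued, which is the value that matters; the config only controls what the client proposes.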