Re: [Samba] Samba and AD problem

2005-11-28 Thread Markus Klimke

Ian Harper wrote:

I am following the examples section 9.3 in the Samba 3 By Example book.

I can SSH onto the samba server as an AD user but I can't mount a samba share.


Verify you have an existing and valid Kerberos ticket, and append -o krb to 
your smbmount.



If I run wbinfo -u or -g it shows the users and groups BUT it doesn't
show the short domain name; also if I run the getent commands they
show details but no domain name.


This should be no problem using Samba as an AD member; annoying log 
output can be suppressed by changing the log level.




Can anyone offer any suggestions as to what may be wrong?

Thanks

Ian

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba + ADS File Security Problem

2005-11-10 Thread Markus Klimke
Just take a look into the man page of smb.conf and search for 'force'. I 
suppose what you are seeking is 'force user = auser'.


updatemyself . wrote:

Hi All,
 I have a setup with Samba share + ADS.
All my Windows XP machines log in to the ADS server, and so does my Samba share machine.
 Everything is working fine, except for some security permissions.
Users can access all shares without a username and password
once they log in to the Windows 2003 ADS.
 In almost all shares I allow read/write permission group-wise.
 All I need is: whoever creates a file or folder
must not be the owner; only the administrator must be.
Only then can we restrict the deletion of valuable data.
Most of my shares are more than 1000GB.
 If I change the ownership from Linux with some scripts in crontab,
it creates a big access problem from the Windows XP systems,
and I have to set up all the security permissions again from Windows.
 Is there any way to create files and folders only with the ownership of
the administrator and with sticky-bit permission?
 Here is my correct samba share configuration...
#=== Global Settings ===

[global]
workgroup = MYDOMAIN
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
security = ads
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

#=== Share Definitions ===
#ldap idmap suffix = ou=emplist,dc=dqe,dc=com
password server = 172.16.20.200
realm = MYDOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
allow trusted domains = no
idmap backend = idmap_rid:DQE=16777216-33554431
winbind use default domain = yes

[vol08]
path = /vol08_700
writable = yes
public = yes
nt acl support = yes
create mask = 0755
security mask = 0755
inherit permissions = yes
inherit acls = yes
force security mode = 0
directory security mask = 0777
force directory security mode = 0

=
Please share your knowledge to solve this problem...
 Thank you in advance,

--
regards,
Jerrynikki

--
Markus Klimke
Technische Universität Hamburg-Harburg
AB Modellierung und Berechnung
Denickestr. 17, Raum 3043
21073 Hamburg

Tel.: 040/42878-4482
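The 'force user' suggestion changes which Unix identity every SMB session on the share runs as, so it is worth seeing what the posted [vol08] share then grants. The following is an added example, not code from the thread: it parses a constructed smb.conf containing that share plus a locked-down variant, computes the Unix modes new files and directories receive (assumed simplified rule: (requested & mask) | force mode, ignoring DOS-attribute execute-bit mapping), and flags two things a reviewer would raise: 'force user' combined with 'public = yes', and a forced sticky bit that cannot restrict deletion over SMB because every session is the forced owner.

```python
"""Added example (not from the thread): audit a share like [vol08] above once
'force user' is added. Mode rule assumed: (requested & mask) | force mode."""
import configparser

YES = ("yes", "true", "1")

# Constructed smb.conf: [vol08] is the thread's share plus 'force user';
# [vol08_locked] closes guest access and asks for the sticky bit instead.
SMB_CONF = """\
[vol08]
public = yes
force user = administer
create mask = 0755
directory mask = 0777

[vol08_locked]
public = no
valid users = @"MYDOMAIN\\Domain Users"
force user = administer
create mask = 0644
force directory mode = 01000
"""

def parse_shares(text):
    """Return {share: {option: value}} for every non-global section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.lower() != "global"}

def effective_modes(opts):
    """(file mode, dir mode) new objects get; Samba 3 default masks assumed."""
    octal = lambda key, default: int(opts.get(key, default), 8)
    fmode = (0o666 & octal("create mask", "0744")) | octal("force create mode", "0")
    dmode = (0o777 & octal("directory mask", "0755")) | octal("force directory mode", "0")
    return fmode, dmode

def audit(opts):
    """Findings a reviewer would raise for one share definition."""
    findings = []
    forced = opts.get("force user")
    guest = opts.get("public", opts.get("guest ok", "no")).lower() in YES
    if forced and guest:
        findings.append("guest sessions run as forced user %r" % forced)
    if forced and effective_modes(opts)[1] & 0o1000:
        # sticky bit restricts non-owners only; under 'force user' every SMB session is the owner
        findings.append("sticky bit has no effect over SMB: every session is owner %r" % forced)
    return findings
```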


[Samba] Automounting Samba Shares

2004-06-22 Thread Markus Klimke
Hi all,
I'm trying to (auto)mount the home directories of my users via samba3 to 
cut down NFS if it works. If I add an entry to the fstab, root is able 
to mount the share if the appropriate Kerberos ticket is available. But 
I can't mount it as a usual user; it just works if I mount it into the 
home directory. But I want to mount the home directory and don't want to 
create a temporary one to mount the real one there. So I've chowned it to 
the user who shall have it... and it works. But I can't unmount it (???)

With autofs it doesn't work either, telling me:
do_mount //samba/user /mnt/autofs/samba type smbfs options krb using 
module generic
mount(generic): calling mkdir /mnt/autofs/samba
mount(generic): calling mount -t smbfs -s -o krb //samba/user 
/mnt/autofs/samba
 7422: tree connect failed: ERRDOS - ERRnoaccess (Access denied).
 SMB connection failed

Every homedir can be accessed via //samba/USERNAME
Does anyone have a hint?
-markus


[Samba] Re: Samba 3 PDC and ADS member server

2004-05-28 Thread Markus Klimke
Greg Adams wrote:
I've been reading some documentation and can't find an answer to my
question...
I work in an environment where we have a bunch of Solaris 2.8 servers and
a bunch of developers using Windows 2000 and XP desktops. We support a
client using a Windows 2000 Server ADS PDC, and they need to map some of
the NFS drives on our Solaris 2.8 servers. Currently we run a PCNetLink
PDC (don't worry much about that, it's basically the same as a Samba 2 NT4
PDC), and our PCNetLink PDC has a trust relationship to the Windows 2000
Server ADS PDC that our client has. Additionally our internal development
staff uses the PCNetLink PDC for user authentication, netlogon services,
file sharing, etc.
Fairly soon the corporation that both our development group and our client
belong to is going to disallow all NT4 domain services, including
PCNetLink and legacy mode operations, so we are looking at switching to
Samba 3, as we have heard that it can communicate with ADS servers.
Here's my question: I would like to move to an OpenLDAP/Kerberos
authentication scheme for our Solaris machines and have a Samba 3 PDC
using this OpenLDAP/Kerb5 backend for authentication as the PDC for our
Windows 2000 and XP workstations. Additionally, I would like to be able to
have the same Samba 3 PDC interact with the Windows 2000 ADS Server that
our client runs in either a trust relationship or as a member server to
allow the customer clients to use the filesharing services on our Solaris
servers. From my reading, it seems that the trust relationship is not
possible (something about NT4 trusts vs. ADS trusts, and Samba 3 only
supporting NT4 trusts). Is it possible to have one samba 3 PDC also be an
ADS member server? Is there some better way to achieve what I've
described?
Thanks for any help. Greg
I don't know if I understood you right, but you can either make your 
Samba server work as a PDC or keep your Windows 2000 Server as the 
primary one. The advantage of keeping Windows as the boss is that you 
can use group policy rights assignment for your Windows machines; if you 
intend to use Samba as a PDC and want to have group policies, you should 
consider http://www.nitrobit.com/Index.html.

In case you want Windows as the boss you can use the implemented LDAPv3 
and the MIT Kerberos of the Windows 200x Server editions. To make your 
users visible on Unix you can use either nssldap (depends on: pam_ldap, 
openldap, [openssl, cyrus-sasl]) or winbind to map Windows to Unix 
users. I don't know if nssldap works on Solaris, but take a look here: 
http://www.padl.com/download. You have to extend your Windows Server 
schema with the MKSADPlugins.msi, which adds a Unix Settings tab when 
creating new users or groups, or download the Services for Unix 3.0, 
which are free from Microsoft. If you use nssldap you just need to 
install the SFU at minimum, just to extend your schema, nothing more.

For a Samba 3 PDC you have to use a passdb backend; many of them 
are supported by Samba, like the pdb, the smbpasswd or ldap. They are 
described very well in the Samba documentation or in the examples book 
from John Terpstra.

For some more info about using Windows as the boss, take a look at 
http://forums.gentoo.org/viewtopic.php?t=114837. Instead of emerge, do 
your Solaris compiles.

-markus


[Samba] Re: Admins cannot change folder ownership

2004-04-30 Thread Markus Klimke
ww m-pubsyssamba wrote:
Hi All,

	how can I allow an administrator to have permission to change folder ownership from windows explorer?
The Samba server is an AD domain member server and I'm using group mapping, not winbind, for users and groups in Samba. I've 
tried mapping both the Administrators and Domain Admins groups to UNIX groups of which my test user is a member, but I always 
get a permission denied error when attempting to change the ownership of a folder. Anyone like to explain this to me?

	thanks in advance, cheers Andy.
Hi Andy,

I can't give you a total solution solving your (our, you are definitely 
not alone with this) problem. This problem is a mapping conflict. If you 
try to change the permissions on the Windows side, you will see in the 
Samba log that it can't map the SID under Windows to a UID under Unix. 
This will take, I think, a deeper look into the ACLs. I think that we 
have to use winbind at all, because it does the SID-UID mapping. Using 
group mapping is recommended, I think, but you have to consider the 
RIDs. If you make a usual mapping to the Domain Users group without 
defining the RID, the last part of the SID will be generated 
automatically (algorithmic mapping, or so).

No solution, but maybe a hint. If you solve it, please post.

-markus

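The SID/UID mapping conflict described in this thread, and the 'idmap backend = idmap_rid:DQE=16777216-33554431' line from the earlier "Samba + ADS File Security Problem" post, both come down to a piece of RID arithmetic. The block below is an added example, not code from the thread or from Samba: it assumes Samba's documented rules, the algorithmic RID that 'net groupmap' invents when no rid is given (rid = gid*2 + 'algorithmic rid base' + 1, base 1000, under the server's own SID) and idmap_rid's id = rid - base_rid + low_id (base_rid 0); the domain SIDs are constructed.

```python
"""Added example (not from the thread): why a group mapping without an explicit
RID never matches an AD SID, and how idmap_rid maps AD RIDs into a UID range."""

AD_SID = "S-1-5-21-1111-2222-3333"           # constructed AD domain SID
SAMBA_LOCAL_SID = "S-1-5-21-4444-5555-6666"  # constructed member-server SID
DOMAIN_ADMINS_RID = 512                      # well-known RID of Domain Admins

def algorithmic_group_sid(gid, local_sid=SAMBA_LOCAL_SID, base=1000):
    """SID Samba invents for a group mapping when no rid is given (assumed rule)."""
    return "%s-%d" % (local_sid, gid * 2 + base + 1)

def split_sid(sid):
    """(domain part, rid) of an S-1-5-21-... SID; ValueError otherwise."""
    head, sep, rid = sid.rpartition("-")
    if not sep or not rid.isdigit() or not head.startswith("S-1-5-21-"):
        raise ValueError("not a domain SID: %r" % sid)
    return head, int(rid)

class RidMapper:
    """Stateless idmap_rid arithmetic for one domain and one id range."""
    def __init__(self, domain_sid, low_id, high_id, base_rid=0):
        self.domain_sid, self.base_rid = domain_sid, base_rid
        self.low, self.high = low_id, high_id

    def sid_to_id(self, sid):
        """Unix id for a SID of this domain; None if foreign or out of range."""
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None  # foreign domain: unmapped (cf. 'allow trusted domains = no')
        uid = rid - self.base_rid + self.low
        return uid if self.low <= uid <= self.high else None

    def id_to_sid(self, uid):
        """Reverse direction; the symmetry is what keeps idmap_rid stateless."""
        if not self.low <= uid <= self.high:
            return None
        return "%s-%d" % (self.domain_sid, uid - self.low + self.base_rid)

def resolve_sid(sid, groupmap, mapper=None):
    """Order a member server effectively uses: explicit group map, then idmap.
    groupmap is {sid: gid}; mapper is a RidMapper or None (no winbind idmap)."""
    if sid in groupmap:
        return groupmap[sid]
    return mapper.sid_to_id(sid) if mapper else None
```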


[Samba] User problem (samba, w2k3)

2004-04-29 Thread Markus Klimke
Hello all,

:: Strategy ::

I am using Samba 3.0.2a with security mode ADS, hooking a fileserver up 
to a W2k3 server and domain. The join worked as mentioned in the 
documentation. For auth of users I use nssldap to query the LDAP 
database of W2k3, so my Windows users are visible both under Linux and 
Windows.

:: Problem ::

If I try to share the homes or other points I'm asked to type in a 
username and a password. When I type in a username which is, as 
described, visible on both sides, Windows says that this user is not 
valid to enter the share. As a workaround I used an admin entry in the 
smbpasswd, which has access to the shares. I think this is a very ugly 
hack. I also tried it with winbind, but it didn't work either. When I open 
the security tab under Windows of a share or the subdirectories within, 
it shows entries like FILER\user, which is not my domain, just the Samba 
server itself. Maybe this is correct, but I can't make any change like 
adding a user to the security context of Windows.

I am not using the winbind name switch in nsswitch.conf nor any 
winbind PAM auth, because I use nssldap for making users visible on 
Linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in 
advanced mode (not native or mixed mode), which might be a problem, but 
I don't believe this. If I type wbinfo -u the users on the Windows side 
are listed, but not with the domain separator, just the user itself.

:: Question ::

How can I map samba shares with security = ADS on a windows machine, 
without using smbpasswd?

:: smb.conf ::

# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.DE
security = ads
password server = w2k3.domain.de
encrypt passwords = yes
#smb passwd file = /etc/samba/smbpasswd
;; I don't want to use this line, because the documentation
;; said I don't need this
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 10
preferred master = no
idmap uid = 500-6000
idmap gid = 500-6000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = yes
;; Catched the above line from a hint, which was mentioned
;; to fix the problem
[homes]
comment = %u's Home Directory
;; This one's always showing, if smbpasswd entry above
;; is enabled: admin's Home Directory, where admin is
;; is the smbpasswd entry to get shares mapped
create mask = 0755
read only = No
browseable = No
[shared]
comment = Share Point
path = /shared
read only = no
browseable = yes
[backup]
comment = Backup Repo
path = /backup
read only = yes
browseable = no
Many thanks for every hint or assistance
Best regards
-markus


[Samba] Re: User problem (samba, w2k3)

2004-04-29 Thread Markus Klimke
Yohann Ferreira wrote:
Hi there

Could you also join your krb5.conf and your pam.d/login files ?
I also have the same kind of problem, and I just would like to see 
differences between our configurations ...

Thanks for reading !

Bertram
Hi Bertram,

sure:

:: krb5.conf ::

[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.DE
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.DE = {
  kdc = w2k3.domain.de:88
}
[domain_realm]
.domain.de = DOMAIN.DE
domain.de = DOMAIN.DE
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
:: pam.d/system-auth ::

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_krb5.so use_first_pass likeauth
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_krb5.so use_first_pass
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so
session    optional     /lib/security/pam_ldap.so

But I don't think it's related to these. I've tried around a little 
and saw that I had some problems understanding the permissions theory 
concerning Windows and Linux interoperability with Samba. The main fact 
is that if you have the same users (usernames) on both sides, they have 
the right to map their home drive. Even another share point, with 
exclusive rights for group membership, should give you the ability to 
map and/or access them. That does it for me. I don't know exactly why I 
had the problem, but it seems to be fixed. Maybe it was because winbind 
wasn't started, which could be. Now I can access the shares, if you have 
the permissions to access them.

Anyway, at this time I can't set permissions in the security tab of 
Windows for shares, but this is related to the SID - UID mapping, which 
I will have a closer look at later.

Best Regards
-markus
