Re: [Samba] Samba server joining domain and browsing group shares

2008-03-31 Thread Victor Mendez
Alex, thank you for your support. Can you please explain the command below,
especially the chown? I'm not familiar with the syntax you are using. If I try
to apply this to our TEST configuration it does not work; we get the following
error:
cuzco:~ # chown 0:NETSYS\Series /Series
chown: `0:NETSYS\\Series': invalid group

Being NETSYS = workgroup name
Being Series = group Series defined on the ADS windows PDC
Being  /Series = a disk share on the samba machine

 On the server you have to use the chown command and chmod command to give
 the AD group DEP_TEST_MEMBER access on the Linux filesystem:
 chmod g+s /data/grp
 chown 0:TEST\DEP_TEST_MEMBER /data/grp

QUESTION: is DEP_TEST_MEMBER a group defined on the Linux box and on the
ADS, or is it only defined on the ADS?

on my linux TEST box on the /etc/groups there is no Series group
on my windows TEST ADS there is a group called Series  with 4 users

Another thing, maybe I have not been clear: from our Windows workstations we
want to connect to a share on the Linux box, but the user logged in on the
workstation does NOT have an account on the Linux machine; he has an account on
the Windows ADS PDC.

The following things work on our test environment machines:

- Kerberos configuration see command below:
  cuzco:~ # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: [EMAIL PROTECTED]

  Valid starting     Expires            Service principal
  02/26/08 23:36:17  02/27/08 09:36:53  krbtgt/[EMAIL PROTECTED]
        renew until 02/27/08 23:36:17


  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

- Joining the Domain see command below:
 cuzco:~ # net ads join -U Administrator
 Administrator's password:
 Using short domain name -- NETSYS
 Joined 'CUZCO' to realm 'NETSYSTEMSINFO.COM'

- client connection using ADS user not defined on server. (My brother does not 
have an account on the linux box only on the ADS test machine)
cuzco:~ # smbclient -L cuzco -Uamendez
Password:
Domain=[NETSYS] OS=[Unix] Server=[Samba 3.0.26a-3.5-1616-SUSE-SL10.3]

Sharename       Type      Comment
---------       ----      -------
users           Disk      All users
print$          Disk      Printer Drivers
documentaries   Disk      Documentaries files
movies          Disk      Movies media files
series          Disk      Series media files
IPC$            IPC       IPC Service (Linux file server)
lj2600n         Printer   HP Color LaserJet 2600n
Domain=[NETSYS] OS=[Unix] Server=[Samba 3.0.26a-3.5-1616-SUSE-SL10.3]

Server               Comment
---------            -------
AREQUIPA
CUZCO                Linux file server

Workgroup            Master
---------            -------
NETSYS               AREQUIPA

This does not work:

We are on the PDC and we try to browse/connect to any of the shares other than 
home on the linux samba box. See attached print.ps image.

This is the debug output of the /var/log/samba/* files, when we attempt to
browse/connect to the shares:

02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_secrets_verify_ticket   279 
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_secrets_verify_ticket   279 
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_secrets_verify_ticket   279 
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
02/28/2008 10:40:34 PM  libads/kerberos_verify.c
ads_secrets_verify_ticket   279 
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed

Re: [Samba] Samba server joining domain and browsing group shares

2008-03-21 Thread Alex de Vaal
On Tue, Mar 11, 2008 at 12:25 AM, Victor Mendez [EMAIL PROTECTED]
wrote:

Alex thanks a lot. The problem was solved. The configuration information you
 provided me was very precise and correct. The problem was with SuSE and
 the
 YAST2 SAMBA GUI.


Hello Victor,

I'm glad that my configuration information put you on the right track to get
things going.
The configuration information I gave you runs on more than 100 Samba sites
that are a Domain Member of a W2k3 Domain Controller.

Thanks a lot,  over the weekend we converted the 1st production server with
 this setup and we are converting 2 more win2k servers to samba servers. We
 are only keeping the PDC(It only contains the Active directory
 information,
 nothing else).


We have more or less the same setup; we have around 7 W2k3 Domain
Controllers on several European sites.
On more than 100 sites we have only CentOS/Red Hat Enterprise Linux servers
running with Samba as domain member.
The Samba domain members are connected to the remote DCs and this has worked
fine for more than 3 years now!


 The following is for SuSE user with 10.3 x-64,  shares names defined
 in /etc/samba/smb.conf should be in lower case. It will not work when
 using
 upper case characters. Another thing when creating groups on the windows
 PDC
 make sure that the groups are global not local otherwise linux function
 getent will not see them.
 Well that does it for us.


I have my shares configured in lower case (as you said), like this:

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes

The AD group DEP_TEST_MEMBER has access to this share.

In the AD we have also a group DEP_TEST_IT and IT users (in the test
environment) are member of both AD groups, so the users have access to the
share.

On Linux file system level I have in the /data/grp directory a directory
called: IT.

I gave the AD group DEP_TEST_IT the following rights on the IT directory:

chmod 2770 /data/grp/IT
chown 0:"TEST\dep_test_it" IT

"TEST\dep_test_it" must be between " " because \ is a meta character; like
this it is the \ separator for winbind.

Group names that are stored in capital case in the AD are resolved in lower
case by the winbind daemon.

Indeed, the group dep_test_it must NOT exist in the Linux group entry.

Cheers Alex and thanks again ;-)
 Regards
 Victor


You're welcome.

Regards,
Alex.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-10 Thread Victor Mendez
Alex thanks a lot. The problem was solved. The configuration information you 
provided me was very precise and correct. The problem was with SuSE and the 
YAST2 SAMBA GUI.

What we did basically was re-install SuSE 10.3 and edit /etc/samba/smb.conf
manually using the parameters you provided. We then commented out the
parameters SuSE puts in the file by default, manually modified
the /etc/krb5.conf file again following your instructions and sample files,
and bingo, everything works just fine.

Thanks a lot, over the weekend we converted the 1st production server with
this setup and we are converting 2 more win2k servers to Samba servers. We
are only keeping the PDC (it only contains the Active Directory information,
nothing else).

The following is for SuSE users with 10.3 x-64: share names defined
in /etc/samba/smb.conf should be in lower case. It will not work when using
upper case characters. Another thing: when creating groups on the Windows PDC,
make sure that the groups are global, not local; otherwise the Linux function
getent will not see them.

Well that does it for us.

Cheers Alex and thanks again ;-)

Regards

Victor


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-06 Thread Victor Mendez
Thanks Alex for the reply. This week I have to pay attention to another
project. I will revise the server configuration on Friday when I come back from
my business trip and email you the results over the weekend.

Regards

Victor


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-03 Thread Alex de Vaal
On Fri, Feb 29, 2008 at 5:06 PM, Victor Mendez [EMAIL PROTECTED]
wrote:

Output of getent command:

 cuzco:~ # getent group NETSYS\Documentaries
 documentaries:x:10008:netsys\fmendez,netsys\vmendez,amendez

 cuzco:~ # getent group NETSYS\Series
 series:x:10007:netsys\fmendez,netsys\vmendez,amendez

 cuzco:~ # getent group NETSYS\Movies
 movies:x:10005:netsys\vmendez,amendez,fmendez

 So it looks as we have solved the winbind separator problem .


Hi Victor,

This is the correct output of the getent group command. This is how I see
it on my Samba servers too, so it seems that your winbind problem is solved
indeed!

But we still get no directory browse. I include the output of
 the /var/log/samba/* files group when I try to login from a workstation
 see smb-logs.tar.gz

 In this file there are two errors that brought my attention:
 1st error =
  02/29/2008 10:22:01 AM libads/kerberos_verify.c
  ads_keytab_verify_ticket172
 ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
 principals

 2nd error =
 02/29/2008 10:22:01 AM  lib/util_sid.c  string_to_sid   223
 string_to_sid: Sid
 @NETSYSTEMSINFOCOM\Documentaries does not start with 'S-'.

 what I try to do is I try to browse/connect to the Documentaries share



Error messages of winbind can be found in /var/log/samba/winbindd.log.
Look in this file or in the log file of the IP address that tries to connect
(via browse) to the share, but you'll probably see "Failed to verify incoming
ticket".
This can be a number of things. Where did you get the Samba packages?
Which Kerberos version are you using on your server?

Did you configure /etc/krb5.conf too?

My /etc/krb5.conf looks like this:

[libdefaults]
 default_realm = TEST.COM

[realms]
 NH-HOTELES.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }


I have Red Hat Linux servers, and to connect to a Windows Server 2003 I need
at least MIT Kerberos version 1.3.1 on my Linux server with the Samba Red
Hat packages downloaded from samba.org.
Your Linux server must be in time sync with the DC too; use ntpdate -b <IP
address of DC> to synchronize time.
Use the net ads info command to see if you're in time sync (look at "Server
time offset"; it must be around 0, but not more than 300!)

Sometimes you also need to reboot the workstation that needs to connect to
the share on the Samba server.

If you don't use MIT Kerberos but Heimdal Kerberos, you have to look in the
Samba documentation for how to configure this (it is well described).


I hope this helps!

Regards,
Alex.


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-03 Thread Alex de Vaal
On Mon, Mar 3, 2008 at 2:06 PM, Alex de Vaal wrote:

Did you configure /etc/krb5.conf too?

 My /etc/krb5.conf looks like this:

 [libdefaults]
  default_realm = TEST.COM

 [realms]
  NH-HOTELES.COM = {
   kdc = adm01.test.com:88
   kdc = adm03.test.com:88
   kdc = adm04.test.com:88
  }


This is the correct /etc/krb5.conf file (sorry):

[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }

kdc equals a Domain Controller in your AD (Kerberos server).

Regards,
Alex.


Re: [Samba] Samba server joining domain and browsing group shares

2008-02-29 Thread Alex de Vaal
On Fri, Feb 29, 2008 at 5:12 AM, Victor Mendez [EMAIL PROTECTED]
wrote:

Alex, thank you for your support. Can you please explain the command below,
 especially the chown? I'm not familiar with the syntax you are using. If I
 try to apply this to our TEST configuration it does not work; we get the
 following error:
 cuzco:~ # chown 0:NETSYS\Series /Series
 chown: `0:NETSYS\\Series': invalid group

 Being NETSYS = workgroup name
 Being Series = group Series defined on the ADS windows PDC
 Being  /Series = a disk share on the samba machine

  On the server you have to use the chown command and chmod command to
 give
  the AD group DEP_TEST_MEMBER access on the Linux filesystem:
  chmod g+s /data/grp
  chown 0:TEST\DEP_TEST_MEMBER /data/grp

 QUESTION: is DEP_TEST_MEMBER a group defined on the Linux box and on the
 ADS, or is it only defined on the ADS?



DEP_TEST_MEMBER is a group only defined in the AD.



 on my linux TEST box on the /etc/groups there is no Series group
 on my windows TEST ADS there is a group called Series  with 4 users

 Another thing maybe I have not been clear, from our windows workstations
 we
 want to connect to a share in the Linux box but the user logged in the
 workstation does NOT have an account on linux machine he has an account on
 the windows ADS PDC.



AD users don't need an account on the Linux machine. But for Samba to work
properly with AD users, you also need the winbind daemon to run.
winbind is a daemon of Samba. If winbind runs properly then AD users/groups
will be a (virtual) part of /etc/passwd and /etc/group.

The file /etc/nsswitch.conf must look like this for winbind to run properly:
passwd: files winbind
shadow: files
group:  files winbind

You can test that by using the getent command:
getent group TEST\DEP_TEST_MEMBER

The AD group DEP_TEST_MEMBER will be now translated to a Linux GID.

- Joining the Domain see command below:
  cuzco:~ # net ads join -U Administrator
  Administrator's password:
  Using short domain name -- NETSYS
  Joined 'CUZCO' to realm 'NETSYSTEMSINFO.COM'


That looks fine.


 We have adjusted the /etc/samba/smb.conf file to match your sample file
 config. Here I include a copy:
[global]
workgroup = NETSYS
realm = NETSYSTEMSINFO.COM
preferred master = no
server string = Linux file server
security = ADS
encrypt passwords = yes
log level = 3
printcap name = cups
printing = cups
cups options = raw
winbind enum users  = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = no
winbind separator = +


The problem resides here: winbind separator = +
Remove that entry and now the separator will be \



 [series]
comment = Series media files
#inherit acls = Yes
inherit permissions = Yes
path = /Series
read only = No
valid users = @NETSYSTEMSINFO.COM\Series
hide unreadable = yes


If you want to use winbind separator = + then the valid users must be
like this: @NETSYSTEMSINFO.COM+Series

Regards,
Alex.
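An added sanity check, written for this thread and not part of Samba or either poster's setup, that parses an smb.conf and reports the mismatch Alex points out: a valid users group qualified with a separator other than the configured winbind separator (Samba's default is \). It also flags an unqualified @group when winbind use default domain is off, and share names that are not lower case (Victor's SuSE 10.3 observation). The configuration text is a constructed sample.

```python
import re

# Constructed sample (not from the thread) mirroring the mistake discussed:
# [global] sets "winbind separator = +" while [series] still qualifies its
# group with "\" in "valid users", so that group name can never resolve.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = NETSYS
realm = NETSYSTEMSINFO.COM
security = ADS
winbind separator = +

[series]
path = /Series
valid users = @NETSYSTEMSINFO.COM\Series

[Movies]
path = /Movies
valid users = @NETSYSTEMSINFO.COM+Movies, @Movies
"""

SEPARATOR_CHARS = "\\+"  # characters commonly used as the winbind separator


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lower-cased,
    '#'/';' comment lines skipped, continuation lines not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def check_smb_conf(text):
    """Return findings as (section, code, detail) tuples."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    sep = glob.get("winbind separator", "\\")  # Samba's default separator is "\"
    # with "winbind use default domain = yes" an unqualified @group is legitimate
    default_domain = glob.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        if name != name.lower():
            findings.append((name, "upper-case-share", name))
        for entry in params.get("valid users", "").split(","):
            entry = entry.strip()
            if not entry.startswith("@"):
                continue  # plain user entries are not checked here
            group = entry[1:]
            if sep in group:
                continue  # qualified with the configured separator: fine
            used = [c for c in SEPARATOR_CHARS if c in group]
            if used:
                findings.append((name, "separator-mismatch",
                                 f"{entry} uses {used[0]!r} but winbind separator is {sep!r}"))
            elif not default_domain:
                findings.append((name, "unqualified-group", entry))
    return findings
```

Removing the winbind separator line from the sample, as Alex advises, clears the [series] finding but then exposes the "+"-qualified entry in [Movies], which is the same mistake in the other direction.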


Re: [Samba] Samba server joining domain and browsing group shares

2008-02-29 Thread Victor Mendez

Alex, I thank you for your patience, but it is not working.

I have implemented the following changes: 

1st change to /etc/nsswitch.conf:
   The file /etc/nsswitch.conf must look like this for winbind to run
   properly:
   passwd: files winbind
   shadow: files
   group:  files winbind

2nd change to /etc/samba/smb.conf:
 The problem resides here: winbind separator = +
 Remove that entry and now the separator will be \


Output of getent command:

cuzco:~ # getent group NETSYS\Documentaries
documentaries:x:10008:netsys\fmendez,netsys\vmendez,amendez

cuzco:~ # getent group NETSYS\Series
series:x:10007:netsys\fmendez,netsys\vmendez,amendez

cuzco:~ # getent group NETSYS\Movies
movies:x:10005:netsys\vmendez,amendez,fmendez

So it looks as we have solved the winbind separator problem .

But we still get no directory browse. I include the output of
the /var/log/samba/* files group when I try to log in from a workstation;
see smb-logs.tar.gz.

In this file there are two errors that brought my attention:
1st error =
 02/29/2008 10:22:01 AM libads/kerberos_verify.c
ads_keytab_verify_ticket172 
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab 
principals

2nd error =
02/29/2008 10:22:01 AM  lib/util_sid.c  string_to_sid   223
string_to_sid: Sid @NETSYSTEMSINFOCOM\Documentaries does not start with 'S-'.

What I try to do is browse/connect to the Documentaries share.

It looks like we are stuck...

Thanks again, regards

Victor

Re: [Samba] Samba server joining domain and browsing group shares

2008-02-28 Thread Victor Mendez
Thank you, Alex. I will try this as soon as possible today and let you know
the results.

Regards

victor


[Samba] Samba server joining domain and browsing group shares

2008-02-27 Thread Victor Mendez
Hello, I have a small network and would like to add Samba to our environment.
This is what I would like to accomplish:
- We have an ADS PDC (Windows 2000 server)
- We have 27 Windows XP Pro workstations

We have recently bought a new server, installed OPENSUSE 10.3, and installed
and configured Samba. Basically we want to use the new Samba server as a data
repository server.

In the Windows environment we have 4 groups: management, which has 4 users;
accounting, which has 5 users; sales, which has 3 users; and ingeneering, which
has 15 users.

We would like the users in each group to have access only to the files for
their corresponding group on the Samba server, i.e. accounting sees the
accounting share only, etc. These groups are defined on the PDC ADS machine,
not on the Samba server.

My question is: how do I configure the Samba server to inherit the groups
defined on the Windows PDC ADS machine?

I include a copy of the /etc/samba/samba.conf file:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-12-04
[global]
workgroup = NETSYS
realm = NETSYSTEMSINFO.COM
preferred master = no
server string = Linux file server
security = ADS
encrypt passwords = yes
log level = 3
printcap name = cups
printing = cups
cups options = raw
winbind enum users  = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind separator = +
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
#security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
netbios name = cuzco
usershare allow guests = No
use kerberos keytab = true
idmap gid = 1-2
idmap uid = 1-2
template homedir = /home/%D/%U
#winbind refresh tickets = yes
password server = arequipa.netsystemsinfo.com
#winbind cache time  = 600
allow trusted domains = yes

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[management]
comment = Management files
inherit acls = Yes
path = /Management
read only = No
valid users = @Documentaries
admin users = vmendez

[accounting]
comment = Accounting  files
inherit acls = Yes
path = /Accounting
read only = No
valid users = @Movies
admin users = vmendez

[sales]
comment = Sales files
inherit acls = Yes
path = /Sales
read only = No
valid users = @Series
admin users = vmendez

[ingeneering]
comment = Ingeneering files
inherit acls = Yes
path = /Ingeneering
read only = No
valid users = @Series
admin users = vmendez

## Share disabled by YaST
# [netlogon]
-
I also include a copy of my /etc/krb5.conf file:
[libdefaults]
default_realm = NETSYSTEMSINFO.COM
dns_lookup_realm = false
dns_lookup_kdc   = false
ticket_lifetime  = 24h
forwardable  = yes
#clockskew = 300

[realms]
NETSYSTEMSINFO.COM = {
kdc = arequipa.netsystemsinfo.com
admin_server = arequipa.netsystemsinfo.com
default_domain = netsystemsinfo.com
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
#*.netsystemsinfo.com = NETSYSTEMSINFO.COM
.kerberos.server= NETSYSTEMSINFO.COM
.netsystemsinfo.com = NETSYSTEMSINFO.COM

[appdefaults]
pam = {
ticket_lifetime = 36000
renew_lifetime  = 36000
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
krb4_convert   = false
}

[Samba] Samba server joining domain and browsing group shares

2008-02-27 Thread Alex de Vaal
Hello,

What you want is rather easy; I have it running.

My Samba server (on Red Hat) is a domain member of a W2k3 native AD, so it is
joined to the domain (net ads join -Uusername%password).

This is what my smb.conf looks like:


# Global Parameters Needed For Samba 3.0.27a
[global]
workgroup = TEST
realm = TEST.COM
server string = %h server (Samba %v)
security = ADS
password server = adm04.test.com, adm01.test.com
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 660
domain master = No
ldap timeout = 15
idmap uid = 1-3
idmap gid = 1-3
template homedir = /data/hom/%U
template shell = /bin/bash
winbind cache time = 660
printer admin = @TEST.COM\Domain Admins, @TEST.COM\DEP_ADMIN
oplocks = No
level2 oplocks = No
default devmode = No
enable privileges = Yes
host msdfs = No
msdfs root = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
printing = cups
strict locking = Yes

[homes]
comment = Home Directories
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes


On the server you have to use the chown command and chmod command to give
the AD group DEP_TEST_MEMBER access on the Linux filesystem:
chmod g+s /data/grp
chown 0:TEST\DEP_TEST_MEMBER /data/grp

I have 200+ sites running like this... ;-)

Regards,
Alex.