On Wed, Dec 16, 2009 at 4:34 AM, mistofeles <ptmu...@utu.fi> wrote:
>
> Okay, this Samba4 seemed to be a dead end. I re-installed some parts of
> Samba and the 'net' command started to work again.
>
> Some questions:
> - Must I log in and 'kinit' with my username, which has rights to join this
> device to AD, every time I reboot the PC? It seems so.
>
> - Is there some way to make the user permissions work in Samba?
> Now I have to set 707 permissions on the user's home directory so that he can
> read and modify his data. If I make it like this, everyone in the AD can go and
> read his files.
> Linux has its own system of permissions. Is there any way to make Samba
> understand that they should be used and not some system which is built into
> Samba?
>
> Somebody said that I should keep the system 'KISS'. How is this made?
>
You seem to be having a lot more trouble with this than you should. I'll go
over the steps that are in a joining script I wrote to make sure you are not
missing anything. YMMV, mostly depending on how your DNS is set up.

apt-get update
apt-get install samba samba-common winbind ntp ntpdate openssh-server krb5-config krb5-user
/etc/init.d/winbind stop
/etc/init.d/samba stop

edit /etc/krb5.conf (if needed; we replace the file with only the following
contents, as our DNS provides everything else we need)

[libdefaults]
        default_realm = DOMAIN.LOCAL
        forwardable = true
        rdns = no

[domain_realm]
        .domain.local = DOMAIN.LOCAL

edit /etc/hosts

127.0.0.1       localhost
127.0.1.1       hostname.domain.local hostname.domain.edu hostname

edit /etc/dhcp3/dhclient.conf (if the computer is using DHCP, add the following lines)

send host-name "MYCOMPUTER";
supersede domain-name "domain.local domain.edu";

/sbin/dhclient

If statically assigned IP addresses, edit /etc/resolve.conf

domain domain.local
search domain.local domain.edu

edit /etc/nsswitch.conf (modify the following lines)

passwd:         compat winbind
group:          compat winbind
hosts:          files dns

(msdns, or whatever it is, causes lots of problems; I suggest you only use
files and dns for hosts, and use whatever else you need)

If you don't want interactive logins to the box, comment out the identified
PAM lines.

- Edit /etc/pam.d/common-account like this:

account sufficient      pam_winbind.so
account required        pam_unix.so

- Edit /etc/pam.d/common-auth like this:

auth    sufficient      pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    required        pam_unix.so use_first_pass nullok_secure

- Edit /etc/pam.d/common-session like this:

session required        pam_mkhomedir.so skel=/etc/skel umask=0028   #Comment out if no interactive logins
session required        pam_winbind.so
session required        pam_unix.so

- Edit /etc/pam.d/samba like this:

@include common-auth
auth    required        pam_winbind.so
@include common-account
account required        pam_winbind.so
@include common-session

- Edit /etc/pam.d/login like this: (no changes needed if no interactive logins)

#
# The PAM configuration file for the Shadow 'login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so select_context

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

- Edit /etc/pam.d/sshd like this: (no changes needed if no interactive logins)

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account    required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session    required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

- Edit /etc/security/access.conf like this: (no changes if no interactive logins)

+ : root : ALL
+ : ad_group1 : ALL
+ : ad_group2 : ALL
- : ALL : ALL

- Edit /etc/security/pam_winbind.conf like this: (no changes if no interactive logins)

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
;krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

- Edit /etc/samba/smb.conf like this:

#======================= Global Settings =======================

[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   preferred master = no
   server string = %h server
   dns proxy = no

#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes

########## Printing ##########
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes

############ Misc ############
   idmap backend = hash
   winbind nss info = hash
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = no
   winbind enum users = no
   winbind nested groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   winbind refresh tickets = yes
#  kerberos method = system keytab   # Keytab not working with PAM cache, see bug #6833
   winbind offline logon = yes

#======================= Share Definitions =======================

- Edit /etc/ssh/ssh_config like this: (no changes if no interactive logins)

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

- Edit /etc/ssh/sshd_config like this:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

- Turn samba and winbind back on
- Run the following command: `net ads join -U [domain-account]`
- restart samba, winbind and ssh
- try to login/access a share using your domain credentials
- now you're done!

Set up the passwd command to work with AD users (interactive logins only)

If you want the active directory users to be able to change their passwords
(such as for non-route-y AD users), you must make the following change:

- Edit /etc/pam.d/common-password like this:

password   sufficient   pam_unix.so nullok obscure md5
password   requisite    pam_winbind.so krb5_auth krb5_ccache_type=FILE

As far as file security, Samba will honor Linux's file permissions, including
ACLs. If you need fine-grained permissions and the ability to set some
permissions through Windows, then install the acl package and enable it on
your file system. Samba also honors quotas from Linux as well.

It has taken me months of research and tinkering with Samba and Active
Directory to get to the point where I am now. If you take the time to
understand how each option listed above works, it's a lot easier to
troubleshoot. Don't get discouraged if things are not working right away; be
sure you are restarting the winbind and samba services, and check the logs,
they help a lot (/var/log/samba/*) in finding where problems lie. Every
environment is different, so you may run into things that others have not. We
can try to help where we can, but be patient, you may have to be the one that
figures it out.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
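Added here as an example (not code from the post, from Samba, or from the poster's joining script): a POSIX shell script that sanity-checks three of the files the procedure above edits before `net ads join` is run, covering the mistakes that most often break the join or the access.conf login restriction. The check function names are my own, the checks take file paths so they can be pointed at the real /etc files, and the sample files the script writes are constructed to mirror the post's settings.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): pre-join sanity checks for
# three of the files the procedure edits. Sample files below are constructed.
# nsswitch.conf: passwd and group lookups must go through winbind.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}
# smb.conf must say "security = ADS" and its realm must match the
# default_realm in krb5.conf, or the join cannot obtain a Kerberos ticket.
check_realms() {
    smb_realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n1)
    krb_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2" | head -n1)
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] &&
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"
}
# access.conf: the last non-comment rule must be the deny-all, otherwise the
# "+" lines above it do not restrict interactive logins at all.
check_access() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}
# Constructed sample files mirroring the settings in the post.
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
   realm = DOMAIN.LOCAL
   security = ADS
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.LOCAL
EOF
cat > "$tmp/access.conf" <<'EOF'
+ : root : ALL
+ : ad_group1 : ALL
- : ALL : ALL
EOF
# Report each check; point the paths at /etc/... on a real host.
for chk in "check_nsswitch $tmp/nsswitch.conf" \
           "check_realms $tmp/smb.conf $tmp/krb5.conf" \
           "check_access $tmp/access.conf"; do
    if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; fi
done
```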