Re: [Samba] how to join to AD ? -Annoyed

2009-12-17 Thread Robert LeBlanc
On Thu, Dec 17, 2009 at 8:23 AM, mistofeles  wrote:

>
>
> Robert LeBlanc wrote:
> >
> > You seem to be having a lot more trouble with this than it should be.
> >
> Yes, I know, I'm stupid ;)
> And after reading hundreds of pages of Samba documentation I still feel
> stupid.
>
> - I didn't find line 'password server = KDC' in your smb.conf. I thought it
> must be there.
> Login/access is OK. Here my troubles begin.
>

Password server by default will query the domain for servers to use, you may
override it and specify an order or pin it to specific servers. I choose to
leave the default so that I don't have to worry about which DCs are up and
if any more are added or removed in the future. I left it out to use the
defaults, check the man page for more info.


> Robert LeBlanc wrote:
> >
> > As far as file security, Samba will honor Linux's file permissions
> > including ACLs.
> >
> It seems that I do not understand the system Samba handles the permissions.
>
> It seems that in terminal Linux 'User' permissions (rwx--) are used but
> in Samba the access is determined with 'World' (--rwx), if group is not
> valid AD group. Or it is determined by 'Group' (---rwx---), if the group is
> valid 'domain users'.
>

Linux and Samba will try the user's permissions, then group and then other.
This makes permissions fall through more easily as generally you will give
more permissions to users and less permissions to other (world). Since we
usually use ACLs, user and group are given all permissions (usually they
need all permissions in most cases) and then give more restricted access
using ACL to other users and groups. The world permissions are set as normal
since ACLs don't make much sense in this situation. I usually map this to
the Everyone group in Windows in my head. Basically, our linux users that
log in to the system have the same exact access as they do over Samba. Maybe
one of my share defs can help:

[users]
   comment = Life Sciences user share
   browseable = yes
   path = /ls/users
   guest ok = no
   read only = no
   admin users = lfsci-csr
   create mask = 0770
   directory mask = 0770
   veto files = /.forward/.bash*/.profile/
   dos filemode = yes
   posix locking = no
   hide unreadable = yes
   vfs objects = shadow_copy2
   shadow:snapdir = /ls/snapshots/users
   shadow:basedir = /ls/users
   shadow:fixinodes = yes

We have one share and users have folders that only they can see.

drwxr-sr-x  57 root root  4.0K 2009-12-17 03:14 users

A user folder:
drwxrws--- 18 rleblanc lfsci-csr 4.0K 2009-12-14 10:05 rleblanc

When someone with no access connects to the share, they see a blank screen.
When I access the same share (I'm a member of lfsci-csr), I see everyone's
folder. When a regular user logs in, they only see their folder. This allows
me to quickly help someone when they are having data problems, as that share
is already mapped on my machines.



> After reading your message twice I made some tuning and found that this
> line
> in [homes] made the permissions work:
>  path = /home/%U
> Note %U. With %S it left users directories wide open RW if d---rwx---
> My conf's are still mostly as I have laid them.
>
> Now there is some funny behaviour. If I query \\myserver\somebody (somebody
> is a member of AD) on the WinXP MyComputer address line, I get my own
> directory \\myserver\myself in window.
> This doesn't matter, it happens in my old samba 2 server too.
>
> Another funny thing is that in Win there is both: 'homes' and 'myself' and
> they both are connected to 'homes'.
>
> After all this hacking my smb.conf is full of garbage, but it works. I will
> collect my conf's to my WWW page ASAP.
>
I've cut out as much stuff as I could from my smb.conf file, and the
defaults work great most of the time. If you have time, you might want to
see what can be thrown out to make reading your conf a little easier.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] how to join to AD ? -Annoyed

2009-12-17 Thread mistofeles


Robert LeBlanc wrote:
> 
> You seem to be having a lot more trouble with this than it should be. 
> 
Yes, I know, I'm stupid ;)
And after reading hundreds of pages of Samba documentation I still feel
stupid.

- I didn't find line 'password server = KDC' in your smb.conf. I thought it
must be there.
Login/access is OK. Here my troubles begin.

Robert LeBlanc wrote:
> 
> As far as file security, Samba will honor Linux's file permissions
> including ACLs. 
> 
It seems that I do not understand the system Samba handles the permissions. 

It seems that in terminal Linux 'User' permissions (rwx--) are used but
in Samba the access is determined with 'World' (--rwx), if group is not
valid AD group. Or it is determined by 'Group' (---rwx---), if the group is
valid 'domain users'. 

After reading your message twice I made some tuning and found that this line
in [homes] made the permissions work:
 path = /home/%U
Note %U. With %S it left users directories wide open RW if d---rwx---
My conf's are still mostly as I have laid them.

Now there is some funny behaviour. If I query \\myserver\somebody (somebody
is a member of AD) on the WinXP MyComputer address line, I get my own
directory \\myserver\myself in window.
This doesn't matter, it happens in my old samba 2 server too.

Another funny thing is that in Win there is both: 'homes' and 'myself' and
they both are connected to 'homes'.

After all this hacking my smb.conf is full of garbage, but it works. I will
collect my conf's to my WWW page ASAP.

-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26829652.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ? -Annoyed

2009-12-16 Thread Robert LeBlanc
On Wed, Dec 16, 2009 at 4:34 AM, mistofeles  wrote:

>
> Okay, this Samba4 seemed to be a dead end. I re-installed some parts of
> Samba and 'net' command started to work again.
>
> Some questions:
> - Must I log in and 'kinit' with my username, which has rights to join this
> device to AD every time I reboot the PC. It seems so.
>
> - Is there some way to make the user permissions work in Samba ?
> Now I have to set 707 permissions to user home directory so that he can
> read
> and modify his data. If I make it like this, everyone in the AD can go and
> read his files.
> Linux has its own system of permissions. Is there any way to make Samba
> understand that they should be used and not some system, which is built in
> Samba ?
>
> Somebody said that I should keep the system 'KISS'. How is this made ?
>

You seem to be having a lot more trouble with this than it should be. I'll
go over the steps that are in a joining script I wrote to make sure you are
not missing anything. YMMV mostly depending on how your DNS is set up.

apt-get update
apt-get install samba samba-common winbind ntp ntpdate openssh-server
krb5-config krb5-user
/etc/init.d/winbind stop
/etc/init.d/samba stop
edit /etc/krb5.conf (if needed, we replace the file with only the following
contents as our DNS provides everything else we need)
 [libdefaults]
default_realm = DOMAIN.LOCAL
forwardable = true
rdns = no

 [domain_realm]
.domain.local = DOMAIN.LOCAL

edit /etc/hosts
 127.0.0.1  localhost
 127.0.1.1  hostname.domain.local hostname.domain.edu   hostname

edit /etc/dhcp3/dhclient.conf (if the computer is using DHCP, add the
following lines)
  send host-name  "MYCOMPUTER";
  supersede domain-name "domain.local domain.edu";
/sbin/dhclient

If you use statically assigned IP addresses, edit /etc/resolv.conf
 domain domain.local
 search domain.local domain.edu

edit /etc/nsswitch.conf (modify the following lines)
 passwd: compat  winbind
 group:  compat  winbind
 hosts:  files dns
(msdns, or whatever it is causes lots of problems, I suggest you only use
files and dns for hosts, use whatever else you need)

If you don't want interactive logins to the box, comment out the identified
PAM lines

   - Edit /etc/pam.d/common-account like this:

account sufficient  pam_winbind.so
account required    pam_unix.so


   - Edit /etc/pam.d/common-auth like this:

auth    sufficient  pam_winbind.so  krb5_auth   krb5_ccache_type=FILE
auth    required    pam_unix.so use_first_pass  nullok_secure


   - Edit /etc/pam.d/common-session like this:

session required    pam_mkhomedir.so    skel=/etc/skel umask=0028 #Comment out if no interactive logins
session required    pam_winbind.so
session required    pam_unix.so


   - Edit /etc/pam.d/samba like this:

@include common-auth
auth    required    pam_winbind.so
@include common-account
account required    pam_winbind.so
@include common-session


   - Edit /etc/pam.d/login like this: (no changes needed if no interactive
   logins)

#
# The PAM configuration file for the Shadow 'login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth   optional   pam_faildelay.so  delay=300

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth   required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth   [success=ok ignore=ignore user_unknown=ignore default=die]
pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth   requisite  pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session   required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session   required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth   optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the \`PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomme

Re: [Samba] how to join to AD ? -Annoyed

2009-12-16 Thread mistofeles



mistofeles wrote:
> 
> 
> 
> mistofeles wrote:
>> 
>> I'm installing another Ubuntu 9.10 server from scratch with the advice
>> above.  
>> It seems that you got to install krb5-users and krb5-client to make it
>> work.
>> 
> I spent hours with this. In the end I installed this samba4-bla-bla and
> managed to make 'net' run, 
> 
Okay, this Samba4 seemed to be a dead end. I re-installed some parts of
Samba and 'net' command started to work again.

Some questions:
- Must I log in and 'kinit' with my username, which has rights to join this
device to AD every time I reboot the PC. It seems so.

- Is there some way to make the user permissions work in Samba ?
Now I have to set 707 permissions to user home directory so that he can read
and modify his data. If I make it like this, everyone in the AD can go and
read his files.
Linux has its own system of permissions. Is there any way to make Samba
understand that they should be used and not some system, which is built in
Samba ?

Somebody said that I should keep the system 'KISS'. How is this made ?

-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26809793.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-12-15 Thread Michael Wood
2009/12/14 mistofeles :
>
> I'm installing another Ubuntu 9.10 server from scratch with the advice above.
> It seems that you got to instal krb5-users and krb5-client to make it work.
>
> Here is what I got (not so important):
>
> r...@sandy:# net
> The program 'net' can be found in the following packages:
>  * samba-common-bin
>  * samba4-clients
> Try: apt-get install 
> net: command not found
>
> r...@sandy:# dpkg --get-selections  |grep samba
> samba                                           install
> samba-common                                    install
> samba-common-bin                                install
> samba-doc                                       install
>
> r...@sandy:# whereis net
> net: /usr/src/linux-headers-2.6.31-16/net
> /usr/src/linux-headers-2.6.31-16-generic-pae/net /usr/bin/net.samba3

This is what it should look like:

$ ls -l /usr/bin/net
lrwxrwxrwx 1 root root 21 2009-12-05 17:51 /usr/bin/net -> /etc/alternatives/net
$ ls -l /etc/alternatives/net
lrwxrwxrwx 1 root root 19 2009-12-05 17:44 /etc/alternatives/net ->
/usr/bin/net.samba3
$ ls -l /usr/bin/net.samba3
-rwxr-xr-x 1 root root 5258980 2009-10-01 16:45 /usr/bin/net.samba3

So I think that on your machine, the /etc/alternatives links are not
set up for the "net" command.

Try this:

$ sudo update-alternatives --auto net

-- 
Michael Wood 


Re: [Samba] how to join to AD ? -Annoyed

2009-12-15 Thread mistofeles



mistofeles wrote:
> 
> I'm installing another Ubuntu 9.10 server from scratch with the advice
> above.  
> It seems that you got to install krb5-users and krb5-client to make it
> work.
> 
I spent hours with this. In the end I installed this samba4-bla-bla and
managed to make 'net' run, but managed not to make a connection.
In this time my previous servers started to give unnumbered and undocumented
error messages.
I really wonder, if there is any way to make Samba work.
There is too much undocumented material. New versions of programs are
dripping in all the time and nobody seems to know how to make it work.
I'm a professional with computers meaning that I have had possibilities and
time to work with this. I just wonder how a normal user manages with this
mess.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26793428.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-12-14 Thread mistofeles

I'm installing another Ubuntu 9.10 server from scratch with the advice above.  
It seems that you got to install krb5-users and krb5-client to make it work.

Here is what I got (not so important):

r...@sandy:# net
The program 'net' can be found in the following packages:
 * samba-common-bin
 * samba4-clients
Try: apt-get install 
net: command not found

r...@sandy:# dpkg --get-selections  |grep samba
samba                                           install
samba-common                                    install
samba-common-bin                                install
samba-doc                                       install

r...@sandy:# whereis net
net: /usr/src/linux-headers-2.6.31-16/net
/usr/src/linux-headers-2.6.31-16-generic-pae/net /usr/bin/net.samba3

-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26775751.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-12-07 Thread Diego Zuccato

mistofeles wrote:

> There are these lines in smb.conf and I have found no good information about
> them:
>  idmap uid = 1-200
>  idmap gid = 5000-200
>
>  idmap config MY_DOMAIN:range = 1000 - 3

If you want to avoid troubles, keep the values coherent. In a
single-domain, if you don't need a consistent mapping of the users
across different clients (for example to have multiple clients access a
NFS server) you can keep the range quite limited. If you need consistent
mapping, you can use RID backend -- but you'll have to use a wide range
to avoid collisions.

> It seems that the users get their local UID / GUID as 1 / 5000 or above
> as set in 'idmap uid' and 'idmap gid'.
>
> What is the meaning of this 'idmap config MY_DOMAIN:range' and how should I
> set it ?

The same as idmap uid. Or just remove that line.

> I have a right to join a PC to our domain. Before I could do that, I had to
> adduser myself in my server with the username I have in the domain. After
> that 'kinit' and 'net ads join' work.

Try using
kinit user.n...@full.uppercase.realm

After that, you'll use "net ads join -U user.name"

> BTW: is krb5 necessary for the authentication ?

pam_krb5 is not -- winbind handles it. But it needs krb5 client libs.

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it


Re: [Samba] how to join to AD ?

2009-12-04 Thread mistofeles

I reinstalled the system and tried to follow the guidelines above.

One thing:
There is these lines in smb.conf and I have found no good information about
them:
 idmap uid = 1-200  
 idmap gid = 5000-200  

 idmap config MY_DOMAIN:range = 1000 - 3

It seems that the users get their local UID / GUID as 1 / 5000 or above
as set in 'idmap uid' and 'idmap gid'.

What is the meaning of this  'idmap config MY_DOMAIN:range' and how should I
set it ?

We have a rather large domain of about 30,000 users. My own server will
have max 100 users.
Is there some preferred values to set on those lines above ?
I have no administrator rights to the AD.

===
Another thing.
I have a right to join a PC to our domain. Before I could do that, I had to
adduser myself in my server with the username I have in the domain. After
that 'kinit' and 'net ads join' work.

BTW: is krb5 necessary for the authentication ?
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26635903.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-29 Thread Diego Zuccato

mistofeles wrote:

> I have but two Linux users in the server: root and myself. If I try to add
> one, Samba checks the user from the AD and doesn't want to adduser or
> useradd any, who already is in AD.

Right.
Use domain tools to add users to domain.
And keep different names for domain and local users (at least till
you've figured out EXACTLY how it works!).

> I have logged in my WinXP as myself and I see my linux directory as
> \\server\myself

You shouldn't. You should access /home/DOMAIN/myself instead of
/home/myself, UNLESS you've setup permissions in a "strange" way (as
said in other posts, with all domain users mapped to a single Linux user).

> If I now write \\server\myfriend to the address line of My Computer, I get
> another icon '\\server\myfriend' (registered user). Behind this icon is the
> directory \\server\myself. So, now I have two ways to get in to my
> directory. If I try \\server\another_friend (registered user), I get again
> to my directory and on the top level I have icons \\server\myself and
> \\server\another_friend. Icon \\server\friend has disappeared.

I don't understand why you get another icon in any case, unless you've
setup home dirs to always point to the same user's home.

> I build in linux a directory /home/minime. In my Win7 box I log with name
> mini_me (registered user) Now I can see dir \\server\mini_me as it should be
> and not any other users dir. Praise goods its friday.

Is mini_me mapped to another Linux user?

You're messing things a lot. Maybe it's better if you restart, keeping
separate users for Linux and domain.
Then setup (with winbind) PAM to let domain users login to the Linux box,
with homes in /home/DOMAIN/user .
The really important thing to remember is that YOU HAVE TO KEEP DOMAIN
UIDs/GIDs in a well-defined range, out of the range used for standard
(local Linux) users.

Given this, you'll have a solid starting point to experiment from.
Follow the KISS principle.

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it
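Both of Diego's replies above come back to the same point: the idmap range has to be coherent across the idmap parameters and must not collide with the uids local Linux accounts use. The script below is an added example (not code from this thread or from the Samba project) that checks exactly that from copies of smb.conf, /etc/passwd and /etc/login.defs. The sample files embedded in it, and every uid and range in them, are constructed for the example; the "good" configuration places one identical range above UID_MAX, the "bad" one starts inside the local account range, as in the 1000-based values the thread discusses.

```python
"""Check that Samba idmap ranges stay clear of local Linux accounts.

Added example; not code from the thread or from the Samba project.  It parses
smb.conf, /etc/passwd and /etc/login.defs as plain text, so it runs offline on
copies of those files or on the constructed samples below.  Checks: each range
is well-formed, no range overlaps UID_MIN..UID_MAX or an existing local
account, and every per-domain "idmap config DOMAIN:range" agrees with "idmap uid".
"""
import re
import sys
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# --- constructed samples (uids and ranges are made up for this example) ---
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
myself:x:1000:100:Me:/home/myself:/bin/bash
barack:x:1001:100:Barack:/home/barack:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SAMPLE_LOGIN_DEFS = "UID_MIN 1000\nUID_MAX 60000\n"

SMB_CONF_BAD = """[global]
   workgroup = MY_DOMAIN
   security = ads
   idmap uid = 1000-20000
   idmap gid = 5000-20000
   idmap config MY_DOMAIN:range = 10000 - 30000
"""
SMB_CONF_GOOD = """[global]
   workgroup = MY_DOMAIN
   security = ads
   idmap uid = 100000-200000
   idmap gid = 100000-200000
   idmap config MY_DOMAIN:range = 100000 - 200000
"""

_GLOBAL_RE = re.compile(r"^idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)
_DOMAIN_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """Map each idmap parameter name to its (low, high) range."""
    ranges: Dict[str, Range] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = _GLOBAL_RE.match(line)
        if m:
            ranges[f"idmap {m.group(1).lower()}"] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _DOMAIN_RE.match(line)
        if m:
            ranges[f"idmap config {m.group(1)}:range"] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_local_uids(passwd: str) -> Dict[str, int]:
    """Account name -> uid for every well-formed passwd line."""
    users: Dict[str, int] = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_login_defs(login_defs: str, default: Range = (1000, 60000)) -> Range:
    """UID_MIN/UID_MAX from login.defs; the Debian-style default is assumed when unset."""
    lo, hi = default
    for line in login_defs.splitlines():
        m = re.match(r"^\s*(UID_MIN|UID_MAX)\s+(\d+)", line)
        if m and m.group(1) == "UID_MIN":
            lo = int(m.group(2))
        elif m:
            hi = int(m.group(2))
    return lo, hi


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(smb_conf: str, passwd: str, login_defs: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges are clean."""
    problems: List[str] = []
    ranges = parse_idmap_ranges(smb_conf)
    local = parse_local_uids(passwd)
    lo_local, hi_local = parse_login_defs(login_defs)
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{name}: lower bound {lo} is above upper bound {hi}")
        if overlaps((lo, hi), (lo_local, hi_local)):
            problems.append(f"{name} {lo}-{hi} overlaps local UID_MIN-UID_MAX {lo_local}-{hi_local}")
        for user, uid in local.items():
            if lo <= uid <= hi:
                problems.append(f"{name} {lo}-{hi} already contains local account {user} (uid {uid})")
    global_uid = ranges.get("idmap uid")
    for name, rng in ranges.items():
        if name.startswith("idmap config") and global_uid and rng != global_uid:
            problems.append(f"{name} {rng[0]}-{rng[1]} differs from idmap uid {global_uid[0]}-{global_uid[1]}")
    return problems


if __name__ == "__main__":
    # usage: idmap_check.py [smb.conf passwd login.defs]; with no arguments the samples are checked
    if len(sys.argv) == 4:
        conf, pw, defs = (open(p).read() for p in sys.argv[1:4])
        report = check_idmap(conf, pw, defs)
    else:
        report = check_idmap(SMB_CONF_BAD, SAMPLE_PASSWD, SAMPLE_LOGIN_DEFS)
    print("\n".join(report) or "no idmap problems found")
```

On the bad sample the report lists six findings: the `idmap uid` range overlaps the local range and already contains `myself` and `barack`, the `idmap gid` and per-domain ranges also overlap the local range, and the per-domain range differs from `idmap uid`. The good sample produces no findings.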


Re: [Samba] how to join to AD ?

2009-11-27 Thread mistofeles

Still some more fun

I have but two Linux users in the server: root and myself. If I try to add
one, Samba checks the user from the AD and doesn't want to adduser or
useradd any, who already is in AD.

I have logged in my WinXP as myself and I see my linux directory as
\\server\myself
If I now write \\server\myfriend to the address line of My Computer, I get
another icon '\\server\myfriend' (registered user). Behind this icon is the
directory \\server\myself. So, now I have two ways to get in to my
directory. If I try \\server\another_friend (registered user), I get again
to my directory and on the top level I have icons \\server\myself and
\\server\another_friend. Icon \\server\friend has disappeared.

I build in linux a directory /home/minime. In my Win7 box I log with name
mini_me (registered user) Now I can see dir \\server\mini_me as it should be
and not any other users dir. Praise goods its friday.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26543400.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-27 Thread Diego Zuccato

mistofeles wrote:

> From Diego came this email:
> Wrong solution for what's really not a problem.
> You should map the samba user to 'myself'. Or, even better, place both users
> in a group and have /home/myself owned by myself:commongroup and 770.
> --
>
> Mistofeles:
> Either I have missed something, or it doesn't work as I expected.
> Still the directory got to be like this:
> drwx---rwx 4 myself users 4096 2009-11-27 14:14 .

This way ANY Linux user could read and write it.

> I changed the permissions and group, and now it is RW from WinXP:
> drwxrwx--- 4 myself domain users 4096 2009-11-27 14:14 .

This way only domain users (not Linux users, unless you manually add'em
to "domain users" group) can access that directory.

> All the subdirectories or files are with permissions and groups built like
> this:
> -rwx-- 1 myself domain users 0 2009-11-27 14:14 hello.txt

Must be rw-rw or only "myself" can access it!

> I still wonder, what to do, if we have to allow new users to be linux users
> in this server.

Where's the problem?
Samba users are seen as normal users, with their uid and gid being
provided by samba rather than by files in /etc ...

> I'd rather use the original Linux groups (barack:users) and permissions
> (700) here to keep the users out of the data of the other users.

Why? Unless you map every Samba user to the same uid, that directory
won't be accessible by them, and I think that's not what you're looking for.
Have a look at how permissions work... You'll see what I mean.
"others"="users with an uid and a gid different from the ones of the
file"...


--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it


Re: [Samba] how to join to AD ?

2009-11-27 Thread mistofeles

From Diego came this email:
Wrong solution for what's really not a problem.
You should map the samba user to 'myself'. Or, even better, place both users
in a group and have /home/myself owned by myself:commongroup and 770. 
--
Mistofeles:
Either I have missed something, or it doesn't work as I expected.
Still the directory got to be like this:
drwx---rwx 4 myself users 4096 2009-11-27 14:14 .

I changed the permissions and group, and now it is RW from WinXP:
drwxrwx--- 4 myself domain users 4096 2009-11-27 14:14 .

All the subdirectories or files are with permissions and groups built like
this:
-rwx-- 1 myself domain users 0 2009-11-27 14:14 hello.txt

I still wonder, what to do, if we have to allow new users to be linux users
in this server.
I'd rather use the original Linux groups (barack:users) and permissions
(700) here to keep the users out of the data of the other users.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26541917.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-26 Thread mistofeles



mistofeles wrote:
> 
> Now I managed to join my server to AD, when I debugged once more the
> files.:jumping:
> Many thanks to you !
> 

There is still one small problem. My WinXP can mount my home from the server
OK.
BUT the permissions of my /home/myself must be 707, if I want to see, create
or save files or folders there while working at the WinXP. 700 is not
enough.
(I might find a solution myself, but I think there is some others, who want
to see this too)
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26535987.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-26 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of mistofeles
> Sent: Thursday, November 26, 2009 8:08 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] how to join to AD ?
> > Windows already uses IPv6 as the primary protocol; Microsoft actually
> > implements most new features as IPv6-only.
> >
> I have my reasons to 'hate' IPv6. I know that it is coming, but just
> now it is causing troubles.
> We have a rather slow public part in our network, where our students
> can use net without joining their private computers to the AD. Mostly they 
> have
> either WVista or W7 in their laptops. For some reason M$W is broadcasting
> the IPv6 calls all the time. The public net is full of that kind of
> calls and the net has no space for the real data. There is some modifications
> to firewalls under work, which will block these M$W IPv6 calls.

Actually, your best bet to solve this might be to turn IPv6 ON. It's most 
important to turn on on your router.

The reason MS is broadcasting IPv6 all the time is that IPv6 is trying to 
autoconfigure - basically, the IPv6 equivalent of looking for a DHCP server. 
That fails not because the machines can't find an IP address (autoconfiguration 
takes care of that in IPv6) but because they can't find a default gateway. So 
basically the workstations continually try to figure out their IPv6 
configuration and generate a lot of traffic talking to each other "hey, are you 
the default gateway? - No" "What about you, are you my default gateway? - No"

The default gateway is resolved through a router advertising daemon - radvd in 
Linux -, which you don't have. With that, the workstations will stop this 
broadcasting (actually, it's multicasting - there is no broadcasting in IPv6) 
as soon as they have a valid IP address and default gateway. I recommend an 
additional DHCP server because that also lets you set a DNS server (without a 
DHCP server, name resolution is by mDNS - basically, broadcasts). Even with a 
DHCP server, you still need radvd (or the equivalent on your actual router) 
because DHCPv6 does not let you set a default gateway.



Re: [Samba] how to join to AD ?

2009-11-26 Thread mistofeles


Kevin Keane-2 wrote:
> 
>> an unbelievable long list of packets and options I have seen no mention
>> anywhere. Now it seems that I got to rip the packet open and check it
>> thoroughly ?!?
> 
> Probably not. Samba should already be compiled correctly on most
> distributions. It's actually not all that bad. 
> 
You are right. Ubuntu deb seems to be OK.
I didn't even need OpenLDAP

Kevin Keane-2 wrote:
> 
> The remaining items Jason mentioned are configurations for recompiling
> Samba.
> 
It seems that all the parts needed are in the deb and there is no need to
recompile in this kind of simple cases.

Kevin Keane-2 wrote:
> 
> 
> mistofeles wrote:
>> 
>>> The only thing I'm sure, I will not include, is this damned IPv6.
>> 
> You might want to rethink this. Expect in about two years a cutover on the
> Internet, similar to the recent conversion of broadcast TV to HDTV. We are
> getting very close to the point where Internet providers won't give you
> IPv4 addresses any more but IPv6 addresses.
> 
> Windows already uses IPv6 as the primary protocol; Microsoft actually
> implements most new features as IPv6-only.
> 
I have my reasons to 'hate' IPv6. I know that it is coming, but just now it
is causing troubles.
We have a rather slow public part in our network, where our students can use
net without joining their private computers to the AD. Mostly they have 
either WVista or W7 in their laptops. For some reason M$W is broadcasting
the IPv6 calls all the time. The public net is full of that kind of calls
and the net has no space for the real data. There is some modifications to
firewalls under work, which will block these M$W IPv6 calls.

Thank you for your comments.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26531533.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-26 Thread mistofeles

Now I managed to join my server to AD, when I debugged once more the
files.:jumping:
Many thanks to you !

Next step will be that I'll minimize smb.conf and try to write some
documentation to my own pages of this case.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26526963.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] how to join to AD ?

2009-11-25 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of mistofeles
> Sent: Wednesday, November 25, 2009 1:52 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] how to join to AD ?
> 
> 
> 
> Jason Gerfen-2 wrote:
> >
> > ADS server type will allow domain authentication for samba
> directories
> > You will need Samba which provides winbindd, sasl, openldap,
> kerberos.
> > Samba should be configured with ads, acl, ldap, kerberos, pam,
> winbind
> > options if you are building from source.
> > I would configure it with the following options for optimum
> scalability:
> > kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline,
> winbind,
> > ads, async, automount, doc, examples, fam, quotas, selinux, swat,
> syslog.
> >
> 
> - Huh. In the beginning I thought all that is needed is packed into the
> samba package, which is installed with 'apt-get install samba'. Your list
> contains an unbelievably long list of packages and options I have seen no
> mention of anywhere. Now it seems that I have to rip the package open and
> check it thoroughly ?!?

Probably not. Samba should already be compiled correctly on most distributions. 
It's actually not all that bad. The remaining packages are simply packages that 
Samba uses. I don't know about your distribution, but OpenSuSE (and most other 
distributions) will automatically pull in all the required packages as 
dependencies.

Winbindd is part of Samba itself (but often split into a separate package). 
Kerberos and sasl are required because Active Directory uses Kerberos for 
authentication. Rather than reimplement it, Samba uses the Kerberos and sasl 
libraries others already wrote. Similarly, openldap is what everybody in the 
Linux world uses to access LDAP servers - Active Directory is an LDAP server.

The remaining items Jason mentioned are configurations for recompiling Samba.

> The only thing I'm sure, I will not include, is this damned IPv6.

You might want to rethink this. Expect in about two years a cutover on the 
Internet, similar to the recent conversion of broadcast TV to HDTV. We are 
getting very close to the point where Internet providers won't give you IPv4 
addresses any more but IPv6 addresses.

Right now, IPv4 is still the better choice (because Windows XP and Samba both 
only have limited IPv6 support). Of course you can still run IPv4 on your 
private network, but at some point it will be as quaint as trying to run IPX 
today.

Windows already uses IPv6 as the primary protocol; Microsoft actually 
implements most new features as IPv6-only.

> It seems odd in my eyes, that you can set samba make the tasks we ask
> it
> just editing the smb.conf file, if we set 'security = user', but
> checking
> the passwords from an external server needs editing and installing so
> many
> files.
> I'm not very enthusiastic to compile anything.

In my experience (OpenSUSE) no compiling is necessary, but you do have to tell 
Kerberos where to look for authentication. I also had to configure PAM, but I 
think that was for something different, not Samba.



Re: [Samba] how to join to AD ?

2009-11-25 Thread Diego Zuccato

Jason Gerfen wrote:


auth       sufficient   pam_winbind.so

[...]

auth       sufficient   pam_krb5.so use_first_pass

[...]

account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so

Why are you using both pam_winbind and pam_krb5 ? Shouldn't winbind 
already handle krb5 auth?


--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it


Re: [Samba] how to join to AD ?

2009-11-25 Thread mistofeles


Jason Gerfen-2 wrote:
> 
> ADS server type will allow domain authentication for samba directories
> You will need Samba which provides winbindd, sasl, openldap, kerberos.
> Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
> options if you are building from source.
> I would configure it with the following options for optimum scalability:
> kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
> ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.
> 

- Huh. In the beginning I thought all that is needed is packed into the samba
package, which is installed with 'apt-get install samba'. Your list contains
an unbelievably long list of packages and options I have seen no mention of
anywhere. Now it seems that I have to rip the package open and check it
thoroughly ?!?
The only thing I'm sure, I will not include, is this damned IPv6. 
It seems odd in my eyes, that you can set samba make the tasks we ask it
just editing the smb.conf file, if we set 'security = user', but checking
the passwords from an external server needs editing and installing so many
files.
I'm not very enthusiastic to compile anything. 


Jason Gerfen-2 wrote:
> 
> In gentoo linux the following will give you everything you need:
> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads
> async automount doc examples fam quotas selinux swat syslog" \
> emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl ntp
> samba -va
> 
Got to go through this and check what is there already in the Ubuntu samba
deb package :(


Jason Gerfen-2 wrote:
> 
> Here are a few file configuration examples to get you going:
> /etc/krb5.conf
> /etc/nsswitch.conf
> /etc/samba/smb.conf
> /etc/pam.d/system-auth
> ===
> #%PAM-1.0
> auth   required pam_mount.so
> . . .
> session    optional pam_krb5.so
> ===
> I hope that helps. Also if you look at the pam configuration above you 
> will see some of the best pam modules to install with the ubuntu package
> manager.
> 
Do you mean by 'module' for example pam_krb5.so ?
I thought they are built into the deb package.

Thank you.
It will take me a day to go through all that you recommend.


Re: [Samba] how to join to AD ?

2009-11-25 Thread Jason Gerfen

mistofeles wrote:
We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain. 
There is no X nor web browser in the server.

I have rights to join machines to the domain, but I'm not an Administrator.
There are about 10 users in this server, who want to authenticate with domain
passwords when they mount their home directories to WindowsXP workstations.
The ssh passwords should be local and separated from domain passwords.
The server should not try to play any master roles.
Just deliver directories to windows.

  

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2560147

ADS server type will allow domain authentication for samba directories

We have tried this for about a month and gone through many books, web pages
and forums. 
  

You will need Samba which provides winbindd, sasl, openldap, kerberos.

Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
options if you are building from source.


I would configure it with the following options for optimum scalability:
kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.


In gentoo linux the following will give you everything you need:

%> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads async 
automount doc examples fam quotas selinux swat syslog" \
   emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl 
ntp samba -va



After reading Samba documentation we don't even understand what programs we
need. In some documents we are told to use PAM, LDAP, krb or winbind. In
some documents you are advised NOT to use this if you are using that.  It is
a total chaos.

Is there any example of a working case like this ?
Is there any script which takes care of the configuration ?
  

Here are a few file configuration examples to get you going:

/etc/krb5.conf


[libdefaults]
   default_realm = DOMAIN.COM

[realms]
   DOMAIN.COM = {
   kdc = 192.168.xxx.xxx
   }

[domain_realm]
   .domain.com = DOMAIN.COM

[logging]
   default = FILE:/var/log/krb5.log

[appdefaults]
   pam = {
   ticket_lifetime = 365d
   renew_lifetime = 365d
   forwardable = true
   proxiable = false
   retain_after_close = true
   minimum_uid = 0
   }

=

/etc/nsswitch.conf
=

passwd:     compat winbind
shadow:     compat
group:      compat winbind

# passwd:   db files nis
# shadow:   db files nis
# group:    db files nis

hosts:      files dns wins
networks:   files dns

services:   db files
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   files
bootparams: files

automount:  files
aliases:    files

==

/etc/samba/smb.conf
Change anything with DOMAIN.COM to match your own domain
==

[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   server string = servername.domain.com
   netbios name = servername

   password server = *
   encrypt passwords = true
   security = ads

   lanman auth = no
   ntlm auth = no

   os level = 20

   allow trusted domains = yes
   auth methods = winbind

   interfaces = eth0, lo
   bind interfaces only = yes
   socket options = TCP_NODELAY

   # add more subnets if needed (comments must be on their own line)
   hosts allow = 192.168.xxx.xxx/24
   hosts deny = 0.0.0.0/0

   log level = 40
   log file = /var/log/samba/log.%m
   max log size = 50

   client signing = yes
   client schannel = no
   client use spnego = yes
   client lanman auth = no
   client NTLMv2 auth = yes
   client plaintext auth = no

   preferred master = no
   local master = no
   domain master = no
   wins proxy = no
   dns proxy = No

   obey pam restrictions = yes

   template shell = /bin/bash
   nt acl support = yes
   inherit permissions = yes
   create mask = 0022
   template homedir = /home/Authenticated Users/%U

   winbind uid = 1000-200
   winbind gid = 500-200
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind use default domain = yes
   winbind offline logon = true
   winbind nss info = rfc2307

   idmap uid = 1000-200
   idmap gid = 500-200
   idmap domains = DOMAIN
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:default = yes
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1000 - 3

[classes]
   comment = Class software
   browsable = yes
   writeable = no
   create mask = 0022
   force create mode = 0022
   directory mask = 0022
   force directory mode = 0022
   inherit permissions = yes
   path = /path/to/share

[staff]
   comment = Staff 

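As an added illustration (not code from Jason's post or from the Samba project), a small Python checker that reads an smb.conf like the one above and flags what a reviewer looks at on an AD member: security = ads, the LanMan/NTLM/plaintext switches, a trailing comment on hosts allow (smbd ignores only whole-line comments, so the text becomes part of the value), and an idmap range whose low end is above its high end. The configuration inside is a constructed sample with hypothetical values.

```python
import re

# Constructed sample modelled on the smb.conf posted above; values are hypothetical.
SAMPLE_SMB_CONF = """
[global]
   realm = DOMAIN.COM
   security = ads
   lanman auth = no
   ntlm auth = no
   client plaintext auth = no
   hosts allow = 192.168.1.0/24 #add more subnets if needed
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 1000 - 3
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: section -> {normalised key: raw value}. Like smbd
    it skips only lines that start with '#' or ';'; a later '#' stays in the value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_global(conf):
    """Return findings for the [global] section of an AD member server."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for Kerberos domain authentication")
    # Require an explicit 'no': the default for these differs between Samba versions.
    for key in ("lanman auth", "ntlm auth", "client plaintext auth"):
        if g.get(key, "").lower() != "no":
            findings.append(f"{key} is not explicitly 'no'; weak auth may be accepted")
    if "#" in g.get("hosts allow", ""):
        findings.append("hosts allow has a trailing '#' comment that smbd reads as part of the value")
    for key, value in g.items():
        if key.startswith("idmap config") and key.endswith(":range"):
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if not m or int(m.group(1)) >= int(m.group(2)):
                findings.append(f"{key} = '{value}' is not an ascending low-high range")
    return findings
```

Run it against the real file with `audit_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` and review each finding alongside `testparm -s`.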
[Samba] how to join to AD ?

2009-11-25 Thread mistofeles

We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain. 
There is no X nor web browser in the server.
I have rights to join machines to the domain, but I'm not an Administrator.
There are about 10 users in this server, who want to authenticate with domain
passwords when they mount their home directories to WindowsXP workstations.
The ssh passwords should be local and separated from domain passwords.
The server should not try to play any master roles.
Just deliver directories to windows.

We have tried this for about a month and gone through many books, web pages
and forums. 
After reading Samba documentation we don't even understand what programs we
need. In some documents we are told to use PAM, LDAP, krb or winbind. In
some documents you are advised NOT to use this if you are using that.  It is
a total chaos.

Is there any example of a working case like this ?
Is there any script which takes care of the configuration ?