LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 10-31-2011, 05:07 AM   #1
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Samba File Serve & Win Domain Users


Hello,
I want to run a file server with Samba where domain users can only change (rw) their files. How can I implement it?

Best Regards,
Hesaum
 
Old 10-31-2011, 09:03 AM   #2
Passmossis
LQ Newbie
 
Registered: Jul 2011
Location: USA
Distribution: RHEL 6.5
Posts: 28

So you want to integrate your Linux Samba into a Windows 2003/2008 Active Directory?
 
Old 11-01-2011, 01:41 AM   #3
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Original Poster
Yes, I want domain users to be able to access the file server on Linux Samba; I want to replace the Windows file server with a Linux file server.

Best Regards.
 
Old 11-01-2011, 09:58 AM   #4
Passmossis
LQ Newbie
 
Registered: Jul 2011
Location: USA
Distribution: RHEL 6.5
Posts: 28

One of your first steps is to ensure kerberos is able to authenticate with your Active Directory. I'm familiar with RHEL config file layout, so that's what I'll be listing.

You want to update /etc/krb5.conf.

An example of this file:
Code:
[libdefaults]
         default_realm = ATHENA.MIT.EDU
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
         dns_lookup_kdc = true
         dns_lookup_realm = false
     
[realms]
         ATHENA.MIT.EDU = {
             kdc = kerberos.mit.edu
             admin_server = kerberos.mit.edu
             master_kdc = kerberos.mit.edu
             default_domain = mit.edu
         }
         EXAMPLE.COM = {
             kdc = kerberos.example.com
             kdc = kerberos-1.example.com
             admin_server = kerberos.example.com
         }
     
[domain_realm]
         .mit.edu = ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
          
[logging]
         kdc = SYSLOG:INFO
         admin_server = FILE=/var/kadm5.log
In your krb5.conf you need to update your default_realm, entries under [realms], and [domain_realm]. Keep in mind your character case matters, your realm is always upper case.

Once you have a good krb5.conf, you can test it by

Code:
kinit user@ATHENA.MIT.EDU
Again, case matters. Also ensure the clocks between your kdc and this system are within 5 minutes of each other. Once you are able to establish a kerberos ticket you are ready to move onto the samba integration. You can verify the authentication was good by typing klist, and clear the current kerberos authenticated tickets with kdestroy.



Once you have this working post back, and I'll help you set up the Samba config.
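Before running the kinit test described above, it helps to catch the mistakes the post warns about (realm in the wrong case, a realm that has no [realms] block, a [domain_realm] mapping to an undefined realm) without touching the KDC at all. The following is an added example, not code from the thread or from MIT Kerberos: a small parser for the krb5.conf layout shown above plus static checks over it. The sample configuration is constructed and deliberately faulty. It also raises one caveat the post does not: the DES and 3DES enctypes in the example file are deprecated (RFC 6649 and RFC 8429; MIT krb5 dropped single-DES in 1.18), so a current KDC will refuse or discourage them and AES should be used instead.

```python
"""Static sanity checks for a krb5.conf before trying kinit (added example)."""
import re

# Constructed sample, deliberately containing several problems to report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = athena.mit.edu
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_kdc = true
        dns_lookup_realm = false

[realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            admin_server = kerberos.mit.edu
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .example.com = EXAMPLE.COM
"""

# Enctype name prefixes that RFC 6649 / RFC 8429 deprecate (DES, 3DES, RC4).
WEAK_ENCTYPE_PREFIXES = ("des", "arcfour", "rc4")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a 'NAME = {' block
    inside a section becomes a nested dict under NAME."""
    conf = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf


def check_krb5_conf(conf):
    """Return a list of 'CODE: detail' findings; an empty list means clean."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("NO_DEFAULT_REALM: [libdefaults] has no default_realm")
    else:
        if default_realm != default_realm.upper():
            findings.append(f"REALM_CASE: default_realm {default_realm!r} must be upper case")
        if default_realm.upper() not in realms:
            findings.append(f"REALM_UNDEFINED: default_realm {default_realm!r} has no [realms] block")

    # Without a kdc line the realm only works if DNS SRV lookup is enabled.
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[-1].lower() == "true"
    for realm, settings in realms.items():
        if realm != realm.upper():
            findings.append(f"REALM_CASE: [realms] entry {realm!r} must be upper case")
        if isinstance(settings, dict) and "kdc" not in settings and not dns_kdc:
            findings.append(f"NO_KDC: realm {realm} lists no kdc and dns_lookup_kdc is off")

    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                findings.append(f"DOMAIN_REALM_UNDEFINED: {domain} maps to unknown realm {realm}")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(key, []):
            for enctype in value.split():
                if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
                    findings.append(f"WEAK_ENCTYPE: {key} lists deprecated enctype {enctype}")
    return findings


def kinit_principal(user, conf):
    """Build the 'user@REALM' principal the post tests with; the realm part is
    forced to upper case because Kerberos compares realms case-sensitively."""
    realm = conf["libdefaults"]["default_realm"][0]
    return f"{user}@{realm.upper()}"


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_krb5_conf(parsed):
        print(finding)
    print("test with: kinit", kinit_principal("user", parsed))
```

Run it against your own file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; the clock-skew requirement the post mentions (KDC and client within 5 minutes) still has to be checked separately, for example by comparing `date` on both machines or pointing the client at the domain's NTP source.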
 
Old 11-01-2011, 12:35 PM   #5
pma083
LQ Newbie
 
Registered: Oct 2009
Posts: 5

Quote:
Originally Posted by Passmossis View Post
One of your first steps is to ensure kerberos is able to authenticate with your Active Directory. [...] Once you have this working post back, and I'll help you setup the Samba config.
I'm done with this part, can you help me out with the samba part?
Thanks in advance!
 
Old 11-02-2011, 08:43 AM   #6
pma083
LQ Newbie
 
Registered: Oct 2009
Posts: 5

Quote:
Originally Posted by pma083 View Post
I'm done with this part, can you help me out with the samba part?
Thanks in advance!
Never mind. Just an FYI: if someone has the same project ahead, execute the #authconfig command and that's all!

Peace.
PMA
 
Old 11-04-2011, 05:00 AM   #7
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Original Poster
Hello,
I implemented Kerberos auth on Debian Linux; now I want to install Samba. What configuration do I need?

Best Regards,
 
Old 11-04-2011, 06:01 AM   #8
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,188
Blog Entries: 4

Quote:
Originally Posted by hesisaboury View Post
Hello,
I want to run a file server with Samba where domain users can only change (rw) their files. How can I implement it?

Best Regards,
Hesaum
As I guess you want to configure a samba server
Code:
#yum -y install samba
Code:
#vi /etc/samba/smb.conf

workgroup = (your workgroup)
hosts allow = 127. 192.168.0. (give the IP range of your network)

(at the bottom)
[share name]
        comment = share
        path = /path/to/file/
        valid users = abc xyz john etc
        writable = yes
        create mask = 0766
        browseable = yes
and also give 766 permission to the file which you will share in samba to give rw permission to groups and others
 
Old 11-04-2011, 09:11 AM   #9
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Original Poster
thanks for your reply,
but my users are Windows domain users and authentication must be done by ADS. Does the Samba config work with ADS?

Best Regards.
 
Old 11-04-2011, 09:27 AM   #10
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,188
Blog Entries: 4

Quote:
Originally Posted by hesisaboury View Post
thanks for your reply,
but my users are Windows domain users and authentication must be done by ADS. Does the Samba config work with ADS?

Best Regards.
I have not tried it with ADS, but I did a little Googling and here is what I found

http://www.linuxmail.info/active-dir...amba-centos-5/

You can try this
 
Old 11-04-2011, 11:53 AM   #11
Passmossis
LQ Newbie
 
Registered: Jul 2011
Location: USA
Distribution: RHEL 6.5
Posts: 28

pma083, is your kinit user@domain functioning? You got me confused.


hesisaboury, if you have your kerberos able to authenticate to your ads then you are 1/3 the way there!

I do not have my config files here, so I will be shooting from the hip on some of this. Here are some lines you will need in your smb.conf:

Code:
   workgroup = DOMAIN
   realm = DOMAIN.INTERNAL
   password server = domainserver.domain.internal
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   winbind use default domain = Yes
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   obey pam restrictions = yes
   idmap uid = 1000-20000
   idmap gid = 1000-20000
   template shell = /bin/bash
   allow trusted domains = no
   idmap backend = idmap_rid:acme=16777216-33554431
That is at least a start, I am sure to be missing something though. Once you feel your smb.conf is ready to join the domain, you can attempt to join by:

Code:
net ads join -U Administrator@$FQDN_OF_YOUR_DOMAIN
Remember to restart your Samba service after modifying your /etc/samba/smb.conf.
Code:
service samba restart

Administrator can be any admin account on your domain, but must be an admin. If that is successful then your samba is now able to act as a member of your domain. This doesn't mean you are finished with the configuration.

Last edited by Passmossis; 11-04-2011 at 11:55 AM. Reason: Add service restart.
 
Old 11-05-2011, 08:08 AM   #12
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Original Poster
Hi,
Finally I joined Debian Linux to ADS. I got an error about DNS but it joined successfully:

Code:
root@debian:/home/hesaum# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- POGC
Joined 'DEBIAN' to realm 'POGC.COM'
DNS update failed!
In Active Directory -> Computers I see my Linux host name, and I also used this command for a test:
Code:
root@debian:/home/hesaum# wbinfo -n user1
S-1-5-21-2670042356-3564497424-2797598806-1106 SID_USER (1)

I used your guide (Passmossis) and the following forum:
http://ubuntuforums.org/showthread.php?t=91510

Now I want to know: what should I do next?

Best Regards,

Last edited by hesisaboury; 11-05-2011 at 08:11 AM.
 
Old 11-05-2011, 08:27 AM   #13
Passmossis
LQ Newbie
 
Registered: Jul 2011
Location: USA
Distribution: RHEL 6.5
Posts: 28

You can now share files/folders between Windows and Linux. From here, it's as simple as setting up a share for any other security method. Your active directory users should be able to access it so long as they are referenced in the share.

A tool I use with valid users is @group to specify the windows group (ie administrators) that can access the share.
Code:
[WinAdmin]
path = /Administration/WindowsAdmin/
comment = Windows Administration Files
valid users = @admin
read only = no
guest ok = no
Now on your windows side, logged in as a member of the admin group, you can navigate to \\ip\WinAdmin and access your share.

To mount a windows share to the linux box you can mount the windows share utilizing the cifs format. There is also a specific cifsmount command you can find I'm sure.



You can also setup to allow your windows users to log in to the Linux system directly.
If you are on Ubuntu, I do not know the setup for authentication. I think your link covered it.
As your link describes, you need to update your:
Code:
/etc/nsswitch.conf
Also ensure the winbind/winbindd service is running. I've seen it run under either of those names.



I have not received or seen the DNS error before. Perhaps view your samba log for additional information, being log level 3 should help. You can always increase the log level, but trust me once you go 5 and above it gets really hard to truly see what is going on (to me anyway).

Last edited by Passmossis; 11-05-2011 at 08:30 AM.
 
Old 11-05-2011, 10:35 AM   #14
hesisaboury
Member
 
Registered: Dec 2010
Location: iran
Posts: 167

Original Poster
Hi,

Your guide was helpful, but now I want to know: if users want their own folder (read, write, execute) and others only read, do I have to create folders for every user and set permissions, or are there other ways?

Thank You,
 
Old 11-05-2011, 10:49 AM   #15
Passmossis
LQ Newbie
 
Registered: Jul 2011
Location: USA
Distribution: RHEL 6.5
Posts: 28

You can set up two separate shares that link to the same directory. In one share the user/users can read/write/execute, and for the second share you can set read only.

Here is an example:

Code:
[WinAdmin]
path = /Administration/WindowsAdmin/
comment = Windows Administration Files
valid users = @admin
read only = no
guest ok = no

[WinAudit]
path = /Administration/WindowsAdmin/
comment = Windows Administration Audit
valid users = auditor
read only = yes
guest ok = no
So the first one allows anyone that is a member of the admin group to read/write/execute in the /Administration/WindowsAdmin/ folder. The second share allows the active directory user 'auditor' to mount and read the /Administration/WindowsAdmin/ folder. Note the read only flag.
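The share definitions in this thread (the [share name] block in post #8 with its `create mask = 0766`, and the [WinAdmin]/[WinAudit] pair above) all answer the same question: for a given domain user and their groups, which shares are reachable and with what rights. The following is an added example, not code from the thread or from the Samba project: a parser for the smb.conf share layout shown above and an evaluator of the `valid users`, `read only`/`writable` and `guest ok` rules as Samba applies them, plus two reviewer-style findings (a create mask that grants write to "others", and a share with no `valid users` restriction). It goes one step beyond the posts by also honouring `write list`, the single-share way to give some users read-write and everyone else read-only. The configuration is constructed from the snippets above; the [projects] share, the POGC workgroup and the paths are illustrative assumptions.

```python
"""Who gets what on a Samba share, evaluated from smb.conf (added example)."""
import re

# Constructed sample combining the share definitions from the posts above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = POGC
   security = ADS
   hosts allow = 127. 192.168.0.

[share]
   comment = share
   path = /srv/share
   valid users = abc xyz john
   writable = yes
   create mask = 0766

[WinAdmin]
   path = /Administration/WindowsAdmin/
   comment = Windows Administration Files
   valid users = @admin
   read only = no
   guest ok = no

[WinAudit]
   path = /Administration/WindowsAdmin/
   comment = Windows Administration Audit
   valid users = auditor
   read only = yes
   guest ok = no

[projects]
   path = /srv/projects
   read only = yes
   write list = @admin
"""

# Samba treats these as the inverse synonym of 'read only'.
WRITABLE_SYNONYMS = ("writable", "writeable", "write ok")


def parse_smb_conf(text):
    """Return {share: {param: value}}; parameter names are lower-cased with
    inner whitespace collapsed, which is how Samba matches them."""
    conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = conf.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[" ".join(key.lower().split())] = value
    return conf


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _listed(value, user, groups):
    """True if user or one of groups appears in a user-list parameter;
    '@name' (and '+'/'&' forms) denotes a group, a bare token a user."""
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        if token[0] in "@+&":
            if token[1:] in groups:
                return True
        elif token == user:
            return True
    return False


def share_access(conf, share, user, groups=()):
    """'rw', 'ro' or 'none' for user (with their groups) on the named share."""
    params = conf[share]
    groups = set(groups)
    valid = params.get("valid users")
    if valid is not None and not _listed(valid, user, groups):
        return "none"
    if "read only" in params:
        read_only = _is_yes(params["read only"])
    else:
        # Samba's default is read only = yes unless a writable synonym says otherwise.
        read_only = not any(_is_yes(params[k]) for k in WRITABLE_SYNONYMS if k in params)
    if read_only and "write list" in params and _listed(params["write list"], user, groups):
        read_only = False                        # write list overrides read only
    return "ro" if read_only else "rw"


def audit_shares(conf):
    """Findings a reviewer would raise about each file share."""
    findings = []
    for share, params in conf.items():
        if share in ("global", "homes", "printers"):
            continue
        if "valid users" not in params:
            findings.append(f"{share}: no 'valid users'; access is limited only by filesystem permissions")
        mask = params.get("create mask")
        if mask is not None and int(mask, 8) & 0o002:
            findings.append(f"{share}: create mask {mask} lets 'others' write new files")
        if _is_yes(params.get("guest ok", "no")):
            findings.append(f"{share}: guest ok = yes allows unauthenticated access")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share in ("share", "WinAdmin", "WinAudit", "projects"):
        print(share, "john+admin:", share_access(conf, share, "john", {"admin"}),
              "auditor:", share_access(conf, share, "auditor"))
    for finding in audit_shares(conf):
        print("finding:", finding)
```

With `security = ADS` and `winbind use default domain = yes`, the user and group names you pass in are the plain AD names (`auditor`, `admin`); without that setting they carry the domain prefix and separator from your smb.conf, so check with `wbinfo -u` and `wbinfo -g` which form your box resolves before trusting the evaluator's answer.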
 