Samba+AD

smart_shell · 03-09-2010, 02:45 AM

Hello, i added users to the group om PDC after it i shared folder on linux server and given permission for users from this group, the folder is showed correct. After it i removed users from group, but the folder is accessible. Where is mistake?
[global]
workgroup = STSCOMPANY
password server = *
realm = STS.LOCAL
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /var/usb2/STSCOMPANY/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
netbios name = storage
server string = Samba Server 3.0
auth methods = winbind
encrypt passwords = yes
printcap name = /etc/printcap
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no
smb ports = 445
time server = Yes
winbind refresh tickets = yes
winbind enum groups = yes
winbind enum users = yes
log level = 1
unix charset = UTF-8
dos charset = cp866
disable spoolss = Yes
show add printer wizard = No
case sensitive = no
default case = lower
preserve case = yes
interfaces = eth0
ldap ssl = no
username map = /etc/samba/smbusers
obey pam restrictions = yes

#============================ Share Definitions ==============================

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[Install]
comment = install
path = /var/usb2
guest ok = yes
writeable = yes
write list = @"sts.local\Domain Admins"
create mask = 0644

[IT Dep]
comment = install
path = /var/usb2/test
writeable = yes
write list = @"sts.local\IT Dep"
browseable = yes
create mask = 0644

Blue_Ice · 03-09-2010, 01:31 PM

2 questions...

- Is this the output of testparm?
- About which share are you talking? I see that you made 3 shares...

smart_shell · 03-09-2010, 10:10 PM

Quote:

Originally Posted by Blue_Ice

2 questions...

- Is this the output of testparm?
- About which share are you talking? I see that you made 3 shares...

[root@storage samba]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Install]"
Processing section "[OS]"
Processing section "[OS1]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

smb.conf

Code:

[global]
        dos charset = cp866
        workgroup = STSCOMPANY
        realm = STS.LOCAL
        server string = Samba Server 3.0
        interfaces = eth0
        security = ADS
        auth methods = winbind
        obey pam restrictions = Yes
        password server = redqueen.sts.local
        username map = /etc/samba/smbusers
        log level = 4
        log file = /var/log/samba/%m.log
        max log size = 0
        smb ports = 445
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        name cache timeout = 0
        printcap name = /etc/printcap
        disable spoolss = Yes
        show add printer wizard = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /var/usb2/STSCOMPANY/%U
        template shell = /bin/bash
        winbind cache time = 1
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        case sensitive = No

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No

[Install]
        comment = install
        path = /var/usb2
        write list = @"STSCOMPANY\Itgroup"
        read only = No
        create mask = 0644
        valid users = @"STSCOMPANY\Itgroup"

krb5.conf

Code:

[root@storage etc]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
 default_realm = STS.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
STS.LOCAL= {
kdc = 10.19.0.220:88
admin_server = 10.19.0.220:749
kpasswd_server =10.19.0.220
default_domain =STS.LOCAL
}

[domain_realm]
.STP.LOCAL = STS.LOCAL
STP.LOCAL = STS.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[root@storage etc]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests

[root@storage etc]# wbinfo -u
administrator
guest
krbtgt
shell
troy
gyb

Please, say how can i give right share for a group of the PDC
thnx

Blue_Ice · 03-10-2010, 04:35 AM

For starters your create mask says that the owner, group and others. I think you might want your create mask to be something like: create mask = 0640. You might also want to put something like that in place for your directory mask.