First off,
Cheers to everyone contributing to this post. I spent the better part of 3-4 days working on setting up a file server and this thread has kept me sane. I pretty much followed this to the T:
Quote:
- shut down smb
- remove /var/cache/samba/* - get rid of prior misconfigured files
- remove /etc/samba/secrets.tdb
- remove host from the ASD domain (done from the windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with kerberos 1.3.1)
- configure /etc/samba/smb.conf - below is the global section of our conf:
# Global parameters
[global]
unix charset = LOCALE
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
domain master = No
wins server = (wins server IP)
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
winbind separator = +
winbind use default domain = Yes
- added 'sambausers' group to samba host
- added 'SambaUsers' group to ASD
- edit /etc/samba/smbusers to include line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary).
I was able to join the domain, I can query users and groups (wbinfo -u or -g), wbinfo -t is successful, I can chown directories to users and groups created on the Windows AD server, and I can even log in locally on the Linux machine using an AD account created on the Windows machine... BUT I'm still having a little issue. I can't seem to modify permissions on shares from a Windows machine. For example:
Right-clicking on a share on a Windows machine and going to the Security tab, I try to remove "Everyone" from the list. As soon as I hit Apply, "Everyone" comes right back. If I try to add a user or group I get "Unable to change permission changes on ***** Access Denied."
The share is owned by the user and I've chmod'ed that dir to 755. Can anyone point me in the direction of where I may have gone wrong?
Here's my Samba config:
Quote:
unix charset = LOCALE
workgroup = DOMAIN
realm = rochester.domain.com
netbios name = PSCFILE01
security = ADS
client signing = yes
client use spnego = yes
server string = PSCFILE01
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = no
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
local master = no
domain master = no
template primary group = sambausers
winbind separator = +
winbind use default domain = no
ldap ssl = no
;security and logging settings
password server = PSCMAIL01.ROCHESTER.DOMAIN.COM
encrypt passwords = yes
domain logons = no
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
interfaces = 10.0.0.3
[new]
path = /home/newfolder
fstype = NTFS
read only = no
browseable = yes
writable = yes
security mask = 0750
acl support = yes
directory mask = 0750
force security mode = 0750
force directory security mode = 0750
directory security mask = 0750
I modified nsswitch.conf as follows:
Quote:
passwd: files winbind
shadow: files winbind
group: files winbind
and krb5.conf as follows:
Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = ROCHESTER.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
ROCHESTER.DOMAIN.COM = {
kdc = PSCMAIL01.ROCHESTER.DOMAIN.COM:88
admin_server = PSCMAIL01.ROCHESTER.DOMAIN.COM:749
default_domain = ROCHESTER.DOMAIN.COM
}
[domain_realm]
.rochester.domain.com = ROCHESTER.DOMAIN.COM
rochester.domain.com = ROCHESTER.DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
One last thing... is an LDAP server necessary for this to work properly?
Any help is greatly appreciated... thanks again!
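The following is an added example, not code from the original post and not Samba's own source. It is a bash script that models what the smb.conf(5) man page says the share parameters "security mask" and "force security mode" do when a Windows client edits permissions in the Security tab: only mode bits inside the mask may be changed, and the force bits are always re-applied. It then scans a constructed smb.conf fragment (mirroring the [new] share above) for settings that defeat such edits. Assumptions: the constructed config text, the mask model taken from the man page description, and the check that flags "acl support" because the documented parameter is "nt acl support".

```bash
#!/usr/bin/env bash
# Added example (not from the original post or from Samba's source).
# Models the smb.conf(5) description of 'security mask' and
# 'force security mode': when a Windows client edits permissions in the
# Security tab, only mode bits inside the mask may change, and the force
# bits are always set. Also scans a share section for settings that
# block such edits. All input below is constructed.
set -u

# Constructed smb.conf fragment mirroring the [new] share in the post.
SMB_CONF='[global]
security = ADS
[new]
path = /home/newfolder
read only = no
acl support = yes
security mask = 0750
force security mode = 0750
directory security mask = 0750
force directory security mode = 0750
'

# share_param CONF SHARE KEY
# Prints the value of KEY (lowercase) inside [SHARE]; prints nothing if unset.
share_param() {
    printf '%s\n' "$1" | awk -v share="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_share = ($0 == ("[" share "]")); next }
        in_share && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# oct MODE -> decimal value of an octal mode given with or without a leading 0
oct() { echo $(( 0${1#0} )); }

# apply_security_mask EXISTING REQUESTED MASK [FORCE]   (all octal)
# Bits outside MASK keep their EXISTING value, bits inside MASK take the
# REQUESTED value, and FORCE bits are set unconditionally. Prints octal.
apply_security_mask() {
    local existing requested mask force
    existing=$(oct "$1"); requested=$(oct "$2"); mask=$(oct "$3"); force=$(oct "${4:-0}")
    printf '%04o\n' $(( ((existing & ~mask) | (requested & mask) | force) & 07777 ))
}

# check_share CONF SHARE
# Prints one line per setting that will defeat ACL edits from Windows;
# returns the number of problems found (0 = nothing flagged).
check_share() {
    local conf="$1" share="$2" mask force aclsup n=0
    mask=$(share_param "$conf" "$share" "security mask")
    force=$(share_param "$conf" "$share" "force security mode")
    aclsup=$(share_param "$conf" "$share" "acl support")
    # Mask with the 'other' bits cleared: the Everyone entry cannot be changed.
    if [ -n "$mask" ] && [ $(( $(oct "$mask") & 07 )) -eq 0 ]; then
        echo "security mask $mask excludes the 'other' bits, so removing Everyone is reverted"
        n=$((n + 1))
    fi
    # Any forced bits are re-applied after every change the client makes.
    if [ -n "$force" ] && [ $(( $(oct "$force") & 0777 )) -ne 0 ]; then
        echo "force security mode $force re-sets those bits on every ACL change"
        n=$((n + 1))
    fi
    # 'acl support' is not an smb.conf parameter; the documented one is
    # 'nt acl support' (testparm reports the typo as an unknown parameter).
    if [ -n "$aclsup" ]; then
        echo "'acl support' is not a Samba parameter; did you mean 'nt acl support'?"
        n=$((n + 1))
    fi
    return "$n"
}

# Walk through the post's scenario: the directory is 0755 and the client
# removes Everyone (i.e. asks for 0750) under the [new] share settings.
echo "mask 0750: $(apply_security_mask 0755 0750 0750)   (Everyone comes back)"
echo "mask 0777: $(apply_security_mask 0755 0750 0777)   (change sticks)"
check_share "$SMB_CONF" new || echo "$? problem(s) found in [new]"
```

Run it as-is to see the two mode calculations and the flagged settings; point share_param and check_share at your own smb.conf text (for example `check_share "$(cat /etc/samba/smb.conf)" new`) to scan a real share section.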