- Join the server to the domain
- Allow domain admins to be Ubuntu Server administrators
- Allow Windows clients in domain groups access to Samba shares
Thanks to this post for helping with this portion. The steps are:
sudo apt-get update
sudo apt-get install likewise-open
sudo domainjoin-cli join fqdn.of.your.domain Administrator
sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start
Ubuntu Forums to the rescue... thanks, gotee12. This will allow members of the Domain Admins AD group to issue sudo commands. From a command prompt:
- visudo
- Add this line to the resulting file:
%YOURDOMAINNAME\\domain^admins ALL=(ALL) ALL
Note the caret symbol (^) substituting for the space in the group name.
Goal #3: Allow Windows Clients in Domain Groups to Access Samba Shares
*** UPDATE *** My friend Chris got the plumbing to wire up Likewise Open with Samba figured out. Good grief, this was opaque:
http://chrplunk.blogspot.com/2008/06/allow-windows-clients-in-active.html
Now you have to set up your shares. The shares are defined as individual text files under /var/lib/samba/usershares. Create a file in this folder named with the name of the share (e.g. "test") and contents like the following, but be careful--match the spaces and casing with nothing extra, and **make sure the file name is in all lowercase regardless of the casing of the share name**:
#VERSION 2
path=/path/to/shared/folder
comment=
usershare_acl=<Group SID>:<access modifier>
guest_ok=y
For example:
#VERSION 2
path=/testShare
comment=
usershare_acl=S-1-1-0:F
guest_ok=y
(S-1-1-0 is Everyone.)
To get the SID of the group that will have access, for the usershare_acl row, execute:
wbinfo -n "DOMAIN\group"
The access modifiers after the group SID are as follows:
- R - read-only
- F - full access
- D - deny access
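As an added example (mine, not from the original post), here is a small Python audit that parses usershare files in the format above and checks the rules the post spells out: the #VERSION 2 header, the four keys, an all-lowercase file name, and SID:modifier entries using only R, F or D. It then flags the permissive cases, Everyone (S-1-1-0) with full access and guest_ok=y. The sample share definitions are constructed; the first mirrors the post's testShare example, the other two, including the domain SID, are made up.

```python
import re

# Constructed sample usershare files, keyed by file name under /var/lib/samba/usershares.
# "testshare" mirrors the post's example; "finance" and "Broken" are made up (SID included).
SAMPLE_USERSHARES = {
    "testshare": "#VERSION 2\npath=/testShare\ncomment=\nusershare_acl=S-1-1-0:F\nguest_ok=y\n",
    "finance": (
        "#VERSION 2\npath=/srv/finance\ncomment=Finance team\n"
        "usershare_acl=S-1-5-21-1111-2222-3333-1105:F,S-1-1-0:D,\nguest_ok=n\n"
    ),
    "Broken": "#VERSION 2\npath=/srv/broken\nusershare_acl=S-1-1-0:X\nguest_ok=y\n",
}

REQUIRED_KEYS = ("path", "comment", "usershare_acl", "guest_ok")
# One ACL entry: a SID, a colon, and one of the modifiers the post lists (R, F, D).
ACL_ENTRY = re.compile(r"^(S-1-(?:\d+-)*\d+):([RFD])$")
EVERYONE = "S-1-1-0"  # well-known SID for Everyone, as the post notes


def parse_usershare(text):
    """Parse one usershare file into a key -> value dict. Strict: no extra lines allowed."""
    lines = text.splitlines()
    if not lines or lines[0] != "#VERSION 2":
        raise ValueError("missing '#VERSION 2' header line")
    fields = {}
    for line in lines[1:]:
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        fields[key] = value
    return fields


def parse_acl(acl):
    """Split 'SID:mode,SID:mode,' into (sid, mode) pairs; a trailing comma is tolerated."""
    entries = []
    for item in acl.split(","):
        if item == "":
            continue
        m = ACL_ENTRY.match(item)
        if not m:
            raise ValueError(f"bad ACL entry: {item!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def audit_usershare(filename, text):
    """Return a list of findings for one share file; an empty list means nothing to report."""
    findings = []
    if filename != filename.lower():
        findings.append("file name is not all lowercase")
    try:
        fields = parse_usershare(text)
    except ValueError as exc:
        return findings + [f"parse error: {exc}"]
    for key in REQUIRED_KEYS:
        if key not in fields:
            findings.append(f"missing key: {key}")
    if "usershare_acl" in fields:
        try:
            for sid, mode in parse_acl(fields["usershare_acl"]):
                if sid == EVERYONE and mode == "F":
                    findings.append("Everyone (S-1-1-0) has full access")
        except ValueError as exc:
            findings.append(f"parse error: {exc}")
    if fields.get("guest_ok") == "y":
        findings.append("guest_ok=y: unauthenticated access allowed")
    return findings


def audit_all(shares):
    """Audit a {filename: contents} mapping, e.g. read from /var/lib/samba/usershares."""
    return {name: audit_usershare(name, text) for name, text in shares.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_USERSHARES).items():
        print(name, "->", findings or "ok")
```

On a real box you would feed `audit_all` the contents of each file in /var/lib/samba/usershares; the post's own example is reported exactly because it grants Everyone full access and enables guest access, which is the combination to look for when reviewing what a server is exposing.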
chmod -R 0777 /path/to/shared/folder
If anyone knows how to get the group security to work at the folder level so it need not be world-writable, I'd appreciate a comment. I tried:
chgrp -R 'DOMAIN\group' /path/to/shared/folder
chmod -R 2770 /path/to/shared/folder
...but I kept getting access denied.
*** UPDATE 2 *** I had to grant read access to everyone for the usershares folder to avoid 'cannot stat' errors by ordinary users:
chmod o+r /var/lib/samba/usershares
Original post for this section follows:
Oooh, I haven't managed to get this one to work. I can issue successful commands like the following while logged on to the Ubuntu machine with my domain credentials:
smbclient -k -L //dmsc01
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
        Sharename       Type      Comment
        ---------       ----      -------
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
So SOMETHING's working, but I can't manage to get remote machines to connect to hosted shares. I've tried the following smb.conf (key lines included):
workgroup = mydomain
security = ads
realm = MYDOMAIN.LOCAL
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /dev/null
template shell = /bin/false
winbind separator = \
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind nested groups = yes
#=====================Shares====================
[tmp]
path = /tmp
browseable = yes
writeable = yes
guest ok = no
All I get when attempting to connect, however, is errors like the following in the client logs:
[2008/05/05 10:27:14, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/05/05 10:27:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
And from the log.winbindd-idmap:
[2008/05/05 10:25:11, 1] nsswitch/idmap_tdb.c:idmap_tdb_alloc_init(397)
idmap uid range missing or invalid
idmap will be unable to map foreign SIDs
[2008/05/05 10:25:11, 0] nsswitch/idmap.c:idmap_alloc_init(750)
ERROR: Initialization failed for alloc backend, deferred!
Any ideas?
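An added example for triaging logs like the ones above (my code, not from the post): Samba 3 writes each entry as a bracketed header line, with timestamp, debug level and source location, followed by one or more indented message lines, so a parser has to pair header and messages before it can key an alert on an NT_STATUS code or on the idmap subsystem. The sample log is constructed from the post's own excerpts.

```python
import re

# Sample log text constructed from the post's excerpts (client log, then log.winbindd-idmap).
# Samba indents continuation lines; the parser accepts them with or without the indent.
SAMPLE_LOG = """\
[2008/05/05 10:27:14, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
  ads_secrets_verify_ticket: failed to fetch machine password
[2008/05/05 10:27:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/05/05 10:25:11, 1] nsswitch/idmap_tdb.c:idmap_tdb_alloc_init(397)
  idmap uid range missing or invalid
  idmap will be unable to map foreign SIDs
[2008/05/05 10:25:11, 0] nsswitch/idmap.c:idmap_alloc_init(750)
  ERROR: Initialization failed for alloc backend, deferred!
"""

# Header shape: [YYYY/MM/DD HH:MM:SS, level] source_file:function(line)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] ([^:\s]+):(\w+)\((\d+)\)$"
)
NT_STATUS = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")


def parse_samba_log(text):
    """Group each header with the message lines that follow it until the next header."""
    entries = []
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {
                "time": m.group(1), "level": int(m.group(2)), "file": m.group(3),
                "function": m.group(4), "line": int(m.group(5)), "messages": [],
            }
            entries.append(current)
        elif current is not None and raw.strip():
            current["messages"].append(raw.strip())
    return entries


def find_status_errors(entries):
    """(time, function, NT_STATUS code) for every entry whose messages report an NT status."""
    hits = []
    for e in entries:
        for msg in e["messages"]:
            for code in NT_STATUS.findall(msg):
                hits.append((e["time"], e["function"], code))
    return hits


def find_idmap_entries(entries):
    """Entries from the idmap code, where the 'unable to map foreign SIDs' problem surfaces."""
    return [e for e in entries if e["file"].startswith("nsswitch/idmap")]


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    print(find_status_errors(parsed))
    print([(e["function"], e["messages"]) for e in find_idmap_entries(parsed)])
```

Run over the post's excerpts this yields one logon failure from reply_spnego_kerberos and two idmap entries, one of them at debug level 0, which is the level Samba uses for errors and therefore the one worth alerting on.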
Assuming you (or other readers) have likewise-open and samba installed, try this:
in smb.conf, set
security = user
save and restart samba
in Nautilus, rt-click the folder you want to share, and pick Sharing Options.
Check the appropriate boxes and click Create Share.
seems to work well in a limited way.
Shawn, any chance you could post your working smb.conf?
Hi.
I'm sorry, maybe I did something wrong, but there's no /usr/centeris directory containing anything regarding idmap on my system.
I'm running Ubuntu Server Hardy 8.04 with Likewise Open, installed via apt-get.
Could you give me a hand? Thanks! Actually, I want to put access control on files using AD groups, and allow access to samba shares using AD groups as well. When using a line like:
usershare_acl=S-1-1-0:F
in my smb.conf, samba complains since it doesn't understand usershare_acl.
(subscribing to comments)
Jürgen, just follow the instructions on the centeris bit exactly--the path doesn't exist, but you're going to link it there so it looks like it does.
Hi Arthur,
did you manage to give access to a shared folder just to an AD group?
I have been trying doing it a week but I cannot find the solution.
Any help will be appreciated.
Thanks