SAMBA


Shares with a space in the name (server or directory)

Replace the space with \040


Configure permissions and ownership for Samba on Linux

2. Change /etc/samba/smb.conf

Originally the share definition looks like this (created with the X Samba configuration tool):
<code class="screen">
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
</code>
We are now going to have a look at the different Samba options...

2.1 security mask

Essentially, zero bits in the security mask may be treated as the set of bits the user is not allowed to change, and one bits are those the user is allowed to change.
If not set explicitly this parameter is <code>0777</code>, allowing a user to modify all the user/group/world permissions on a file.
To make sure that a Windows user can never change the access rights for "other", we define the security mask to be <code>0770</code>:
<code class="screen">security mask = 0770</code>

2.2 create mask / force create mode / directory mode / force directory mode

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file: any bit not set here will be removed from the modes set on a file when it is created. Following this, Samba will bit-wise OR the UNIX mode created from this parameter with the value of the <code>force create mode</code> parameter, which is set to 000 by default. Let's make the following changes to these settings and observe the result by editing a file with UltraEdit's backup option turned on:
First change the <code>smb.conf</code> file:
<code class="screen">
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
</code>
to
<code class="screen">
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
create mask = 0770
force create mode = 0770
directory mode = 0770
force directory mode = 0770
</code>
and restart Samba (<code>/sbin/service smb restart</code>).

Initially the file looks like this:
<code class="screen">
-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21
</code>
After editing it with UltraEdit it now looks like this:
<code class="screen">
-rwxrwx--- 1 sven sven 4881 Nov 6 09:42
-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21
</code>

You can see that UltraEdit still moved the original file to <code>.bak</code> and created a new file (with a new owner and group), but the permissions are as specified in <code>smb.conf</code>.

The problem remains that the file was moved to <code>.bak</code> and the new file was created with user/group <code>sven</code>, preventing any other user from editing the file afterwards (as the permissions are <code>0770</code>).

To get rid of this we will now set the option <code>force group</code> to force the group of any file created in this directory structure to be <code>home_users</code>:
<code class="screen">
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
create mask = 0770
force create mode = 0770
force group = home_users
</code>

(and restart Samba)

Before editing the file the situation looks like this:
<code class="screen">
-rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html
</code>
After editing the file with UltraEdit it is:
<code class="screen">
-rwxrwx--- 1 sven home_users 4883 Nov 6 09:54 index.html
-rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html.bak
</code>
The owner has changed as expected, but the group was set by Samba from the <code>force group</code> option.

In the same way the user can also be forced using <code>force user</code>.
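The mode arithmetic behind <code>create mask</code>, <code>force create mode</code>, <code>security mask</code> and <code>force group</code> as described in this section, written here as an added Python model (not Samba's own code). The base mode 0o666, the user names and the file sizes are constructed to mirror the listings above.

```python
import stat
from typing import Optional, Tuple

def create_mode(base_mode: int, create_mask: int = 0o744,
                force_create_mode: int = 0o000) -> int:
    """UNIX mode Samba gives a newly created file: the mode mapped from the
    DOS attributes is AND-ed with create mask, then OR-ed with force create
    mode. Defaults here are Samba's (0744 / 000); the share above uses 0770."""
    return (base_mode & create_mask) | force_create_mode

def chmod_via_security_mask(current: int, requested: int,
                            security_mask: int = 0o777) -> int:
    """Mode after a Windows client edits permissions in the NT security
    dialog: one bits in security mask may be changed by the client, zero
    bits keep whatever value the file already has."""
    kept = current & ~security_mask & 0o777
    return kept | (requested & security_mask)

def owner_after_create(creator_user: str, creator_group: str,
                       force_user: Optional[str] = None,
                       force_group: Optional[str] = None) -> Tuple[str, str]:
    """Owner and group of a file created through the share, honouring the
    optional force user / force group settings."""
    return (force_user or creator_user, force_group or creator_group)

def ls_mode(mode: int) -> str:
    """Render a regular file's mode the way the ls -l listings above show it."""
    return stat.filemode(stat.S_IFREG | mode)

def ultraedit_save(force_group: Optional[str] = None) -> Tuple[str, str, str]:
    """Reproduce the experiment above: sven's editor writes a new file into
    karin's share. 0o666 is a constructed base mode (a plain file with no
    DOS attributes); the share sets create mask and force create mode to
    0770. Returns (mode string, owner, group) of the new file."""
    mode = create_mode(0o666, create_mask=0o770, force_create_mode=0o770)
    user, group = owner_after_create("sven", "sven", force_group=force_group)
    return ls_mode(mode), user, group

if __name__ == "__main__":
    print(ultraedit_save())                          # without force group
    print(ultraedit_save(force_group="home_users"))  # with force group
    # a Windows client asking for 0777 on a 0770 file under security mask 0770
    print(oct(chmod_via_security_mask(0o770, 0o777, 0o770)))
```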


join AD with likewise-open (ubuntu 8.04 server)

ict-freak.nl/2008/10/26/how-to-ubuntu-in-a-windows-domain/

chrplunk.blogspot.com/2008/06/allow-windows-clients-in-active.html

ubuntuforums.org/showthread.php

sudo apt-get update
sudo apt-get install likewise-open
sudo domainjoin-cli join fqdn.of.your.domain Administrator
sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start

1) $> sudo apt-get install samba winbind
Though you probably have samba installed already.

2)
$> cd /usr/lib/samba/idmap/
You might have to make the idmap directory
$> sudo ln -sf /usr/lib/likewise-open/idmap/lwopen.so

3) Now modify the samba config file, so it contains the following (in addition to whatever else you want)

$> vim /etc/samba/smb.conf
security = ads
workgroup = enter workgroup from /etc/samba/lwiauthd.conf here
realm = enter realm from /etc/samba/lwiauthd.conf here
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999


4)
mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
ln -s /etc/samba/secrets.tdb /var/lib/samba/secrets.tdb

5)
$> sudo /etc/init.d/samba restart
$> sudo /etc/init.d/winbind restart

 

join AD and samba (ubuntu 8.04 server)

ubuntuforums.org/showthread.php

 

CHECK SYSTEM TIME BEFORE JOIN!!!!!

ntpdate timeserver

configure ntpd to systematically update the time!!!!

 

Step 1: Install the Required Packages

apt-get install krb5-user
apt-get install winbind samba

Step 2: Edit the /etc/krb5.conf File

[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
#################################################################
My file is:
[libdefaults]
default_realm =IT.GETRAG.COM
clockskew = 900
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
IT.domain.COM = {
kdc = 10.18.1.122:88
admin_server = 10.18.1.122:749
default_domain = IT
kpasswd_server = 10.18.1.122:88
}
[domain_realm]
.it.domain.com = IT.domain.COM
it.domain.com = IT.domain.COM
.IT = IT.domain.COM
[login]
krb4_convert = true
krb4_get_tickets = false


Step 3: Edit /etc/samba/smb.conf
[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
#################################################################
My file is:
[global]
workgroup = IT
realm = IT.Domain.COM
netbios name = itb-s0039
server string = %h server (Samba, Ubuntu)
wins support = no
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
password server = itb-s0022
encrypt passwords = true
guest account = nobody
invalid users = root
template homedir = /home/%D/%U
template shell = /bin/false
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
preferred master = no
domain logons = no
name resolve order = host lmhosts bcast
wins support = no
dns proxy = no
wins server = itb-s0022
idmap uid = 16777217-33554431
idmap gid = 16777217-33554431
winbind enum users = yes
winbind enum groups = yes
winbind separator = +

 
Step 4:  Edit /etc/nsswitch.conf to look like the example below
passwd:      files winbind
shadow: compat
group: files winbind

#passwd: compat
#group: compat
#shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Step 5: Initialize Kerberos (kinit administrator)
sudo kinit administrator

 Password for administrator@DOMAIN:

sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN

Valid starting Expires Service principal
10/28/08 11:26:08 10/28/08 21:26:11 krbtgt/DOMAIN@DOMAIN
renew until 10/28/08 21:26:08


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Step 6:  Join the system to the AD
sudo net ads join -U domainadminuser@DOMAIN
or
sudo net ads join -U domainadminuser
domainadminuser's password: 
Joined 'hostname' to realm 'DOMAIN'
Step 7:  Test the join to the AD
sudo net ads testjoin
Join is OK
Step 8: restart services 
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
 
Notes:
On joining, to solve this error:
net ads join -U administrator
administrator's password:
Using short domain name -- DOMAIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'hostname' in realm 'DOMAIN'
Failed to join domain: Type or value exists
vim /etc/hosts
127.0.0.1	localhost.localdomain localhost 
ipaddress hostname hostname.DOMAIN
net ads join -U administrator
administrator's password:
Using short domain name -- DOMAIN
Joined 'hostname' to realm 'DOMAIN'
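A pre-join check for the hosts-file condition in the notes above, added here as an example (not from the forum thread): it reads /etc/hosts-style text and reports when the host's FQDN is missing or only maps to a loopback address. Host names, addresses and the domain are constructed.

```python
import ipaddress
from typing import List

# Constructed sample /etc/hosts contents, not taken from any real host.
BROKEN_HOSTS = """127.0.0.1\tlocalhost.localdomain localhost
127.0.1.1\titb-s0039
"""
FIXED_HOSTS = """127.0.0.1\tlocalhost.localdomain localhost
10.18.1.50\titb-s0039 itb-s0039.it.domain.com   # constructed address
"""

def hosts_problems(hosts_text: str, hostname: str, dns_domain: str) -> List[str]:
    """Reasons this /etc/hosts would leave 'net ads join' unable to set
    servicePrincipalNames: the host's FQDN (hostname.dns_domain) must be
    listed on a non-loopback address, and the short name should sit on the
    same line. Returns an empty list when the file looks fine."""
    fqdn = f"{hostname}.{dns_domain}".lower()
    problems: List[str] = []
    fqdn_addrs, short_addrs = set(), set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"unparseable address in line: {raw!r}")
            continue
        names = {n.lower() for n in fields[1:]}
        if fqdn in names:
            fqdn_addrs.add(addr)
        if hostname.lower() in names:
            short_addrs.add(addr)
    if not fqdn_addrs:
        problems.append(f"{fqdn} is not listed in /etc/hosts")
    elif all(a.is_loopback for a in fqdn_addrs):
        problems.append(f"{fqdn} only maps to a loopback address")
    elif short_addrs and not (short_addrs & fqdn_addrs):
        problems.append(f"{hostname} and {fqdn} map to different addresses")
    return problems

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, hosts_problems(text, "itb-s0039", "it.domain.com") or "OK")
```

Run it before `net ads join` with the real host name and the realm in lower case as the DNS domain.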