CentOS 5 Server :: Samba 3.0.33-3.29.el5_5 + Winbind: Cannot Use UNIX Groups As Valid Users For Shares

Sep 11, 2010

I have set up a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with groups management. This is my smb.conf global section:

workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads

[code]....

'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that user can access the share, the others get a NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:

[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)

[code]....

It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Grants and ownership on the '/repositories/shared/finance' folder are

root:domain users with permissions 775


CentOS 5 :: Get System-config-samba To 'see' Winbind Users And Groups

Jul 14, 2009

I have a Samba File Server that can authenticate users in my Windows AD to log into the server. Anyways, I have a good amount of Windows Admins on staff but our org wants to cut budget so our first "slash" as it were is cutting down the actual Windows based File Servers. So my question is, now that I have this test server up and authenticating for logins using Winbind... is there a way I can get system-config-samba to "see" winbind users and groups so that file servers can still be "point and click" for my Windows Admins?


CentOS 5 Server :: Using Winbind With Win2003 R2 AD And Microsoft Identity Management For UNIX For UID/GID Mappings?

Nov 10, 2009

following situation and configuring authentication for Windows users on my CentOS clients please: IHAC WIN2003 R2 Domaincontroller with ALL my users and groups maintained there. For Usermapping (SID to UID/GID) I want to use IMU which is included with WIN2003 R2 srv and extends my Active Directory schema for UID, GID, NIS Domain etc. I now want to authenticate my Windows users on my CentOS clients via their "domainnameusername" and passwords on the CentOS clients.

I also have a NAS server which has usermapping integrated and resolves the Windows SID's to the UID/GID's configured within the IMU schema extensions. Now I have no idea how to set up my CentOS clients to use winbind, PAM and LDAP (IMU supports LDAP queries for UID/GID resolving) WITHOUT needing any Samba Server or functionality.

* Do I need to configure the smb.conf file because my usermapping is done on the NAS Server and I want to resolve my Windows Users/Groups UID/GID's from IMU via LDAP?

* Do I (just) need to Join the AD (2003 native) or even using Kerberos with generating ktpass.exe keytab files (what is needed/recommended and what is the difference?) Can I authenticate the users without using Kerberos?

For e.g. my username is "domainuser_a" and within the IMU the UID is set to "12345", I don't want Samba/winbind to do usermapping again based on the configured values in the smb.conf file. Some hints would be really nice for me to understand how exactly it works and what is needed...


Server :: Samba Shares And The Notion Of Group Of Groups

Feb 9, 2011

this is really a brainstorming thread seeking advice on how to set up some samba shares within a small office network. For the quick judgers:

-no I'm not an IT expert and I'm not even the IT at the office, I just fill in this gap too.
-I have looked into several samba 'by example' tutorials - none seems to fit my needs or answer some of my Qs.

So I seek advice from your experience: What do I know:

-the functionality of the setgid to have subfolders inherit the group owner of the parent folder
-the fact that I don't want samba in 'share' level in order to register the owners of files
-the functionality of acls that enables inheritance of rwx permissions to subfolders of a parent folder.
- the groupmod -o option but that doesn't help apparently.

So this is a 25ppl civil engineer consulting office. The physical groups of ppl working here are: engineers, drafters (those who generate the drawings, I'm not sure if that's the correct term), and secretaries. The job usually is done in the following way: once a project commences a project folder gets generated and everything is done in there. Incoming mail arrives there (secretaries put it there), engineers do their calculations on spreadsheets, write reports and do draft drawings and, finally, drafters take the draft drawings and finalize them. So pretty much everyone of these 3 groups needs write access to the main project folder.

How do I accomplish that? As which group should I create the project folders? It came to mind the notion of group of groups. Now that the actual owner of the file is not so important anymore (several engineers will need to have write access to the folder) and group becomes important, it would be nice to have the ability to add... groups (instead of users) to groups! So that the permissions to a group are inherited by its children groups... Does such functionality exist or can it be implemented somehow?

How do I go about giving access to everyone and at the same time, NOT giving up on the 'user' security level of samba (and NOT just giving rwx permission to 'others')? Is it possible? Or should I instead forget about individuals and match the 'physical groups' to 'linux users' and 'groups of groups' to 'linux groups'? (This means I should give up on ownership of files by individuals)? Since it's a small office some work is mixed - engineers might pick up incoming email, a secretary might do a bit of drafting work etc.


Fedora Installation :: Domain Users Logged Out On Login Using Winbind - Samba

Nov 12, 2010

Have recently setup Samba on a fresh install of Fedora 14 so that I can use it as a workstation in a Windows 2003 (win2k3) domain.

The install of Samba seems to have worked as I can connect to the Domain using ADS and kerberos. selinux and firewall have been disabled until I have it working 100%

The problem lies when I try to login to Gnome or TTY. It begins to create the home directory for the domain user logging in but after a certain process Fedora logs the user out of the system.

Have looked through several log files (/var/log/messages, log.winbindd, log.winbindd-dc-connect) but am unable to debug it any further.

Have posted the config files below which shows the Fedora machine is successfully connected to the domain as it lists its groups, users and validates logon credentials - it just won't logon!

Where I can go about debugging. Also if you need additional configs.


Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.


Server :: CentOS 5.5 - Samba Setup For Two Shares

Dec 4, 2010

Still new to Linux and especially samba. I have set up samba for 2 shares, will list below shares. 1 which requires a login and 1 temp folder which I would like guest access to. Currently I have security = user which works great for the data folder which requires a login. If I try to access temp I get asked for a user name and password as well. I tried to set security = share which then allowed access to temp without a login but also allowed access to the data folder. From the data folder I removed public = yes. I then get asked for a user name and password like I should but the system will not accept it. This is a Centos 5.5 server with a mail server on it.

[data]
comment = Data Folder
path = /home/data/
public = yes
writable = yes
browseable = yes
printable = no
available = yes
write list = glenn,
force create mode = 0660
force directory mode = 0770

[temp]
comment = temp folder
path = /home/temp/
public = yes
writeable = yes
browseable = yes
guest ok = yes
guest only = yes
guest account = nobody
available = yes
force user = nobody
force group = nobody


CentOS 5 Server :: Exim 4.63 5.el5_5.1 Remote EXPLOIT?

Dec 14, 2010

Exim user can get owned by a remote exploit [URL].. I was running Exim 4.63 5.el5_5.1 on CentOS 5.5 x86_64 and my Exim user got owned by that exploit.

Now I ran yum update and exim updated to 4.63 5.el5_5.2. I cannot find anywhere if this update fixes the exploit.


Server :: Samba - Setting Up Shares For Windows Machine On CentOS?

May 10, 2010

Can anyone point me in the direction of setting up shares for windows machines on centos? I have found a few documents but never managed to get it up and running correctly. I need to be able to get access to subfolder etc for different users. Is there any way of doing it with some sort of gui?


Ubuntu Servers :: Mapping UNIX Groups To Windows Groups?

Oct 12, 2010

I am currently trying to set up a Samba domain server. In the Samba-HOWTO-Collection I found an example file (Point 3.3.3.1). In the explanations of the example below, the author says I need to map UNIX Groups to NT Groups. He writes a shell-script of how one could do it, but when I copy it and then execute it, I get the error:

Bad option: rid=512
Bad option: rid=513
Bad option: rid=514

The other groups do get mapped, just the Domain Admins, Domain Users and Domain Guests don't. This is the shell from the HOWTO:

#!/bin/bash
#### Keep this shell script for later use
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins rid=512
net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514

[Code]...


Ubuntu Servers :: Samba Share Using Domain User/group In Valid Users?

May 20, 2010

I have Ubuntu server 10.04 joined to a domain using Likewise Open. I can login using my domain credentials and have added my domain account to the sudoers file. Now that I've got it joined to the domain I want to add some samba shares and have domain members use their accounts to access them. However, no matter what combination of my domain name and the domain user or group I use in the valid users field it won't let me in. What's the proper way of inputting a domain user or group in the valid user field?

This is the entry I'm using for the share:

Code:
[testshare]
path = /srv/testshare
valid users = @"Domain Name+Domain Group" (Have tried many things here)
public = no
writable = yes
printable = no
create mask = 0765


Ubuntu Servers :: Active Directory Domain Integration - Allow Domain Users To Authenticate Server And Access File Shares Using Samba

May 13, 2010

The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:

[Code].....


Networking :: How To Hide Samba Shares From Invalid Users

Jun 8, 2011

I would like to know how I can share a folder with samba so that samba does not show it to those users that have no access to it?


Red Hat / Fedora :: Samba Winbind Authentication With Windows 2003 - Multiple Server?

Jul 3, 2010

I've been searching around the web for help and have been really pulling my hair on this one. I have a Windows 2003 Server w/ AD on it. I have two linux machines, both running the same version of RHEL 5 (compute-1, compute-4)

When I log into compute-1, and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507(BUILTIN+users)
When I log into compute-4, and do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+users)

Notice that the uid and gid are different. How do I get them to be the same? This is affecting the file permissions in certain shared directories. I've checked /etc/samba/smb.conf and they are identical. I also checked /etc/nsswitch.conf and they are identical too.


Ubuntu Networking :: Samba Shares Used In Windows DFS Not Accessible To Remote Users

Feb 7, 2010

We have an existing Windows 2000 network that I am trying to add an Ubuntu 8.04 server to. I have put links into the windows domain DFS to the linux machine's samba shares.

The shares work fine for local users that are physically on the same network (192.168.0.X). Remote users from other offices or dialing in with a vpn client cannot access these particular folders off the DFS. However, they can map them directly from the ubuntu server.


CentOS 5 :: GUI For Managing Users And Groups?

Mar 31, 2010

I have centos 5.4 installed (2.6.18-128.2.1.el5 #1 SMP Tue Jul 14 06:36:37 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux), and I am using WHM/Cpanel to manage my server. I am looking for a GUI utility, so I can graphically manage users/groups.


CentOS 5 :: Windows Users Cannot Change Password On PDC Samba Server?

Sep 3, 2009

I'm using on my smb.conf

# LDAP, NT and LM account synchronization
# unix password sync = Yes
ldap passwd sync = Yes

[code]....


CentOS 5 Server :: Samba Share - Subfolders Users Access

Mar 4, 2010

I installed Samba on CentOS, created a principal share called "public". I want to populate this share with subfolders, and to grant access rights to specific folders for specific users. The content of "public" will be visible for all Samba users, but they will have read/write access only to the specified subfolders based on my security policy. I need the best way for doing this kind of stuff...


CentOS 5 Server :: Centos + Winbind + Cyrus-IMAP

Apr 13, 2010

Recently I configured Postfix with Cyrus-Imap and it all worked fine unless I wanted to allow also AD users to use Squirrelmail. Currently AD users are able to log on to ssh server without any problems.

- wbinfo -u & -g is fine

- testsaslauth - passed

- telnet to localhost 143 + a LOGIN user password - passed

- cyradm shows active mailbox for particular user

imap in pam.d:

#%PAM-1.0
auth include system-auth
account include system-auth


Server :: Possible To Nest Groups For Users?

Dec 23, 2010

Is it possible to nest groups so that users can access directories owned by other groups?


Server :: Add Users To Groups With Ldap?

Jan 18, 2010

how to add users to groups with ldap? Further, could someone point me towards some good command-line management tools? Creating each dn manually is going to get old real fast...


CentOS 5 Server :: How Do I Turn Winbind Authentication Off For Vsftpd

May 25, 2011

How do I turn winbind authentication off for vsftpd? I keep getting these error messages in the /var/log/secure:

vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER.

I already tried remarking out different things in the config files. Is it safe to remark out the winbind stuff in /etc/pam.d/system-auth if we are using the smbclient to connect to a Windows share? Why would you want to use AD to authenticate users for something simple like FTP is beyond me. I merely want it to authenticate against local system users.


Server :: File Access Permissions - Working With Groups And Users?

Sep 15, 2009

Having set up many windows servers with complex permissions on shared folders, I now have to do the same in Linux (and I'm such a noob to Linux). I understand that each file/folder is assigned a user + group, and that the rights can be set for the user, the group and global (aka everybody else). My challenge is this: inside my shared folder there is a folder that should be RW to some users, READ ONLY to others, and not accessible at all to the rest of the users (let's call the folder MyFolder). All 3 groups have more than 1 user, so they have to be groups (right?). How would this model work in Linux? If there is no other way, I guess I can nest the MyFolder in a folder that has permissions to allow all users that may access MyFolder, and block the rest, then on MyFolder, set owner group the RW users, and set global to READ ONLY.

Ps : The server I'm setting up runs Debian Lenny, files will be accessed from windows workstations using samba.


CentOS 5 Server :: Winbind UID GID Maps Are Not Correct From Two Different Servers

Apr 8, 2010

Centos 5.4 64bit fully updated. What I am doing is vsftpd is setup and nfs shares are mounted to a NAS server which is running openfiler 2.3 fully updated. openfiler is winbind to AD and pulling users and groups over.

I have it confirmed working when a ftp users connects the username/password is authenticated against AD which works. User can login and is directed to the users folder on the nfs share.

Openfiler shows me UID and GID numbers for users and groups, centos also shows me UID and GID but they are different which is causing permissions/quota's to not work right.

Both servers are setup with krb and winbind, openfiler has a more recent version of winbind.

Here is an example...

AD Users are

user UID of 160010 as an example
user1 UID 160011

When user logs into the vsftp server it works and chrooted into the directory for that user. When user uploads files I can upload but the UID in the ftp client shows 1600011 which is user1 UID

logging into windows to that share shows in the security tab that user1 uploaded the files.

Centos is mapping user as 160011
openfiler is mapping user as 160010
windows is showing the user1 in the security tab.

So it appears that centos is not mapping the right numbers to the right users and groups.

If you need details please ask for it and I will provide.

Both configs are nearly a match and I have made small changes to the config files smb.conf but it failed to resolve these issues so I reverted back. kinit works with authentication, getent works, wbinfo -a and -u works. wbinfo -u user shows different results on both servers, but authentication works user/password and I tried a different password to test.

Is this a known bug or a silly misconfiguration? I had authentication GUI tool configure the winbind stuff so its all fairly standard on the centos machine and the openfiler gui configure winbind configs.


Server :: Export Unix Users To Mysql?

Jun 15, 2010

Anyway I have a very old Mandrake server where a previous owner hosted mailboxes on. This server is getting very slow and does a lot of e-mail related tasks like:

- pop
- smtp
- mx

It runs on sendmail (which is also very outdated...) and it doesn't seem to respond to its config files. And the whole smtp and mx thing leaves us with some really weird mail problems... So I want to implement it in our current mail setup in which I have it all on separate servers:

- 2 smtp servers (dns round robin) (postfix)
- 4 mx servers (1 etrn) (postfix)
- 1 webmail server (v-webmail) (just apache and connects to the pop/imap server)
- And 1 pop/imap server (postfix, dovecot)

I also want to implement smtp authentication because of all the mobile clients I have to host... This is where it gets tricky.

I want to export the unix user table of the old mandrake server and import that into a mysql database. This database will be used to authenticate the smtp users. I also want the export of the unix users to import it to the other pop/imap server so users can log on to that server instead of the crappy Mandrake server. I would expect that the export from unix users to mysql (including passwords) is the hardest part. I googled it, but some of the stuff I found didn't seem to be very reliable, so that's where you guys kick in :-). So is this possible? If so, how can I do it? I know I should go with some kind of ldap situation but that seems a way bigger hassle than this setup.


Server :: Samba Force Multiple Groups

Jun 21, 2010

I am currently using the following code in order to set a user's primary group in samba.

Code:
force group = +group

This almost does what I need but I was wondering if it is possible to list multiple groups. Something like this would be exactly what I need.

Code:
#If user is in group1 set it as primary group, if in group2 set it as primary.
force group = +group1, +group2

Does anyone know if this is possible or if I could use a script to force the primary group?


Server :: Samba - Groups: Cannot Find Name For Grou?

Feb 2, 2011

I'm having the following problem: I have a machine logging into Win2003, which is working to authenticate. But when any user logs in, it appears some ID's that do not exist.

Example:
root @ ubuntu: ~ # su - nomades
groups: can not find name for group ID 10003

[code]....


Server :: Connect Samba To Unix-like Operating Systems?

Jun 9, 2010

I want to know how to connect it to debian, fedora, mandriva, puppy (or any other distro that's independent and most software needs to be installed with tarballs) and I also want to learn to connect to it with mac os x, and solaris (open solaris)


Server :: File Server For Windows - Mount More Than One Samba Shares As Network Disk

Jun 17, 2011

I want to set up a Linux File Server for a small windows network (around 50 users). I do know that I am gonna need Smb service/pkg for that. I haven't used Samba for a while now and as per the best of my knowledge, entire communication (including usernames and passwords) between a samba server & windows client machines will be plain text. Is there any way to secure all this communication??

Secondly, if I remember correctly, MS windows won't let me mount more than one samba share as network disk when all my shares can be accessed by different smb users with different passwords?? Is there a solution to this problem? OR maybe if there is any other package available for this purpose so that I won't have to use samba?


General :: Administration - Managing SAMBA Shares And Giving User Specific Access For The Shares

Jul 28, 2010

I am working as a Linux administrator in a very small data centre with 5 servers with following routine tasks.

1. Managing SAMBA shares and giving user specific access for the shares.
2. Scheduling backup of some mount points with rsync to store data in remote hard disk
3. User and group administration, with sudo access.
4. Creating and Managing Xen Virtual machines and giving access to other project teams.
5. Automating some tasks with Shell Scripting.
6. Managing FTP server for user uploads.

I have practiced a lot in my home laptop without RHEL training, Cleared RHCE and LPIC1. I want to do some advanced system admin tasks, but do not have option in my current data centre. With Above skills is it possible to get a job ?
