Ubuntu Servers :: Mapping UNIX Groups To Windows Groups?
Oct 12, 2010
I am currently trying to set up a Samba domain server. In the Samba-HOWTO-Collection I found an example file (section 3.3.3.1). In the explanations of the example below, the author says I need to map UNIX groups to NT groups. He writes a shell script showing how one could do it, but when I copy it and then execute it, I get the error:
Bad option: rid=512
Bad option: rid=513
Bad option: rid=514
The other groups do get mapped, just the Domain Admins, Domain Users and Domain Guests don't. This is the shell script from the HOWTO:
#!/bin/bash
#### Keep this shell script for later use
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins rid=512
net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514
I already know of a workaround to fix this problem, but I guess my question is why is this not working as expected? I am using a Windows Server 2008 R2 Active Directory for authentication.
I have run auth-client-config for the ldap profile and pam-auth-update. When running getent passwd, I get a list of both the local users and the users in the active directory (with populated information in the Unix schema extension). When running getent group I get a list of both the local groups and the groups in the active directory (with populated information in the Unix schema extension).
Interestingly enough, though, when I run su DOMAINUSER, after the prompt for the password I get an authentication error. In /var/log/auth.log I can see an entry with pam_ldap: missing "host" in file "/etc/ldap.conf". The SRV records in the DNS servers resolve correctly. I've checked this with nslookup and I have seen the records within my zone file. Obviously if the ldap.conf file is working with getent and the ldap server is resolving from the SRV records, it is working fine.
The interesting part is that the Windows Server 2008 R2 AD machine shows in the event viewer that there was a successful authentication, yet the Ubuntu box says no. When I add the host within the ldap.conf file, everything works: getent and the actual authentication, either initial login or su.
So I am at the stage of being about to install the basic system and am using a derivation of the package management provided by Matthias S. Benkmann. To this end I am using his useradd and groupadd scripts to update the files:
/etc/passwd /etc/group
My issue is that when I run the commands (created as part of the temporary system when installing coreutils):
Code:
/tools/bin/su linux #then as user /tools/bin/groups
(here linux is the name of the user). This only returns the user being in the group named after the user, but not the additional group 'install'. Also, prior to logging in as the user, if I use this command as root:
Code:
/tools/bin/groups linux
linux install
This then returns that the user is in the correct groups. Lines from relevant files look like:
I have set up a CentOS 5.5 VMware guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with group management. This is my smb.conf global section:
'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (the primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that user can access the share, the others get an NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211) User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617) user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)
[code]....
It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:
Looking for a way to add multiple groups to a folder. This feature is obviously available in most other platforms (Mac, Windows). Why can't I find any reference to this, or better yet, why doesn't this feature exist?
I'm currently running a small server using 9.10 and I wondered if using groups was a possible route in order to keep users away from the bulk of the file system and keep them locked in their home directories.
What I planned to do is use a group named 'allowsystemfiles' to be added to admin accounts, then to set parts of the file system to that group, along with the permissions 0760 to keep non-admin users out.
I successfully configured a VPN using IPsec (Openswan) and xl2tpd, while roughly following this guide (among countless others): [URL]
The VPN-Connection works fine, connecting to it is also a swirl, I can reach all that I want in the network, and also the gateway to the Internet works - everything being routed through that VPN.
Now my problem is actually the next steps, and I didn't succeed finding the right result on any possible search:
a) I want to limit the VPN connection so that it is only used for distinct connections to hosts that aren't in a "company subnet" but whose IPs are publicly available. (Example: the target IP 8.8.8.8 allows per iptables that only my VPN host 1.2.3.4 accesses it via SSH, and thus I can only access that target IP via SSH when I'm on the VPN.) When actually browsing to the Ubuntu website, I want NOT the VPN connection to be used but rather my normal connection (as a reference: I'm on a Windows client, not my choice, btw).
b) I want to have several such "limitations" grouped, and give users 'access rights' to certain hosts (examples: Admin gets access to everything on all ports; Testers get access to some machines on distinct ports; CEO gets access only to the mail server via POP3 or IMAP).
I have Apache up and running and have a few virtual sites enabled. All these sites belong to the same user and group and the directory root for each site is in /home/{same-user}/www/{site-name}/htdocs/
I use Samba to connect from Windows to these directories and by default, files and directories are saved as the {same-user} and {same-group}. My question is, would it cause a problem if I changed the user and group in the virtual server directives in /etc/apache2/sites-available/site.conf files, giving Apache permission to write to these files and directories? In the past I have changed the user and group to www-data (the default) but this seems inefficient and cumbersome compared to what I intend to do.
I use the server mostly for development, although at times I have a small site or two available to the public. Before I do this I want to be sure I'm not leaving a gaping security hole by changing these things. If this is all wrong, what is the standard way of running virtual hosts from apache and what is the standard document root for virtual sites?
I have Ubuntu 10.04.2 (Linux 2.6.32-33-server on x86_64) with OpenLDAP 2.4.21 and Webmin 1.550. I converted my LDAP database from another system with the older style schema (OpenLDAP 2.3.3 with slightly older Webmin version 1.480) and no longer use slapd.conf, but the newer slapd.d format.
It all works fine except for one thing. When I add a new user, it lets me type in the additional LDAP fields:
But when I click the Create button, all the fields get jumbled together in the Title/Position box with a diamond question mark delimiting the fields:
Modifying existing users (which have the Additional fields displaying correctly) also has the same result: it moves the fields all into the one Title/Position box with the diamond shapes with question marks inside between each entry. Is it a problem with my schema files? I tried reverting to the older schema files and slapd.conf and it still did the same thing on the new system. I am really at a loss.
Here is also the output of ldapsearch for that user (host and samba ids are sanitized):
Previously added users that show the fields properly have "description:" and then the field listed for each Additional LDAP field. Also, shouldn't the "title" be visible in plain human-readable text here? It looks like it encrypted it somehow, similar to a password hash. The older system works fine and the fields are all readable and in their proper locations. But the new system just doesn't work right.
The scenario is I have a Windows Server 2003 Domain Controller which runs ADUC. I have created some security groups which I would like to apply to my network shares. The problem is, the majority of my network shares are based on openSUSE machines which, although they are part of the domain, do not allow me to select the Active Directory groups when trying to configure the shares using SMB. Any solution which will allow me to use ADUC security groups?
So I have a fresh install of the server edition of Karmic, and I'm running the Xfce desktop. When I attempt to manage users and groups through the GUI, I am prompted for what I think is the root password. The reason I say this is because the account I am currently logged in with has sudo privileges and it does not accept that password at all, but I read that by default the root account is 'locked' (to be honest it was so long ago since I last installed Ubuntu that I completely forgot if it is or isn't; my current desktop installation has su access). Is it asking for the root password? Why doesn't my current user account password work if the root account is 'locked'? I can perform all other administrative tasks with sudo no problem.
The funny thing is, I have the exact same setup in a virtual machine, and the same problem happens, except for some strange reason after changing the password on the only account (besides root), the password required to administer users and groups stayed the same after the change. (At the time of installation I just put both the user and root password the same, and now that it is set up, I'm now ready to change the passwords.) Except now I read that the root account is locked by default, but this strange problem occurs.
The question is, as far as I know Ubuntu distro adds a user created with useradd to supplementary groups automatically. For instance, I want to enable sudo for all newly created users on my LiveCD and want them to be added to the group 'wheel' on creation. I'm sure it is possible to do it in Fedora, but how?
I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech. I have 2 groups: tech, and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute. I have 4 users: user1, user2, user3, user4. user1 and user2 are members of techAdmin, user3 and user4 are members of tech. Simple so far... but wait, here's the problem. If user1 creates a file inside tech, user2 can't read or modify it because user1 owns it. Here are a few sites that reference this problem:
Samba is up and running on my PC. The PC runs FC12 with KDE. A laptop has Windows Vista. The PC can access the shares on the laptop but the laptop has authentication issues accessing the PC. Note that Windows doesn't enforce authentication for incoming network connections. Using the system-config-samba util I tried to map a Windows user to the Unix user "feduser". The laptop (named LAPPY) has a user (lapuser) which has no password on Windows. What should I tell the Samba config the Windows username should be? lapuser or LAPPY\lapuser doesn't work, because when accessing the PC via the laptop, the authentication fails. The only auth that is successful is when choosing the same Windows username as the Unix username.
Secondly, I'd like to set up the laptop so that the user doesn't have to provide a name and password, or at least not more than once in the lifetime of the laptop. Note that you can't provide an empty password to system-config-samba. How is that possible?
Strange but not really an issue imho: the Samba KDE control module (kcmshell4) (and the smb.conf) shows 2 shares, the home dirs and the data dir; the Samba server configurator (system-config-samba) shows only the data dir.
I am logged in with the account I created with Ubuntu back in 10.4 but I can't do anything with the users and groups management tool. Any ideas what might be wrong? It also doesn't ask to escalate privileges when I run it, which I suspect is part of the issue.
Running 9.04 with Kmail 1.12.2 with KDE 4.3. Akonadi is activated. Everything works except I cannot email to a distribution list. Am using POP3 with SMTP. Comes back with:
Message sending failed since the following recipients were rejected by the server: test@steve-laptop (The server responded: "test@steve-laptop failed to route the address")
So I unchecked the default-domain inside my sending option for SMTP and same thing.
Is there a manual switch or setting in kmailrc? I looked and didn't see anything. Doing the same thing on 3 different computers. Tried searching the net but couldn't find anything.
I'm running 10.10 64-bit and have configured it for root graphical login for administration of the system. When I log in as root, I can run all menu items in System -> Administration with the exception of Users and Groups. When I try running this, the application starts, but I only get an animated spinning disk that doesn't stop; I can't modify the users' properties and I can't close the application unless I go to System -> Administration -> System Monitor -> Processes tab, highlight users-admin and click End Process.
I have a laptop which has no function keys (F1-F12), but does have a row of arbitrary keys at the top (volume control, multimedia, etc.). I've been able to remap these keys using xmodmap (e.g. 'keycode 000 = F1 NoSymbol F1'). However, this means that I lose the original function. Is there a way (using xmodmap or otherwise) to set these keys to produce a different keysym (e.g. XF86AudioRaiseVolume) only when the Super* key is pressed? * I would have preferred Fn, but it doesn't show up in xev so I'm guessing that's not possible.
I have a FTP server (vsftpd), and would like to setup different file permissions for different groups:
-"ftpusers" group should only be able to browse and download.
-"ftpadmins" group should be able to browse, download, AND WRITE (RNFR, RNTO, MKDIR....).
Let's say my main directory is /var/ftp/docs/. It should be accessible by the "ftpusers" group, but only writable by the "ftpadmins" group. Other groups or users may not access it. Which permissions and ownership should I give? My problem is that the dir can't be owned by two groups...
Imported users and groups (UIDs 500 and above) from Red Hat to Ubuntu 9.10 by appending users to the passwd, shadow and group files. Users and groups appear to work, but they do not show in the Users/Groups GUI. Is that because they do not start at UID 1000 and up? What are my options to make them visible?
I upgraded from 8.04LTS to 10.04LTS desktop. I can do sudo as root at the terminal, but I can't pass authentication trying to add a user (System->Administration->Users and Groups).
Here is what I got: An error occurred while checking for authorizations: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. You may report this as a bug.
I'm currently using an NFS server to share data on our small business network. It works a bit faster than Samba, but I do have a problem. NFS takes group IDs from the first 16 groups a member belongs to when mounted; let's not get into how that doesn't make a huge amount of sense.
Since I assigned about 6 different groups to our users internally to control directory access, some internal groups do not pass when mounting the server's files (as Ubuntu has at least 8 or so groups that are system dependent). Is there a way to change the ORDER of the groups a user belongs to? I see that what gets passed to the NFS mount follows exactly the order given when I type "group" when logged in. The groups do not come in alphabetical order or group ID order. I did try changing the order of entries in /etc/group and that also doesn't do anything. Essentially they seem completely random.
I recently tried installing a new version of VirtualBox PUEL version, after uninstalling an earlier version. But the major issue I have now is that I can no longer modify my User Settings. Clicking on the "Authenticate" icon gets me a failure notice: "System policy prevents modifying the system configuration", with details reading "Action: org.freedesktop.systemtoolsbackends.set". Hovering over this link says to click on the link to edit the file, but nothing happens. Searching the file system tells me this file does not exist. Prior to this episode with VirtualBox, I had no trouble modifying Users and Groups. I was able to remove a group from the command line, but I cannot get the GUI authorization to work. I have searched the forums and bugs for similar problems, and, although there appear to be a number of similar issues, nowhere can I find any clear information on how this system is supposed to work, or what I need to do to correct the problem.
I recently installed 10.10 on a Mac Powerbook G4. Everything seems to be working ok, except I cannot access the Users and Groups. If I try to launch it from the terminal I get the following error: "Glib-GIO-ERROR **: Settings schema 'org.gnome.system-tools.users' is not installed"
This is a clean install, with no changes made to the system. I then ran all the waiting updates and am still experiencing this problem.
I am using Ubuntu 10.10 64-bit. I have installed Firefox 4 beta 12 using the Foxtester extension [URL]. I want to know what the keyboard shortcut for Tab Groups is. I have tried both Ctrl + Space and Ctrl + e but neither of them work.
Just getting started in Linux (Fedora 9) and have several questions. First, what book would be best to start the learning process? I have looked at Fedora 9 and Enterprise and the newest Fedora 10 with Enterprise and these seem to be aimed at networking setups which I do not have. Also, in adding users and groups, which I have done (I think successfully), when I use the newgrp command and try to access a file I have saved under a group with two members, the file does not show in the ls command.
Users are jevans in group programmers and cevans in group programmers. In creating the file I did the newgrp programmers command and created the file in the cevans spot, then changed to jevans and newgrp programmers, and the file does not show. So what do I do here, or is my understanding of this incorrect?
I'm setting up a Fedora 11 server for the company of one of my friends. So far so good. But now he has asked me to set up access restrictions to folders through Samba. Now I'm quite familiar with user access policies, even though I'm quite new to the GNU/Linux world. What I want to know is: what is the best way to give and remove, on the go, rwx access for a specific user to a certain folder in a Linux system? Can I create groups for each folder, whose members will have the given permissions? Or do I have to create users for each folder and add to their group the user which I want to give privilege to?