Ubuntu Servers :: Samba Share Using Domain User/group In Valid Users?
May 20, 2010
I have Ubuntu server 10.04 joined to a domain using Likewise Open. I can login using my domain credentials and have added my domain account to the sudoers file. Now that I've got it joined to the domain I want to add some samba shares and have domain members use their accounts to access them. However, no matter what combination of my domain name and the domain user or group I use in the valid users field it won't let me in. What's the proper way of inputting a domain user or group in the valid user field?
This is the entry I'm using for the share:
path = /srv/testshare
valid users = @"Domain Name+Domain Group" (Have tried many things here)
public = no
writable = yes
printable = no
create mask = 0765
I have server 9.04 and joined thru winbind to Windows Domain and subversion installed.Windows AD users can use their own credentials to join and everything is working fine.However the group svn which is used to access the repos in /etc/groups has some users.However I would like to add the domain users group to the svn group but the domain users contains Space. And /etc/groups does not happend to read the space any ideas on how to add "domain users" to the svn group in /etc/groups
The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:
I have a couple of user accounts where each member belongs to a group i have created: Each user access the share using their own user account credentials. How can I configure Samba in a way so that each modification done on the share gets the owner of the user and my group instead of the user and the users own group? I would also like the access rights to be 770 to each modification.
In other words, today each modification by "userA" get the owner "userA.userA" and I would like it to be "userA.MyGroup" with "rwxrwx---" permissions.
In my ongoing hunt for a Samba GUI that is feature packed, well supported, easy to use, yet doesn't suck, I found myself tinkering with eBox. I have it installed and fired up but I'm a little confused. I can add a Samba share - okay great. But I sorta need to add users. Where on earth can I add users? The users and group section of eBox doesn't appear to be related to what I need, and I also cannot get into the access control section of the very share I just created.
I feel ashamed for even asking this, since it seems like there's about 3 samba questions here every day. However after an hour of searching, I keep finding strange variants that aren't what I need.
My Goal: Create a single file share on an Ubuntu Server - share it via samba to Windows clients that are on a domain with active directory. It sure would be nice if AD authentication would work - so users don't have to type in a linux user/passsword each time they want to access the share.
In my adventures, I've found the following items (which may overlap)
1. Joining the server to a Windows Domain
2. Turning the server into a Windows Domain Controller
3. Authentication with LDAP (still not quite sure how/what this would do)
4. Stuff with Kerberos
5. Lots of people bickering about Samba 3/4 & how it's impossible to make Samba a PDC.
I'm not sure if I need to make the ubuntu server a domain controller or not...all I want to do is create a file share and share it on the domain...I don't need to make the ubuntu server a domain controller for that, right? Maybe just a member? Maybe nothing at all?
I guess if I want to authenticate stuff correctly (or forward authentication requests? Not sure), I probably need to join the ubuntu server to the domain...I think.
But let's say I do join it to the domain...then how to I create a file share that is authenticated via active directory rather than a local ubuntu server account? I see a dozen guides on joining the server to the domain, but nobody ever mentions sharing the folder over the domain.
The lines are also blurred between joining Ubuntu to the domain and making it a domain controller. What should I keep an eye out to avoid in these tutorials?
I get lost between the Kerberos/LDAP/Samba/WinBind etc...and I have a feeling I don't need all of these for something this simple.
how to map all domain users form group Domain Users to local group users (and maybe some more)? Im using Ubuntu 10.04 x32. Its connected to my domain using Samba and Winbind, I can login using my domain credentials, automatically map user folder form DFS server, but I think that domain users have too much priviledges in the system and want to restrict them as much as possible
How can I set permissions for users within the share? Example: I have a share called Programming and some user can create folders within it most others can not, can read the documents. How do I set permissions?
I've installed Ubuntu Server 7.10 Gutsy and Webmin 1.500 on it. The thing that I want to do is: I want to share a folder an sub folders for windows users ( guest user) I should modify those folders from my ubuntu desktop 9.10 karmic they are all same folders. Is it possible? if yes how can i make it. you can tell from webmin or samba configuration file.
I have setup a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to controll access to shared folders, to avoid bothering AD administrators with groups management. This is my smb.conf global section:
'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that use can access the share, the others get a NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211) User COGITANSalberto not in 'valid users' [2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617) user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)
It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:
I am trying to set up a Samba share on one of my machines where I am the owner and a special group manages permissions for read-only access ( me:specialgroup ). If I log into the share as me, there is no problem (I have read/write privs as per usual). However, I am not able to log into the share using any of the group members (there is only one currently). That user is not able to access the share (failed to mount).
The folder (which is the share) is owned by me:specialgroup and the permissions have been forced down the folder. Samba is set to Share this folder with no guest or others write access.
I want to set a log off script for samba domain users. Actually I am facing a huge temp files related problem. So I want to set a batch file which will run when domain user log off. When user logout then batch file run and delete all temp files.I have already set batch file local group policy and it works for me, but I wants to set it from server side.
I don't know if this is possible... I want that only some of a Windows Domain(Samba) users can to logging in a machine.For example: The user Peter of the domain WORKSPACE can connect to the PC1, but the user Charly of the domain WORKSPACE can not connect to the PC1. How I can implement this?
Im currently using an english book to setup my samba server, and im having problems understanding it.
I dont want to use root to join clients to the domain; i prefer creating a plain user.
Ok, so, the steps i follow are:
net groupmap add unixgroup=srvadmins ntgroup="Server Admins" net groupmap add ntgroup="Domain Admins" unixgroup=dmnadmins rid=512 type=d net rpc rights grant 'ORAServer Admins' seMachineAccountPrivilege
This way, i have a group called srvadmins with permissions to join clients, a group called dmnadmins with permissions to manage users and other permissions, and root.
Now, users: "root", "dmnadmin"(from dmnadmins group) and "srvadmin" (from srvadmins group) can add machines to domain. Root because is root, srvadmin because i granted permissions, and dmnadmin because is admin
So i wonder, why srvadmins group is needed to be granted privileges?
I tryed to lower dmnadmins privileges by revoking semachineaccountprivilege privilege, but didnt worked
net rpc rights revoke 'ORADomain Admins' seMachineAccountPrivilege
looks like its privileges comes from another group and it user managed to add a machine to the domain correctly.
Ok, so, is this really usefull? why do i need 3 kind of users to be able to join to the domain?
I have a samba share setup as the following. When I browse to it from PC's added to my AD domain, they connect instantly. When i browse to it from a laptop that's not part of the domain, i get prompted for login credentials. what credentials should I be putting in? I can't seem to figure it out. or is it because i have the workgroup set to what my AD domain name is, and the laptops aren't part of that domain.
path = /data/photos browseable = yes force user = pictures force group = picturesgroup
If I want to add Windows & Mac users as Samba users, must I first add them all as Ubuntu users? If so, since none of the other users will actually be working on the Ubuntu Server, how do I disable the other non-admin users on the Ubuntu Server login screen. I am using Webmin to administer some server settings, and command line for others.
I have configure few folders access by 3 users, In common folder only users that create that document can do changes. The rest of the users can only read the file but can not do changes. Ownership of the folder is admin, group is sambashare which already have the access create and delete files. All the 3 users already in sambashare main group, and they only can edit the file that they copy or create to the common folder .........
how you allow a domain user to access a smb share when the linux machine (RHEL) that the share is on is on the same subnet as the domain but not joined to it (it has the name of a DC for the domain configured in /etc/hosts.conf also)
want to made 2 users in samba by which windows machine we access share, say user1 has read,execute permission, user2 has read write delete update full permission. we have done user1 configuration as premia user. we need your guideline for user2
we change the smb.conf file # less /etc/samba/smb.conf [global]
how to configure samba share that users from ip pool (for example 192.168.1.200-210) have accest without login and rest users form ip pool (192.168.1.2-199 and 192.168.1.211-254) have to past autorization.
This is the scenario: Active Directory Server = 192.168.0.1 Squid/Dansguardian Proxy Server w/NTLM Auth = 192.168.0.10 The Linux box has been integrated with AD and works fine. Users can authenticate automatically when login the AD or when they access the web through Basic authentication. That part is just fine.
But, when I add a new user, or change a users' primary group, I have to change the 'filtergroups' file in Dansguardian. I tried to make auto this process using the USERMAP and USERMAP2 scripts in [URL].. at the "Extras and Add Ons" section, but both scripts doesn't run properly in Ubuntu if they are not changed. I tried, following the instructions, but got a lot of syntax errors. So, I wrote a very simple script using 'net rpc' to retrieve all users according to the AD Security and Domain Groups. I created an output folder in dansguardian to dump the rpc outputs into files. And read the files to apply filtering groups.
In the office there is a local network with samba+openldap PDC. The local domain name is company.net. The company desided to create a corporate Website on a remote hosting and desided that the site's domain should be company.net which is same as local network's domain name. So now it is not possible to reach that corporate website from within the company's local network because, as I guess, bind9 which is installed on above menioned PDC looks for company.net on a local webserver. Is there a possibility to let people from this local network browse the remote site?
I have currently have opensuse 11.2 installed. I am trying to setup samba shares which you can only access as certain user. Currently looks like the only way I can access these share is use root username/password!
I want to which GUI I need to use to setup this up properly. And of course what setting to exactly to use.
I installed Samba on CentOS, create a principal share called "public" . I want to populate this share with subfolders, and to grant access rights to specific folders for specific users. The content of "public" will be visible for all Samba users, but they will have read/write access only to the specified subfolders based on my security policy. I need the best way for doing this kind of stuff...
I've a few group shares setup with samba and a PDC (using windows 7 clients) and the home directory for each user gets mounted automatically. I've configured group shares and only members of the respective group have access to them, but my question is how do I tell samba to automount group shares based on the user group?
I've been reading for a while about samba but I haven't found a solution to my problem yet.I'd like to know if, the configuration I have in mind, is possible at all ("security = user" is what I'm using now).I want a directory to be: 1) read only for guests and some UNIX users; 2) write for some other UNIX users.
The advantage of this configuration would be that every single user in my LAN (with or without a UNIX account) would be able to read the content of the shared directory Music and I (UNIX user andrea) could manage the folder directly trough samba preserving the correct owner/group and permissions on the new files/folder created.
Notes about my configuration above: 1) as it is now every user gets authenticated by samba as nobody so even I (andrea) cannot write in it; 2) commenting out the line "guest ok = yes" I can authenticate as "andrea" and write in it but guest access is not possible any longer.