Ubuntu Servers :: Samba Shares Using Active Directory Permissions?
Jul 20, 2010
I am the IT Manager at a research facility. We have a fairly unique network configuration in order to support all of the different projects we have going on. We have Red Hat, Ubuntu, Windows XP/Vista/7, Windows Servers 2003, Ubuntu servers, Red Hat servers, and even a few Netgear ReadyNAS and Buffalo Terastations. Over the last few years, I have been migrating all of my users and accounts to a single ACL list, which I chose to be a Windows AD 2003 server. 95% of my users work on Windows platforms and just use ssh tunnels to develop on our linux boxes.
However, I ran into a problem with our Linux boxes not being able to symbolic link on my Windows 2003 file shares. Of course, this is a problem with Windows not supporting symbolic links. I know 2008 does support this feature, but given the economy and the budget restraints, we cannot afford to purchase the updates we would need, so now I am moving all of my shares to an Ubuntu 10.04 server using Samba. I have joined the server to my AD domain successfully, I can login using my AD credentials, and even assign ownership and group permissions using AD users/groups.
Here is my question.
I would like to keep the AD permission schemes intact. I have several shares that contain folders that have individual permission settings. For example, I have a /shared directory that contains about 50 different folders. Some of these folders I allow my users to write data to, some just read, and others I deny access to complete groups and just allow key groups to access (for example, personnel data should only be accessed by the Administrative staff).
Is there a way to make this work?
I can assign uid and gid manually per folder in Samba, but I would like to have the possibility to add multiple users and groups with permissions to folders, which I do not believe can be done with the standard chown commands. Currently, I can see the folder permissions from my Windows box, but when I try to edit the permission settings, it defaults back to full access. So my AD permissions are not being saved.
The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:
Something that has been in the pipeline at work for a while is user-based web directories. Main PDCs are running Windows Server 2003 using Active Directory, ideally what would happen is that users have a web share under [URL].. - the server behind this would be Linux (either Fedora or CentOS).
What kind of configuration would be needed for Apache to make this possible? The way I have planned so far is to have the Linux box auth against the AD domain (possibly joined), with Apache setup to share local public_html folders. Not sure how I can get rid of the tilde from the start of the username, but it should be pretty easy.
I have ubuntu server 9.04 installed on my computer and I am trying to make a Domain Server. I have made sure that there are no problems in the configuration file. When I go to join the domain in windows 7 it tells me that it cannot find the Active Directory server.
We have a couple of Windows file servers that just share files. It is all they do. We'd like to use Ubuntu on two replacement servers allowing Windows XP and Windows 7 clients to access the files. Our network is active directory based due to Exchange and homegrown .NET apps, so it is important that active directory is used to authenticate the clients. Samba doesn't need to be a pdc or bdc, but provide pass through authentication. I understand that Samba can communicate with active directory through security-ads and security-domain.
Here are my questions to see if I should proceed:
1) Folder permissions: If we move all our files to the Ubuntu server how do we set folder permissions and will we see the active directory accounts when we do this?
2) Skipping ubuntu accounts: I know the domain and ads allow you to skip creating ubuntu accounts, right? If not, how do you keep the passwords synchronized?
3) Easiest way? Is there a very easy way to pull this off that I've missed? My goal is to eliminate the Windows based file servers while ensuring the admin part of it is as easy as possible.
To date I've been able to get the sharing to work with an ubuntu account mirroring the active directory account. I've been able to get Samba to talk to the pdc, but not successfully through domain security. ADS security was a complete cluster with winbindd
I have a Natty headless server that I would like to set up shared directories and grant specific users write permissions. I use a Windows 2008 R2 machine with Active Directory for authentication and have created a group GroupWithWriteAccess which I want to have write access to the shared directory. I want all other users to have read only access. I have edited my smb.conf file with the following
The machine is fully setup to work with Windows authentication and I can access shares from the ubuntu machine, it's just sharing local directories with the correct permissions that I can't work out. So far I can access the files from my other machine, but I do not have write access even though I am logged on as a user who is a member of GroupWithWriteAccess.
My boss has commissioned me with creating a new file server to replace a M$ server that is installed now. We want to go with Linux for many reasons, but one big thing we want to be able to do is still manage permissions using M$ type permissions from our XP desktops rather than unix style permissions. How would this be accomplished on a CentOS box?
I have 3 shares on my samba. I have users - user, manager and boss.
projects is RW to everyone
reference is R to everyone, RW to manager and boss
Proposals is RW only to boss, no access to others
However when boss logs in and creates a directory in projects share, the directory can only be renamed by users and manager, and directory contents are read only for users and managers, even deletion / rename is denied. How can I make sure that whenever boss creates a directory in projects, it retains base folder permissions and is writable to user? This is my samba file... I am using red hat 6.1 with samba 3.5.6 (I think)
I have a freshly installed CentOS 5.4 box which I'm trying to get AD authentication working on. I have AD authentication via kerberos working for SSH, but when I try and have it work for SMB shares I'm getting an access denied error. What's even more odd is that when I tell pam to use winbind to authenticate SSH...it works just fine. wbinfo -a username%password authenticates fine and getent passwd and group enumerates the AD users and groups ok. My smbd.log was throwing the following error "Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE" but has since stopped for some reason, but googling this indicated I needed to re-join the machine to the domain, which I have.
I'm having a problem with Active Directory and Share permissions that I can't seem to figure out. I used likewise-open to join my ubuntu server to a windows 2008 domain. Everything seems to be working fine. The problem is, the only way I can access the shares is if I CHMOD 777 the share directory. If I CHMOD 770, the Domain owner or Domain group member of the directory can't access the directory. Also, when creating a folder within the share, I need to set the directory mask as 777 in order to enter those sub folders.
This morning my NFS shares mount but permissions are all NOBODY NOBODY. If I ssh to the server to check the drive(s) permissions are all as they should be! Exports there are fine as is my local fstab. I hope I am just suffering an update glitch because they usually go away in a subsequent update.
I just spent an hour and a half trying to track it down with no success - time to give up before I do real damage (to which I am prone).
I've been banging my head on this for a week... I finally got AD login working, but I can't get cached logins working. I installed SADMS, let it configure everything, and though I can now login, I still cannot login as my AD username when my machine is not connected to the AD network. I need to be able to login at home, connect to the VPN (if I can ever get that working), then sign on to services at work using my AD username.
Also, I cannot login to local accounts when the system is not connected to the AD network. Plus, home drive mapping is not working, our shares are \FILESERVERuseruser[I]username[I] so this does not work. UPDATE: I installed likewise-open, and now I can't login unless I use the full domain name when logging in via ssh, but I cannot login on the desktop, which is not what I want, now my username doesn't match the previous UID mapping, and my home directory is mapped to /home/likewise-open/DOMAIN/user, instead of /home/DOMAIN/user, like it was before.
All my production PCs are running under an ADC Windows 2008 server. Recently I implemented a file server in CentOS 5. Now I want to integrate Samba (File sharing) using Active Directory so that all access permission to file server comes from AD's permission.
This is (I suspect) a Mac OS issue but they've given no help (or replies!) on Mac forums so I'll ask here. I've just got a Mac and I can connect to shares on my Ubuntu (10.04) server, read files and create directories but I cannot write. I get this error: "The operation cannot be completed because you do not have sufficient privileges for some of the items." I can connect from the command line with smbclient and write fine. I have tried several different users on both the Mac (cannot write) and Ubuntu clients (can write). Is this something to do with the ._filename files that finder creates? Or is there something wrong with the way I've set up my server? This is the first time I've used it with a Mac client.
I have a fresh installation of Ubuntu 10.04 LTS. I have installed Boxee on it, that is all, and I am trying to set it up as a Samba Server. I have followed the instructions on following page: [URL].. On the box that I am trying to setup as a Samba Server using Nautilus I can view the shares no problem. On another Ubuntu box no such luck. I can get to Windows Network and I can see my workgroup. When I try and open the workgroup I get the following dialogue box for some time: Opening "WORKGROUP". You can stop this operation by clicking cancel. And then this error dialogue box:
Unable to mount location. Failed to retrieve share list from server. I have spent some time trying to resolve this myself but have had little luck. As far as I know I have no firewalls in place; Ubuntu does not have one by default, is that correct? At this time I don't have a Windows computer to try to connect to the server, but plan to in the future, that is why I want to use Samba.
I am connecting the two boxes with an D-Link DIR-825 router; both boxes are on the same subnet. Are there settings in the router that could be affecting this?
Last night I updated to 9.10, all good except I can no longer access my samba shares!!
Here is the info from log.smbd after I started it this afternoon
Code:
smbd version 3.4.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/01/12 16:35:57, 1] param/loadparm.c:6355(map_parameter)
  Unknown parameter encountered: "executable"
[2010/01/12 16:35:57, 0] param/loadparm.c:7449(lp_do_parameter)
provide support for a small business that uses Windows machines to access files stored on an Ubuntu server which has just been upgraded from 8.04 to 10.04 (32 bit version). Before the upgrade the users accessed their share by this batch file:
net use x: \\servername\sharename /user:username
This would then prompt the user for his or her password which they would enter to allow them access to the share. Since upgrading to 10.04, the user gets a "system error 58" stating "The specified server cannot perform the requested operation". If the batch file command is changed to:
net use x: \\servername\sharename
The same error message is given. The only work around I have found is to modify the file to read:
net use x: \\servername\sharename /user:username password
This is not ideal at all as it makes the password protection useless. When I performed the upgrade I left the smb.conf unchanged. The smb.conf file is:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
I recently upgraded my ubuntu samba fileserver to 10.04 along with increasing the size of my RAID 1 /home directory. I am using the same smb.conf file setup I have used on intrepid ibis setup and hardy heron setup before that. On my new setup, I can see the ubuntu server on my windows 7 machines, but I can't see the shares and can't access them. In checking the logs (/var/log/samba), one log continues to look for a printer share from one Windows machine that I have not set up on samba yet.
I have found a few people who have reported similar problems online, even a few who have filed bugs, but then they say "my computer started working suddenly. I don't know what happened." so they closed the bug. or "my computer started working after I rebooted my machine." I have rebooted all machines on the network. That doesn't fix it.
I'm having some troubles with my samba shares on a fresh install of Fedora 10 x86_64 on my laptop. The laptop has only the KDE Desktop environment. I'm trying to share between this computer and my homebrew server via a wrt54g linksys router running DD-WRT firmware. The server is running Fedora 9 i386.
The shares on the server can be read by the laptop, and I have been consistently able to mount the server shares on the laptop using mount.cifs, but only when the firewall on the server is down. Shares are only visible between the machines when the firewall is down on the machine containing the share. I set up the shares using the system-config-samba tool, and the firewalls are both set to allow samba server and samba client. I can typically see the laptop from the server, but not the shares, and only when the laptop firewall is disabled. I can access the Laptop shares from the laptop. When trying to mount the laptop shares on the server, a warning message stating that the mount failed appears. Shares show up as correct in both the system-config-samba tool, and the KDE sharing tools. The share shows a "shared" icon in the dolphin browser.
From all that I know, the shares should work perfectly. I've searched the web, perused the man pages and how-to's, and combed through the forums, and everything I've found tells me that the shares should be working. Since they are not working, it leads me to believe that I must have made a mistake somewhere and not noticed it.
I've a few group shares setup with samba and a PDC (using windows 7 clients) and the home directory for each user gets mounted automatically. I've configured group shares and only members of the respective group have access to them, but my question is how do I tell samba to automount group shares based on the user group?
I am running Ubuntu 10.10 and have 5 shares that I have setup for Samba (assume names of share1, ..., share5). I find that shares(2,3,4) are accessible from my MS Windows system, but the share1 and share5 are listed but Windows gives an error accessing them that I may not have permissions. I have reviewed the sharesve the same owner, group, and permissions. Is this a known Samba bug or configuration issue? I have gone through the smb.conf file multiple times as well as examining the directories and do not see what the issue might be.
clean install of Slackware 13.1 64-bit. From day 1 I have been unable to browse Samba servers and shares on my home network. NFS, FTP, SSH, etc all seem to be working fine. I've been updating it regularly in case this was a bug, but I'm not so sure any more.
Reboot in WinXP sp3, I can browse fine. My wife's Win7 laptop works fine. My old Slack 12.2 system worked fine. I have not made any changes to the network other than adding this computer to the mix.
Pentium Dual Core e6700 @ 3.2GHz Asus P5G41T-M/CSM 4GB DDR3 Ram 1 TB Hitachi SATA Gigabyte ATI Radeon HD 5670 1GB Video PCIe
I had an older fedora box (I think it was Core 3) that acted as my file server in my small network (4). It worked fine when I had all XP clients connecting to it. Recently we decided to get all new computers. So now I have a fedora 10 box acting as my file/print server and all Vista Home premium computers as the clients. For the life of me I can not get samba to work. When I try to map the network drives on windows it will not let me authenticate. I install swat and try it that way, still no luck. Here is a copy of my smb.conf file:
Code:
# Samba config file created using SWAT
# from UNKNOWN
# Date: 2009/05/19 21:47:31

[global]
	workgroup = AIVILANET
	server string = Bighat Samba Server
	interfaces = eth0
	null passwords = Yes
	smb passwd file = /etc/samba/smbpasswd
	passdb backend = tdbsam
	username map = /etc/samba/smbusers
	syslog only = Yes
	announce version = 5.0
	name resolve order = hosts wins bcast
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap name = CUPS
	wins support = Yes

[HP-LaserJet-1200]
	comment = HP LaserJet 1200
	path = /var/spool/samba
	read only = No
	printable = Yes
	printer name = HP-LaserJet-1200
	oplocks = No
	share modes = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[home]
	path = /home/savona/
	username = savona
	valid users = @Users
	admin users = savona
	write list = savona
	force user = savona
	force group = savona
	read only = No
	hosts allow = 10.0.0.2