RE: samba help

Author: Bryan O'Neal
Date:  
To: Main PLUG discussion list
Subject: RE: samba help
Since I am chiming in three days late I suppose I should ask; have you
got it working yet?

I can tell you how I do it and why.

0) I use Red Hat derivatives (FC5, FC6, RHEL4, and CentOS4) because they
do this much easier for me than any other flavor.

1) I do join my nix boxes to the AD because I want single sign on and
have need for basic user group permission sets. However if you want read
or write to the world or if you don't mind managing multiple
authentication schemes or if you get your AD to be subservient to your
nix's then you do not need to do this.
    a. I use straight up Kerberos and the account you use to proxy
the tickets must have administrative rights or you must set up an
account with access to authenticate to and read all accounts in the AD
node in question.  I personally use the default Admin account because I
deal with the Windows SBS server and it is just too funky to mess with.
Also, as we all know, I am incredibly cavalier.
    b. You must change the password of the account on the windows
server at least once or else AD will not issue you a ticket via krb.  It
is a security "feature" that is only reasonably well documented by MS.
    c. I use winbind to get all of my user and group listings from
Windows.  I have seen it work with LDAP but never where an AD server was
not the primary LDAP server.  Even then you have to have pretty open
trust relationships pushed through the forest or else it chokes up on
you.  This is just my experience, your mileage may vary.
    d. If you are using winbind and samba, do not use any of the
GUI's to join the server to the domain (I am sure this is not a problem
for you ;) as you must issue a clean ADS join command or else it will
join like some legacy win98 system and your domain permissions will not
work correctly.


2) Once you join correctly there is a matter of permissions.  I use
standard out of the box ACL's as I don't need much more than standard
RWX, the 169 different permission combinations available to each
user/group for every file/folder in windows is just overkill for my
small business.  However I do need the ability for someone to have
permission to  /some/folder/that/lives/here/example.mpg without having
permission to anything else in /some/.
    a. Mount partition with ACL support
    b. Set ACL's on the files
    c. Realize you just get just RWX
    d. Understand that you must trust your krb and acl and not smb
to handle permissions.
    e. Know that RWX gives the windows user the right to give any
one else in your domain RWX.
    f. mount smb shares and browse to them from windows network
neighborhood.


And yes I let my users handle their own permission settings from Windows.
If someone is making six figures and is in charge of an entire
department it is not my job to babysit what permissions they give their
people in their folders.
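To make point 2 concrete, here is an added example (not from Bryan's post) that plans the minimal POSIX ACL entries for one user to reach a single deep file without gaining access to anything else under the share, and checks the plan against a simplified model of the kernel's path walk. The user name "alice" is assumed; the share root and file path are the ones from the post.

```python
from pathlib import PurePosixPath

# Constructed example: grant one AD user access to a single file deep under
# the share without access to anything else in /some. Directories get
# execute-only ("--x"), which lets the user traverse them without listing
# them; only the file itself gets read access.
SHARE_ROOT = "/some"
TARGET = "/some/folder/that/lives/here/example.mpg"   # path from the post


def plan_acl(share_root: str, target: str) -> list[tuple[str, str]]:
    """Return (path, perms) pairs: '--x' on each directory from share_root
    down to the file's parent, then 'r--' on the file itself."""
    root, tgt = PurePosixPath(share_root), PurePosixPath(target)
    if root not in tgt.parents:
        raise ValueError(f"{target} is not below {share_root}")
    entries = [(str(d), "--x") for d in reversed(tgt.parents)
               if d == root or root in d.parents]
    entries.append((str(tgt), "r--"))
    return entries


def setfacl_commands(user: str, entries: list[tuple[str, str]]) -> list[str]:
    """The setfacl invocations for the plan (the filesystem must be mounted
    with the 'acl' option, e.g. 'mount -o remount,acl /some' on ext3)."""
    return [f"setfacl -m u:{user}:{perms} {path}" for path, perms in entries]


def can_access(grants: dict, user: str, path: str, want: str) -> bool:
    """Simplified model of the kernel path walk: the user needs 'x' on every
    ancestor directory (below '/') and the requested bits on the path itself.
    Real ACL evaluation also applies the mask entry and owner/group bits;
    this model only tracks the named-user entries the plan adds."""
    p = PurePosixPath(path)
    for d in p.parents:
        if d == PurePosixPath("/"):
            continue  # assume the filesystem root is traversable
        if "x" not in grants.get((user, str(d)), ""):
            return False
    have = grants.get((user, str(p)), "")
    return all(bit in have for bit in want)


if __name__ == "__main__":
    entries = plan_acl(SHARE_ROOT, TARGET)
    grants = {("alice", path): perms for path, perms in entries}
    for cmd in setfacl_commands("alice", entries):
        print(cmd)
    print("file readable:", can_access(grants, "alice", TARGET, "r"))
    print("/some listable:", can_access(grants, "alice", SHARE_ROOT, "r"))
    print("sibling readable:",
          can_access(grants, "alice", "/some/folder/other.mpg", "r"))
```

The model shows why execute-only on the ancestors is enough: alice can open example.mpg but can neither list /some nor read a sibling file she was not granted.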





-----Original Message-----
From:
[mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of
Jeremy C. Reed
Sent: Wednesday, April 18, 2007 6:28 AM
To: Main PLUG discussion list
Subject: Re: samba help

> I'm trying to advertise shares from a RHEL3 box to an m$ domain.
>
> I gather one must first get the box to join the domain. The account
> that joins the domain has to have administrator rights?
>
> I have been given a userid and password for the domain, but they're
> not working.
>
>
> $ smbclient -L $pdcname -U $username
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE


What type of Microsoft server?

Maybe in your smb.conf use:

client ntlmv2 auth = yes

Check your smb.conf(5) man page about what that breaks too.

Or make changes on your Windows system for LMCompatibility. See
http://www.microsoft.com/technet/community/columns/profwin/pw0203.mspx
or
http://support.microsoft.com/default.aspx?scid=KB;en-us;239869


Jeremy C. Reed
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss