samba help

der.hans PLUGd at LuftHans.com
Thu Apr 19 20:06:42 MST 2007


On 18 Apr 2007, Bryan O'Neal wrote:

> Since I am chiming in three days late I suppose I should ask; have you
> got it working yet?

No, I do not :(.

> I can tell you how I do it and why.
>
> 0) I use Red Hat derivatives (FC5, FC6, RHEL4, and CentOS4) because they
> do this much easier for me than any other flavor.

That's what I've got in this instance.

Red Hat Enterprise Linux WS release 3 (Taroon Update 8)

$ rpm -qa | grep samba
samba-client-3.0.9-1.3E.10
samba-common-3.0.9-1.3E.10
samba-3.0.9-1.3E.10
redhat-config-samba-1.0.16-5

$ rpm -qa | grep krb
krbafs-1.1.1-11
pam_krb5-1.77-1
krb5-workstation-1.2.7-56
krb5-libs-1.2.7-56
krb5-devel-1.2.7-56
krbafs-utils-1.1.1-11
krbafs-devel-1.1.1-11

Do I have everything I need? Am I missing some kerberos stuff?

If I am where do I get it? This box doesn't have apt or yum and I've
successfully avoided RedHat long enough to not remember vanilla RH.

> 1) I do join my nix boxes to the AD because I want single sign on and
> have need for basic user group permission sets. However if you want read
> or write to the world or if you don't mind managing multiple
> authentication schemes or if you get your AD to be subservient to your
> nix's then you do not need to do this.

The client would like the GNU/Linux box to be available in the same way as
the m$ shares from the desktop user perspective.

> 	a. I use straight up Kerberos and the account you use to proxy
> the tickets must have administrative rights or you must set up an
> account with access to authenticate to and read all accounts in the AD
> node in question.  I personally use the default Admin account because I
> deal with the Windows SBS server and it is just too funky to mess with.
> Also, as we all know, I am incredibly cavalier.

How do I determine what rights my machine's account has?

Do I need to remind the account about its responsibilities as well? :)

Do I have to have kerberos running to authenticate to the AD? How do I
test to see if I have kerberos setup properly?

> 	b. You must change the password of the account on the windows
> server at least once or else AD will not issue you a ticket via krb.  It
> is a security "feature" that is only reasonably well documented by MS.
> 	c. I use winbind to get all of my user and group listings from
> Windows.  I have seen it work with LDAP but never where an AD server was
> not the primary LDAP server.  Even then you have to have pretty open

AD will be the primary LDAP server for now.

thanks,

der.hans

> trust relationships pushed through the forest or else it chokes up on
> you.  This is just my experience, your mileage may vary.
> 	d. If you are using winbind and samba, do not use any of the
> GUIs to join the server to the domain (I am sure this is not a problem
> for you ;) as you must issue a clean ADS join command or else it will
> join like some legacy win98 system and your domain permissions will not
> work correctly.
>
> 2) Once you join correctly there is a matter of permissions.  I use
> standard out of the box ACLs as I don't need much more than standard
> RWX; the 169 different permission combinations available to each
> user/group for every file/folder in windows is just overkill for my
> small business.  However I do need the ability for someone to have
> permission to /some/folder/that/lives/here/example.mpg without having
> permission to anything else in /some/.
> 	a. Mount partition with ACL support
> 	b. Set ACLs on the files
> 	c. Realize you just get RWX
> 	d. Understand that you must trust your krb and acl and not smb
> to handle permissions.
> 	e. Know that RWX gives the windows user the right to give anyone
> else in your domain RWX.
> 	f. mount smb shares and browse to them from windows network
> neighborhood.
>
> And yes I let my users handle their own permission settings from windows.
> If someone is making six figures and is in charge of an entire
> department it is not my job to babysit what permissions they give their
> people in their folders.
>
> -----Original Message-----
> From: plug-discuss-bounces at lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of
> Jeremy C. Reed
> Sent: Wednesday, April 18, 2007 6:28 AM
> To: Main PLUG discussion list
> Subject: Re: samba help
>
>> I'm trying to advertise shares from a RHEL3 box to an m$ domain.
>>
>> I gather one must first get the box to join the domain. The account
> that
>> joins the domain has to have administrator rights?
>>
>> I have been given a userid and password for the domain, but they're
> not
>> working.
>>
>>
>> $ smbclient -L $pdcname -U $username
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>
> What type of Microsoft server?
>
> Maybe in your smb.conf use:
>
>  client ntlmv2 auth = yes
>
> Check your smb.conf(5) man page about what that breaks too.
>
> Or make changes on your Windows system for LMCompatibility. See
> http://www.microsoft.com/technet/community/columns/profwin/pw0203.mspx
> or
> http://support.microsoft.com/default.aspx?scid=KB;en-us;239869
>
>
>  Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

-- 
#  https://www.LuftHans.com/        http://www.CiscoLearning.org/
#  "We are better than we think, not quite what we want to be."
#    -- Nikki Giovanni, 17Apr2007
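As an added example (not code from the thread or from any of its participants): a Samba 3.0.x smb.conf for the clean ADS member join with winbind that Bryan describes in 1c/1d, with Jeremy's ntlmv2 setting, plus a small audit that flags the settings whose absence yields the legacy NT4-style join he warns about, and the Kerberos/join checks der.hans asks about. The realm, workgroup, join account and paths are placeholders, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: smb.conf generator for a Samba 3.0.x
# ADS member server with winbind, an audit for an existing smb.conf, and the
# online verification steps. REALM/WORKGROUP/account/paths are placeholders.

gen_smb_conf() {            # usage: gen_smb_conf REALM WORKGROUP
    cat <<EOF
[global]
    workgroup = $2
    realm = $1
    security = ads
    client ntlmv2 auth = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    nt acl support = yes
EOF
}

# Audit an existing smb.conf: each key must appear with the expected value,
# whitespace around '=' ignored. Prints what is missing; returns 1 if any.
audit_smb_conf() {          # usage: audit_smb_conf /etc/samba/smb.conf
    rc=0
    for kv in 'security:ads' 'realm:.+' 'client ntlmv2 auth:yes' \
              'nt acl support:yes'; do
        key=${kv%%:*}; val=${kv#*:}
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val" "$1"; then
            echo "missing: $key = $val"; rc=1
        fi
    done
    return $rc
}

# Online steps (need the DC, so not run here). Test Kerberos before joining,
# which is the check der.hans asks for; join from the CLI, never the GUI (1d).
verify_join() {             # usage: verify_join REALM JOIN_ACCOUNT
    kinit "$2@$1" || return 1   # TGT issued: krb5.conf, DNS and clock are OK
    klist                       # shows the ticket just obtained
    net ads join -U "$2"        # clean ADS join
    net ads testjoin            # machine account is usable
    wbinfo -t && wbinfo -u      # winbind trust check, then AD user listing
}
# 2a/2b: share filesystem mounted with ACLs, then POSIX ACLs hold the
# per-file rights (only rwx, as in 2c); with 'winbind use default domain'
# the AD user needs no DOMAIN\ prefix:
#   mount -o remount,acl /srv/shares
#   setfacl -m u:jdoe:rwx /srv/shares/example.mpg
```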