Help - Setting up Samba & Active Dir
sternfan
2006-01-23, 09:22 AM CST
Hi all,
What I am trying to do:
Have a win2k AD domain and would like to set up an FC4 samba file server. I would like the user accounts to come from ADS and would like to be able to set ACL permissions on the share using AD accounts. In other words, when sitting at a windows box, is it possible to go to the ACL (permissions) and see Active Directory accounts there?
Just wondering if this is possible? If so, how can I set this up?
Thanks,
Rob
PS - if it's not possible, let me know since this is driving me nuts
sternfan
2006-01-23, 02:06 PM CST
Making some progress - hopefully I can get a little help with this :)
I joined my FC4 box to the domain.
I installed webmin to make things a little easier.
Set up authconfig to use winbind, ADS & my domain info.
I then tinkered a little while and actually got some success! After a few changes, I went into Samba Users (the gui samba config) and there were my domain accounts! I did a quick test, but for whatever reason I could not access the share from my windows PCs.
I have since been unable to replicate this - I have NO IDEA what I did to make this work - and then not work! Yes, this is driving me crazy...
So - How do I get my domain accounts to be seen in the Samba Users? I know it works - I had it "sorta" working earlier...
Any help greatly appreciated,
Rob
AlexFR
2006-01-23, 02:47 PM CST
How did you add your machine to the windows domain?
sternfan
2006-01-24, 01:20 PM CST
Joined it by going into the terminal and typing 'net ads join -U administrator' --- and it worked.
But I cannot for the life of me figure out what I did to both make it work, then screw it up. My Samba users actually came from AD - then I messed something up and now it is just the regular Linux users.
Any help greatly appreciated!
Thanks,
Rob
bryancole
2006-01-24, 01:37 PM CST
Setting up Samba on an ADS domain is very complex, in my opinion. You've got to check each item in turn:
1) check 'wbinfo -u' to see if winbind is returning correct user accounts
2) check nsswitch is looking up account names from winbind (run 'getent passwd' and it should return the names of your ADS accounts)
3) check pam_winbind is actually using ADS accounts for authentication (by logging into an ADS account from a console terminal i.e. <ctrl><alt>f5 -> login); you'll need to restart gdm if you change your pam configuration, to get this working from the normal GUI login.
4) Configure your shares in smb.conf. winbind maps ADS accounts to linux UIDs. You must make sure your linux UIDs have access to the shared resources.
5) if you want ACL support, make sure it's activated in your kernel (probably not an issue) and activated for the filesystem concerned (i.e. the filesystem must have been mounted with the acl option).
Don't use the System-Config-Samba utility on FC4; it will re-write your samba config and stands a good chance of screwing things up. Writing a smb.conf file from scratch is easiest, since you then know exactly what's going on. Most samba configuration params have sensible defaults so they can be left out of the config file unless you have a specific need to change them, i.e. only put in what you need.
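A small script, added here as an example and not part of bryancole's post, that automates checks 2 and 5 from the list above (the nsswitch.conf lookup order and the acl mount option). The two check functions read config text on stdin, so they can be run against constructed sample text as well as against the live files; the share's mount point is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example (not code from the thread): automates checks 2 and 5 from the
# list above. Each check reads its config text on stdin so it can be run
# against the live system or against constructed sample text.

# Check 2: does nsswitch.conf consult winbind for passwd AND group lookups?
# Returns 0 only when both lines name winbind (comment lines are skipped).
nsswitch_uses_winbind() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { if (p && g) exit 0; exit 1 }
    '
}

# Check 5: is the filesystem holding the share mounted with the acl option?
# Reads /proc/mounts-style lines on stdin; $1 is the mount point to test.
mount_has_acl() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "acl") found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Live run against the real files when they exist; the share's mount point
# may be passed as the first argument (assumed to default to /).
share_mp="${1:-/}"
if [ -r /etc/nsswitch.conf ]; then
    if nsswitch_uses_winbind < /etc/nsswitch.conf; then
        echo "nsswitch: passwd and group lines consult winbind"
    else
        echo "nsswitch: add 'winbind' to the passwd: and group: lines"
    fi
fi
if [ -r /proc/mounts ]; then
    if mount_has_acl "$share_mp" < /proc/mounts; then
        echo "mount $share_mp: acl option present"
    else
        echo "mount $share_mp: no acl option (add it in fstab and remount)"
    fi
fi
# Check 1 is a plain command; the same names should appear in 'getent passwd'.
if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -u | head -n 3
fi
```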
sternfan
2006-01-26, 08:23 AM CST
replies inline
> Setting up Samba on an ADS domain is very complex, in my opinion. You've got to check each item in turn:
> 1) check 'wbinfo -u' to see if winbind is returning correct user accounts
This works - I get the list.
> 2) check nsswitch is looking up account names from winbind (run 'getent passwd' and it should return the names of your ADS accounts)
This doesn't work - I'm getting the Unix/Linux accounts.
> 3) check pam_winbind is actually using ADS accounts for authentication (by logging into an ADS account from a console terminal i.e. <ctrl><alt>f5 -> login); you'll need to restart gdm if you change your pam configuration, to get this working from the normal GUI login.
Since the above didn't work, I will leave this till later.
> 4) Configure your shares in smb.conf. winbind maps ADS accounts to linux UIDs. You must make sure your linux UIDs have access to the shared resources.
> 5) if you want ACL support, make sure it's activated in your kernel (probably not an issue) and activated for the filesystem concerned (i.e. the filesystem must have been mounted with the acl option).
> Don't use the System-Config-Samba utility on FC4; it will re-write your samba config and stands a good chance of screwing things up. Writing a smb.conf file from scratch is easiest, since you then know exactly what's going on. Most samba configuration params have sensible defaults so they can be left out of the config file unless you have a specific need to change them, i.e. only put in what you need.
Filesystem mounted with ACL option? Not sure what this means - I did a classic install of FC4 - did not see this option etc.
Thanks for your help,
Rob
sternfan
2006-01-27, 08:26 AM CST
Thanks for your help.
1 = yes, I see my AD accounts
2 = Not working. All I see are the unix/linux accounts
3 = I get "account not recognized"
4 = I think this is OK - I managed to get into the shares
5 = not sure about this one - I did a "normal" install. I thought ACL was automatically enabled with EXT3?? Do I have to do something else?
Not sure how close I am to making this work, if I'm not close - I will probably just reinstall samba to get back to defaults and try this in a lab situation.
Thanks again,
Rob
doctorpacket
2006-02-06, 02:38 AM CST
Rob ... I have a suspicion your ACL problem is primarily related to the fact that you have different SIDs between the Active Directory Domain and your Samba server and that Group Mapping from the Samba server to AD is not configured to cater for these different SIDs. This is the dark secret that allows Samba ACLs to work with Windows 2000/2003 ACLs (although with some limitations due to inherent mapping problems) .... however .... please give me a couple of days to finish a step-by-step guide that may help. I'll post it in the How-To Articles and let you know.
sternfan
2006-02-08, 10:28 AM CST
doctorpacket - thanks for all your help. I know of at least three admins that would LOVE to figure this out. Any and all help is greatly appreciated.
Thanks,
Rob
AlexFR
2006-02-08, 10:51 AM CST
count me in, looking forward to it, thanks doctorpacket
sternfan
2006-02-10, 08:14 AM CST
Doctorpacket - didn't mention this on my previous post, but I am volunteering to test out whatever Howto you come up with in regards to this issue.
Thanks again,
Rob
doctorpacket
2006-02-15, 02:33 AM CST
I have now completed a first draft of a How To: Samba + Windows Active Directory + ACLs on FC4.
If anyone is interested in 'beta testing' this document, please send me a private message and I can send the draft document in PDF format.
... david
KKJensen
2007-01-24, 05:23 PM CST
Was this document ever posted or published online? I'm in the middle of setting up the same thing...testing on two FC6 and CentOS machines to see what works best.
thanks for putting it together, wherever it is...
doctorpacket
2007-01-24, 09:33 PM CST
Hi KKJensen
I guess your reference is to my comment:
> I have now completed a first draft of a How To: Samba + Windows Active Directory + ACLs on FC4.
At this stage the document allows a setup on FC4, FC5 and FC6 to the point where ADS authentication and ACLs are working. It does not yet cover setting up of Home Drives etc.
However I am happy to send anyone a copy. Just send me a private message and address to where I can email the PDF version.
sternfan
2007-01-25, 06:46 AM CST
Doctorpacket - Send to me too!
Thanks,
Rob
doctorpacket
2007-01-25, 05:09 PM CST
> Doctorpacket - Send to me too!
> Thanks,
> Rob
Rob,
just send me a private message with your email address and I will forward you a copy.
cheers .. david