topic Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31 in Operating System - HP-UX

CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

senthil_kumar_1 — Thu, 28 Jan 2010 19:26:36 GMT

Hi All,

I have configured samba 3.1 as domain member in HP-UX 11.31, I have used following steps:

1)copied the kerberos sample file:

# cp /usr/contrib/krb5/sample/krb5.conf.sample /etc/krb5.conf

2)Configured /etc/krb5.conf:

-----------------------------------------------
#vi /etc/krb5.conf

[libdefaults]
default_realm = ABC.XYZ.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2

[realms]
ABC.XYZ.COM = {
kdc = emdlagdc67.abc.xyz.com:88
admin_server = emdlagdc67.abc.xyz.com
}

[domain_realm]
.abc.xyz.com = ABC.XYZ.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

-----------------------------------------------

3) Kerberos Client Authentication:

---------------------------------------------
#/usr/bin/kinit Administrator@ABC.XYZ.COM

Password for Administrator@ABC.XYZ.COM:
-------------------------------------------
Here I have entered the administrator's password, it is working fine.

4)Configured /etc/opt/samba/smb.conf:

----------------------------------------------
# vi /etc/opt/samba/smb.conf

[global]
workgroup = EMDNA
realm = EMDNA.EMDIESELS.COM
preferred master = no
domain master = no
local master = yes
server string = emdlagas71
netbios name = emdlagas71
security = ADS
password server = emdlagdc67.emdna.emdiesels.com emdlondc02.emdna.emdiesels.com
encrypt passwords = yes
winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
-----------------------------------------------

5)Testing samba configuration file:

----------------------------------------------
# /opt/samba/bin/testparm

Load smb config files from /etc/opt/samba/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Loaded services file OK.
Processing comments in /etc/opt/samba/smb.conf
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
-----------------------------------------------

6)samba has been started.

7)Integrating with ADS

----------------------------------------------
# /opt/samba/bin/net ads join -U administrator
administrator's password:
Using short domain name -- EMDNA
Joined 'EMDLAGHPV01' to realm 'EMDNA.EMDIESELS.COM'
-----------------------------------------------

8)Viewing if it is integrated successfully:

----------------------------------------------
# /opt/samba/bin/net ads info
LDAP server: 143.242.67.117
LDAP server name: emdlagdc67
Realm: EMDNA.EMDIESELS.COM
Bind Path: dc=EMDNA,dc=EMDIESELS,dc=COM
LDAP port: 389
Server time: Thu, 15 Oct 2009 13:10:06 CDT
KDC server: 143.242.67.117
Server time offset: -221
----------------------------------------------

Actually my purpose is "all the domain (ABC.XYZ.COM) users should access the files and directories availabil in samba server", for that we have created the users of domain (ABC.XYZ.COM) in samba servers also, so if the users are having permission, they can connect and access samba share by using domain username and password, so the users are not required to enter the username and password while open / access the shares.

I am succeded in this, so that it is not asking username and password since alread I have logged in using domain credential.

But It is only allowing others permission.

For example, we take one user's (ze4egi) home directory:

# ll -d /home/ze4egi
drwxr-xr-x 3 ze4egi tcs 8192 Jul 28 2009 /home/ze4egi

The user id "ze4egi" is being created in domain (ABC.XYZ.COM) and samba server.

And the users home directories are shared through samba, so I am able to open the "//sambaserver/home/ze4egi" with out giving the password from windows client if I have logged in by ze4gi (domain user id).

And as mentioned above, ze4egi has read, write and execute access to //sambaserver/home/ze4egi

But I am not able to write (create / edit) the files or directories with in //sambaserver/home/ze4egi by the domain user "ze4egi".

Actullay it is taking only the others permission of the directory and file. In above mentioned home directory "/home/ze4egi" , others permission is read and execute only.

So that I am able to only read the files or directories with in //sambaserver/home/ze4egi by the domain user "ze4egi".

How to resolve this.

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

senthil_kumar_1 — Fri, 29 Jan 2010 10:59:52 GMT

Hi All,

Could any of you help me to solve this issue?

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

eric roseme — Wed, 03 Feb 2010 22:24:58 GMT

your Windows domain users are being *authenticated* by the Windows DC/KDC okay, but they are not being *authorized* on the HP-UX Samba server, so they are being treated as "other". You are using winbind, which is okay, but your winbind config is not quite right. Do this:

idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap backend = rid:EMDNA=10000-20000

Winbind is kind of tricky. What you eventually want is to do an "id ze4egi" and get a UID mapping of 10001 or something like that (in your 10000-20000 range).

Even better would be to not use winbind and instead use Unified Login. That will give you a more permanent and predictable Windows user config on your HP-UX box. The whitepaper here shows you how to set it up:

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Good job on getting this far, anyway. You almost have it!

Eric Roseme

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

senthil_kumar_1 — Thu, 11 Feb 2010 19:07:06 GMT

If we are configuring "Unified Login" on domain (ADS).

Then will it cause any issues to the samba server already integrated with in domain, they are configured before configuring "Unified Login"?

Since we have already integrated samba server with domain (ADS).

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

eric roseme — Thu, 11 Feb 2010 20:35:11 GMT

I assume that by "integrated" you really mean that you joined the domain. If you have winbind working (which does not appear to be true) then you might have winbind mapping IDs assigned to access control lists for directories and/or files. If you lose the mappings for some reason, then all of those ACLs have random UIDs/GIDs. Aside from that, there's really no investment in your current "joined" state. For Unified Login, you would not have to re-join, but the entire purpose is to get rid of the winbind mappings. Anyway, it's all explained in the whitepaper.

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

Steven E. Protter — Thu, 11 Feb 2010 20:39:46 GMT

Shalom,

You need to check the patch state of the windows 2003 systems. If they are release 1 it will not work. If its SP2 or later, there still may be needed patches.

net join or net join ads must be run and you need a Windows Server Administrator password to join the domain.

SEP

Re: CIFS-A.02.03.04 (SAMBA 3.1) issue in HP-UX 11.31

senthil_kumar_1 — Mon, 08 Mar 2010 19:27:22 GMT

Hi All,

Now the issue has been resolved.

I have done following steps.

I have created the entry "username map" in /etc/samba/smb.conf

1)# more /etc/samba/smb.conf

username map = /etc/samba/username.map

2)more /etc/samba/username.map

john = ABC/john

Now the domain (ABC) user (john) is able to access the samba share with his own privileges.

Now the issue has been resolved.

thanks a lot.