10-02-2009 07:12 AM
workgroup = DOMAIN
realm = DOMAIN.CO.UK
server string = Testbed Server
interfaces = w.x.y.z
security = ADS
client schannel = No
server schannel = No
password server = S01DC.DOMAIN.CO.UK, *
use kerberos keytab = Yes
log level = 10
syslog = 0
log file = /var/opt/samba/log.%
max log size = 1000
ldap server = S01DC.DOMAIN.CO.UK
ldap group suffix = ou=Users
ldap suffix = dc=domain,dc=co,dc=uk
ldap user suffix = ou=Users
panic action = /var/opt/samba/panic-action %d
idmap backend = tdb
idmap uid = 16001-30000
idmap gid = 16001-30000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 16001 - 30000
idmap config DOMAIN:schema_mode = rfc2307
read only = No
disk quotas = Yes
dos filetime resolution = Yes
Originally I was told to set the User and Group ID's to 10000 - 16000 but this was causing the RID to be changed constantly as winbindd could not see the original RID in the tdb so it issued a new one.
My issue is that I cannot change the permissions on SAMBA shares, or add new users or groups through Windows Explorer. I have been able to see the Windows users on the Unix side using wbind -u and wbind -r. The Kerberos seems to be operational in that after the net ADS join to the domain it created the new keytab file. I am not sure if there is any special LDAP config I need to carry out or if I should configure PAM?
Can anyone help?? Thanks
10-02-2009 01:49 PM
Re: Use Windows NT Permissions on SAMBA shares with Server 2008
For HP CIFS Server, you need to ditch the "idmap config" parms and use "idmap backend = rid:domain=16001-30000" (where domain is the name of your domain in the workgroup parm).
If you are compiling your own Samba, then I doubt that a Windows client explorer will be able to manage permissions/users/groups. HP CIFS Server is enhanced to allow Windows client to manage that stuff and access control lists.
Just for clarification: idmap=rid calculates the winbind uid/gid based upon the Windows domain relative ID (rid) and adds that rid to your base idmap range. That way the winbind mapping is consistent across all of the CIFS/Samba servers in your domain. Check the winbind tdb files in /var/opt/samba/locks to see if your mappings are really there - use /opt/samba/bin/tdbdump.
If you are not committed to winbind yet, you should consider using Unified Login instead. Winbind is a management headache (as you can see). Since you are using Windows 2008 anyway, you are halfway there for Unified Login. Check out how to do it at: http://www.docs.hp.com/en/16212/CIFSUnifiedLoginV2.pdf
Eric Roseme
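The mapping rule described in the reply above, as an added example that is not part of the original post or of HP CIFS Server code: it parses the suggested `idmap backend = rid:...` line and derives the uid/gid for a SID. It assumes the id is the base of the range plus the RID and that ids above the top of the range are left unmapped; the SIDs and function names are constructed for illustration.

```python
import re

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")
BACKEND_RE = re.compile(
    r"^\s*idmap backend\s*=\s*rid:([^=\s]+)=(\d+)\s*-\s*(\d+)\s*$")


class OutOfRange(ValueError):
    """The computed id falls above the configured idmap range."""


def parse_backend(line):
    """Return (domain, low, high) from an 'idmap backend = rid:...' line."""
    m = BACKEND_RE.match(line)
    if not m:
        raise ValueError("not a rid idmap backend line: %r" % line)
    domain, low, high = m.group(1), int(m.group(2)), int(m.group(3))
    if low >= high:
        raise ValueError("idmap range is empty: %d-%d" % (low, high))
    return domain, low, high


def rid_of(sid):
    """Extract the relative ID (last sub-authority) from a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return int(m.group(1))


def map_sid(sid, low, high):
    """Assumed rule (from the reply): unix id = base of range + RID."""
    unix_id = low + rid_of(sid)
    if unix_id > high:  # assumption: ids past the range are not mapped
        raise OutOfRange("RID %d -> %d exceeds %d" % (rid_of(sid), unix_id, high))
    return unix_id


def highest_mappable_rid(low, high):
    """Largest RID that still lands inside the configured range."""
    return high - low


if __name__ == "__main__":
    _, low, high = parse_backend("idmap backend = rid:DOMAIN=16001-30000")
    prefix = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    for rid in (513, 1105, 14500):
        try:
            print(rid, "->", map_sid("%s-%d" % (prefix, rid), low, high))
        except OutOfRange as e:
            print("unmapped:", e)
```

Because the result depends only on the RID and the configured range, every server with the same range derives the same uid/gid for an account, which keeps file ownership and ACL entries consistent between servers. Under these assumptions a range of 16001-30000 only covers RIDs up to 13999, so the range has to be sized against the highest RID in the domain.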
10-05-2009 12:41 AM
Re: Use Windows NT Permissions on SAMBA shares with Server 2008
I have tried using version 1 (Feb 2009) and Version 2 (Sept 2009) of the document you mentioned. Version 1 was supposed to cover 2008 Domains but was really only for 200/2003 domains.
I am unsure, and maybe you could clarify for me, if I need to have PAM set up to implement the unified login system?
What we are trying to achieve is to allow users to access Samba shares throughout the Single Domain, across WAN links, by using DFS in the AD, based on their group membership and site location. Thanks again for your help....
10-05-2009 12:54 AM
Re: Use Windows NT Permissions on SAMBA shares with Server 2008
HP-UX ******* B.11.31 U ia64 1741442737 unlimited-user license
Version 3.0.30 based HP CIFS Server A.02.04
# swlist -l product | grep -i krb5*
KRB5-Client B.11.31 Kerberos V5 Client Version 1.3.5.03
PHSS_37666 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
krb5client E.1.6.2 Kerberos V5 Client Version 1.6.2
# swlist -l product | grep -i LDAP
LdapUxClient B.04.20 LDAP-UX Client Services
NisLdapServer B.04.20 The NIS/LDAP Gateway (ypldapd)
#
Rgds,
Willie
10-05-2009 02:32 PM
Solution
I include PAM configuration in the paper for HP-UX logins only. PAM is not required for HP CIFS Server operation. But the nsswitch configuration for ldap *is* required.
If you backed out all of the rid and winbind stuff from smb.conf, you should be able to just follow the directions in the paper.
Eric
10-06-2009 01:16 AM
Re: Use Windows NT Permissions on SAMBA shares with Server 2008
I will back out rid and winbind as per your recommendations, and return the pam.conf to its original status, and follow the instructions from Ver 2.
Thanks again for your patience and assistance on this issue.
Willie