Operating System - HP-UX

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

SOLVED
William Timmons
New Member

Use Windows NT Permissions on SAMBA shares with Server 2008

Hi, I am trying to get a unified login system working consisting of multiple HP-UX servers hosting Samba shares, and a single Windows 2008 Domain. I have been advised by HP Support to use winbind and have set up smb.conf to use the new rfc2307 format:

workgroup = DOMAIN
realm = DOMAIN.CO.UK
server string = Testbed Server
interfaces = w.x.y.z
security = ADS
client schannel = No
server schannel = No
password server = S01DC.DOMAIN.CO.UK, *
use kerberos keytab = Yes
log level = 10
syslog = 0
log file = /var/opt/samba/log.%
max log size = 1000
ldap server = S01DC.DOMAIN.CO.UK
ldap group suffix = ou=Users
ldap suffix = dc=domain,dc=co,dc=uk
ldap user suffix = ou=Users
panic action = /var/opt/samba/panic-action %d
idmap backend = tdb
idmap uid = 16001-30000
idmap gid = 16001-30000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 16001 - 30000
idmap config DOMAIN:schema_mode = rfc2307
read only = No
disk quotas = Yes
dos filetime resolution = Yes

Originally I was told to set the User and Group IDs to 10000 - 16000 but this was causing the RID to be changed constantly as winbindd could not see the original RID in the tdb so it issued a new one.

My issue is that I cannot change the permissions on SAMBA shares, or add new users or groups through Windows Explorer. I have been able to see the Windows users on the Unix side using wbind -u and wbind -r. The Kerberos seems to be operational in that after the net ADS join to the domain it created the new keytab file. I am not sure if there is any special LDAP config I need to carry out or if I should configure PAM?

Can anyone help? Thanks
eric roseme
Respected Contributor

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

Is this your own compiled Samba? If so, what version (smbd -V)? This smb.conf does not look like HP CIFS Server A.02.04, which is what you would run to join a W2008 domain.

For HP CIFS Server, you need to ditch the "idmap config" parms and use "idmap backend = rid:domain=16001-30000" (where domain is the name of your domain in the workgroup parm).

If you are compiling your own Samba, then I doubt that a Windows client explorer will be able to manage permissions/users/groups. HP CIFS Server is enhanced to allow a Windows client to manage that stuff and access control lists.

Just for clarification: idmap=rid calculates the winbind uid/gid based upon the Windows domain relative ID (rid) and adds that rid to your base idmap range. That way the winbind mapping is consistent across all of the CIFS/Samba servers in your domain. Check the winbind tdb files in /var/opt/samba/locks to see if your mappings are really there - use /opt/samba/bin/tdbdump.

If you are not committed to winbind yet, you should consider using Unified Login instead. Winbind is a management headache (as you can see). Since you are using Windows 2008 anyway, you are halfway there for Unified Login. Check out how to do it at: http://www.docs.hp.com/en/16212/CIFSUnifiedLoginV2.pdf

Eric Roseme
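The idmap_rid arithmetic Eric describes (uid/gid = base of the range + RID), worked through as an added example; this is illustration code written for this thread, not Samba or HP CIFS Server code. The domain name, the SIDs and the smb.conf line are constructed, and the range check shows the failure mode where a RID larger than the range is left unmapped instead of silently colliding.

```python
import re

# Constructed sample input (not from the thread): Eric's recommended HP CIFS
# setting, using the placeholder domain name the thread uses.
SMB_CONF_LINE = "idmap backend = rid:DOMAIN=16001-30000"

# Constructed SIDs; the domain part is made up, the last component is the RID.
SAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",   # user RID inside the range
    "S-1-5-21-1111111111-2222222222-3333333333-15000",  # RID too large for the range
]

def parse_rid_backend(line):
    """Parse 'idmap backend = rid:<DOMAIN>=<low>-<high>' into (domain, low, high)."""
    m = re.match(r"\s*idmap backend\s*=\s*rid:([^=\s]+)=(\d+)\s*-\s*(\d+)\s*$", line)
    if not m:
        raise ValueError("not an idmap_rid backend line: %r" % line)
    domain, low, high = m.group(1), int(m.group(2)), int(m.group(3))
    if low >= high:
        raise ValueError("idmap range must be low-high with low < high")
    return domain, low, high

def split_sid(sid):
    """Return (domain SID, RID) for a string like S-1-5-21-a-b-c-RID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_id(rid, low, high):
    """The arithmetic described above: unix id = low + rid.
    Returns None when the result falls outside the configured range, so the
    SID stays unmapped (visible as a failure) rather than reusing another id."""
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None

def map_sids(sids, conf_line):
    """Map each SID to its uid/gid under the given smb.conf line.
    The same line on every server gives the same ids, which is the point of rid."""
    _, low, high = parse_rid_backend(conf_line)
    return {sid: rid_to_id(split_sid(sid)[1], low, high) for sid in sids}

if __name__ == "__main__":
    for sid, unix_id in map_sids(SAMPLE_SIDS, SMB_CONF_LINE).items():
        print(sid, "->", unix_id if unix_id is not None else "UNMAPPED (outside range)")
```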
William Timmons
New Member

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

Hi Eric. Thank you for the prompt reply. I had used the rid version prior to changing to the schema for rfc2307, but have reverted back to it based on your advice.

I have tried using version 1 (Feb 2009) and Version 2 (Sept 2009) of the document you mentioned. Version 1 was supposed to cover 2008 Domains but was really only for 200/2003 domains.

I am unsure, and maybe you could clarify for me, if I need to have PAM setup to implement the unified login system?

What we are trying to achieve is to allow users to access Samba shares throughout the Single Domain, across WAN links, by using DFS in the AD, based on their group membership and site location. Thanks again for your help....
William Timmons
New Member

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

Sorry, I forgot to update you with the version of Samba,

HP-UX ******* B.11.31 U ia64 1741442737 unlimited-user license

Version 3.0.30 based HP CIFS Server A.02.04

# swlist -l product | grep -i krb5*
KRB5-Client B.11.31 Kerberos V5 Client Version 1.3.5.03
PHSS_37666 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
krb5client E.1.6.2 Kerberos V5 Client Version 1.6.2
# swlist -l product | grep -i LDAP
LdapUxClient B.04.20 LDAP-UX Client Services
NisLdapServer B.04.20 The NIS/LDAP Gateway (ypldapd)
#

Rgds,

Willie
eric roseme
Respected Contributor
Solution

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

Actually, version 1 was *not* for 2008, because at the time it was written HP CIFS Server did not support 2008. Version 2 of the papers applies to W2008.

I include PAM configuration in the paper for HP-UX logins only. PAM is not required for HP CIFS Server operation. But the nsswitch configuration for ldap *is* required.

If you backed out all of the rid and winbind stuff from smb.conf, you should be able to just follow the directions in the paper.

Eric
William Timmons
New Member

Re: Use Windows NT Permissions on SAMBA shares with Server 2008

My apologies about my misunderstanding of the Ver 1 manual, you are of course correct.

I will back out rid and winbind as per your recommendations, and return the pam.conf to its original status, and follow the instructions from Ver 2.

Thanks again for your patience and assistance on this issue.

Willie