Show a little love.
(I’m just saying that brownies would be nice… )
Tag Archive for 'Active-Directory'
One of the key things that was missed in the HOWTO I linked yesterday was enumeration of users and groups by winbind. If you do not have this set to ‘yes’ than you’ll be gnashing your teeth in frustration trying to set up shares with Active Directory permissions. Check it out:
smb.conf–>
[global]
# Changes
security = ADS
netbios name = linux-foo
realm = bkm.com
password server = ADS.foo.bar
workgroup = FOO
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Wth that set you should be able to run getent group and see both the local groups as well as the AD groups which will then allow you to set AD permissions in the Samba share:
smb.conf–>
[Foo-Public]
comment = Foo Public Directory
read only = no
browseable = yes
path = /shares/public
users = @”FOO+Domain Users”
At the moment I have it semi-granular rights working in that everyone can browse the shares but only certain groups possess Read-Write-Execute rights. If I switch browseable = no than people just need to know the location of the share to get to it, i.e. security through obfuscation. So the challenge that remains now is to use the ACLs as determined by AD and to find a way to edit those ACLs through the Windows MMC. A thread over on the Samba newsgroup talked about needing to enable ACL on the mount point in fstab so I’m going to add another disk in VM-Ware and then mount it with ACL turned on rather than futzing with my primary mount. If I can get ACLs working than likely I can tighten security so that it is only viewable to those as indicated rather than to the general public.
Makes my eyes bleed.
So for the last couple of days I’ve been banging away on getting an Ubuntu box to authenticate against our Windows 2003 domain and if I’m successful I’ll be able to proceed with developing a new intranet based on FLOSS tools. So far everything has been progressing well in that the set up and configuration of krb5, Samba, and Winbind came off largely without a hitch thanks to the excellent How-To posted by tfieldfer. The only comment I have to add is that caps lock is your friend when performing net join ads and running kinit: your domain should be in caps like so james@FOO.BAR.
At the moment we are able to have all users in the domain login via GDM and auto-create a directory under /home/DOMAIN/username but the catch is that they cannot browse the network without running kinit, but (and it is huge but) the user has to be a domain admin. Head scratching for sure and added to the confusion is the fact that the sudoers list is not picking up the unix admins group we set up. Not that we really need uses to login, it was more of an exercise to see if we could roll out some non-windows boxes to folks who just need mail, Internet, and office applications (that would account for 99% of the company if it weren’t for the proprietary Windows based business system we run).
So what remains? Running a website will be the easy part. The big task is that we need to ensure that file sharing works, that a windows client can map a drive to a share on the Ubuntu box and additionally offer granular rights based on both individuals and groups as dictated by Active Directory. I’m making the slow crawl through The Official Samba HOWTO, dry for sure but I am hopeful that I can dig out some solutions and answers to our myriad and numerous questions.
At the very least the project is keeping my mind busy and imparting some solid Linux admin skills.
