I can't connect to the Linux Samba share just created from Windows 10.
I get the "You do not have permission to access..." error message on Windows.
Any help will be appreciated. It looks like I am sooo close! FYI, I can ping, ssh into the linux box, etc. Network connectivity doesn't appear to be an issue.
Here's the smb.conf...
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
log level = 2
printcap name = cups
load printers = yes
cups options = raw
hosts allow = 192.168.1.220 192.158.1.230 192.168.1.240 192.168.1.0/24
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[fshare]
browseable = yes
path = /home/fshare
public = yes
writeable = yes
read only = no
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
valid users = sambauser
In my case, I had to chmod the share folder. As root:
chmod -R 777 /home/shares/
Quite brutal, but enough for my home needs.
My samba server was working fine until last week. I did a search all over the internet and tried the below and still no go.
My smb.conf:
[global]
workgroup = INET
server string = File on-Line
security = ADS
passdb backend = tdbsam
log level = 3
realm = inet.xyz.com
encrypt passwords = yes
unix extensions = no
wins server = 10.X.X.X 10.X.X.X
netbios name = sharefiles
template shell = /bin/bash
strict locking = no
min protocol = NT1
max protocol = SMB3_11
server signing = mandatory
client signing = mandatory
# I added the below after some Google search
idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-20000
================================================
On my windows machine - I do a //sharefiles
It asks me for my login and my login is not accepted.
In /var/log/messages - I get this error:
../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9354]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
Feb 15 16:31:55 sambaserver smbd[9356]: [2022/02/15 16:31:55.498012, 0] ../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9356]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
SAMBA version:
Samba version 4.10.16
Anyone seen this before? Thank you in advance!
Your range is too small; 161484 is larger than 20000. Add a couple of zeros to 20000. You also need another line:
idmap config * : range = 3000-7999
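To see why the RID in the log line cannot fit the configured range, here is an added check (not from the question or answer) that applies the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID to a constructed smb.conf fragment and the check_account log line; the `*` default-range test mirrors the second line the answer adds.

```python
import re

# Constructed sample, modelled on the smb.conf and log line from the question above.
SMB_CONF = """
[global]
idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-20000
"""
LOG_LINE = ("Feb 15 16:31:55 sambaserver smbd[9354]: check_account: Failed to convert SID "
            "S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\\jean])")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M | re.I)
# Groups: full SID, its last component (the RID), and the domain from dom_user[DOM\user].
SID_RE = re.compile(r"SID (S-1-5-21(?:-\d+){3}-(\d+)) to a UID \(dom_user\[([^\\\]]+)\\")

def parse_idmap(conf):
    """Per-domain idmap settings, e.g. {'INET': {'backend': 'rid', 'base_rid': 0, 'range': (10000, 20000)}}."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        d, key = cfg.setdefault(dom, {}), key.lower()
        if key == "range":
            d["range"] = tuple(int(x) for x in val.split("-", 1))
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return cfg

def rid_to_uid(rid, dom_cfg):
    """idmap_rid mapping as documented in idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - dom_cfg.get("base_rid", 0) + dom_cfg["range"][0]

def missing_default_range(cfg):
    """True when the 'idmap config * : range' line the answer adds is absent."""
    return "range" not in cfg.get("*", {})

def check_log_line(line, cfg):
    """Explain a check_account failure as (domain, rid, computed uid, fits, reason)."""
    m = SID_RE.search(line)
    if not m:
        return None
    rid, dom = int(m.group(2)), m.group(3)
    dom_cfg = cfg.get(dom, {})
    if "range" not in dom_cfg:
        return (dom, rid, None, False, f"no idmap range configured for domain {dom}")
    uid, (lo, hi) = rid_to_uid(rid, dom_cfg), dom_cfg["range"]
    if lo <= uid <= hi:
        return (dom, rid, uid, True, f"uid {uid} lies inside {lo}-{hi}")
    return (dom, rid, uid, False, f"uid {uid} lies outside {lo}-{hi}; widen the range")
```

With the question's settings the RID 161484 maps to uid 171484, far above the 20000 ceiling, which is exactly the failure smbd logs.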
I would like to know if there is a way, using Ansible, to append text to the end of a line in a certain section of a file. An example will clarify what I want to do:
Think of a file like this:
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
I would like to add "brazil" on host_allow in [section02] to get this "new file"
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada,brazil
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
As @Dan Farrell mentioned in the comments, you are better off generating the entire file, as partial updates can be unreliable and problematic.
You can however use ansible templates to accomplish this as well.
You create a template file (file.ini, for example) with the contents below (other blocks removed for brevity). This file would contain the full INI file contents.
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = {{allow_hosts}}
Then, in your playbook, add a task to template this file.
- name: Template INI file
  template:
    dest: "/path/to/some/file.ini"
    src: file.ini
    mode: '0664'   # quoted octal; an unquoted 664 is read as decimal and sets the wrong permissions
    owner: root
    group: root
When you instantiate the playbook, you can pass the full list of allowed hosts via extra-vars.
ansible-playbook -i hosts --extra-vars="allow_hosts=mexico,usa,canada,brazil" my-playbook.yml
This however will only work for you if you know all of the allowed hosts at the time the playbook is run.
The text in file looks like this:
[homes]
comment = Home Directories
path =
browseable =
writable = yes
valid users = %S
valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
I want output as:
[homes]
comment = Home Directories
path = /data
browseable = yes
writable = yes
valid users = %S
valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
I am using this command:
sed -i "\#path# s#.*#& /data#" file
It makes changes to everywhere in file where path is located.
Can anyone help me with this?
sed '/path[ ]*=[ ]*$/s#$#/data#'
On lines that have path = before the end of the line, with any amount of whitespace, replace the end of the line, $, with your replacement string.
I'm using Mint distro 18.1.
I configured my laptop to join an AD domain on a Windows 2008R2 Server.
Here is my configuration:
/etc/krb5.conf
[libdefaults]
default_realm = ACMEAD.COM
clockskew = 300
ticket_lifetime = 60d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
[realms]
PRIMEURAD.COM = {
kdc = AD.ACME.COM:88
admin_server = AD.ACME.COM:749
default_domain = ACMEAD.COM
ticket_lifetime = 60d
}
[domain_realm]
.kerberos.server = ACMEAD.COM
.acmead.com = ACMEAD.COM
acmead.com = ACMEAD.COM
acmead = ACMEAD.COM
ticket_lifetime = 60d
[appdefaults]
pam = {
ticket_lifetime = 60d
renew_lifetime = 60d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
/etc/security/pam_winbind.conf
[global]
debug = no
debug_state = no
try_first_pass = yes
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no
# mkhomedir = yes
I'm able to login and authenticate my self. I add my PC to the domain with no problem. And I'm also able to login when I'm offline, which is what I want most.
I'm trying to increase the ticket lifetime to 60 days. Now, if I type klist, this is what I see:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM
Valid starting Expires Service principal
07/11/2017 12:25:02 07/11/2017 22:25:02 krbtgt/ACMEAD.COM@ACMEAD.COM
renew until 07/18/2017 12:24:59
It seems to me that it takes the default of 10h instead of 60 days.
How can I increase it?
The Active Directory domain defaults take precedence here.
Best Practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and Active Directory Group Policy, you will see that value written out as 600 minutes which is 10 hours, but shown as 600 minutes instead. I've never known why they did this. If you want to change the value, you will have to open up the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60 day equivalent which would be 86400.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket
Reference: Maximum lifetime for service ticket
Note that changing this would be considered a security risk, as it gives potential hackers that much more time to potentially decrypt the service ticket and use it for themselves. Just google "silver ticket attack". This is why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it"? If you meant increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT) is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:
EDIT/UPDATE:
To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:
For a single machine, just edit the Registry
For a domain-wide method, use a GPO
Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.
I'm trying to set up global user / group access to all my svn repositories on Linux. Since I am very new to svn / linux stuff, can someone take a look at what I have set up? I still get an "Invalid authz configuration". Here is how I proceeded:
Svn installed / properly working. Serving path home/svn/repos/.
"my_project" created, works using simple auth. Path is home/svn/repos/my_project/.
My "global" user / password + groups file /home/svn/passwd
[groups]
team_a = tom, sim
team_b = jake, roy
prod = frank
[users]
tom = j9uems
sim = 90uifs
jake = fd9j8p
roy = 8ujwek
frank = 8jfjel
My configuration file home/svn/repos/my_project/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = /home/svn/passwd
authz-db = authz
My authorization file home/svn/repos/my_project/conf/authz
[/]
# this project is a team_a project. But jake can have read access to it
@team_a = rw
@team_b =
jake = r
@prod = r
OK, I found out a better way to set up global authentication / access. In case that info could help...
To remove or create a new user, I used a global "passwd" file (no groups!) /home/svn/passwd
[users]
tom = j9uems
sim = 90uifs
jake = fd9j8p
roy = 8ujwek
frank = 8jfjel
To manage groups and global access to repositories on the server, I used a global "authz" file /home/svn/authz
[groups]
team_a = tom, sim
team_b = jake, roy
prod = frank
[my_project:/]
# access denied for everyone
* =
@team_a = rw
jake = r
@prod = r
All repositories must have the same svnserve.conf home/svn/repos/my_project/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = /home/svn/passwd
authz-db = /home/svn/authz
Note that access may be granted to any groups / users on any path of any repos. For example, if the "prod" group needs to have full access to the "production" folder of that project, that is possible:
[my_project:/production]
@prod = rw
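A consistency check for the global passwd / authz layout described in this answer, added here as an example (not part of the original post): it cross-references group members and per-section rules against the `[users]` list and flags `@group` references that `[groups]` never defines, the kind of mismatch that makes svnserve reject an authz file. The file contents are constructed and deliberately contain two such errors.

```python
import configparser

# Constructed samples modelled on the global passwd and authz files from the answer above.
PASSWD = """
[users]
tom = j9uems
jake = fd9j8p
frank = 8jfjel
"""
AUTHZ = """
[groups]
team_a = tom, sim
prod = frank
[my_project:/]
* =
@team_a = rw
jake = r
[my_project:/production]
@prod = rw
@qa = r
"""

def load(text):
    """Parse an svnserve-style INI file, keeping option names case-sensitive."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_authz(passwd_text, authz_text):
    """Cross-reference authz against the global passwd and return a list of problems found."""
    users, authz = set(load(passwd_text)["users"]), load(authz_text)
    groups = {g: {m.strip() for m in (v or "").split(",") if m.strip()}
              for g, v in authz["groups"].items()} if authz.has_section("groups") else {}
    problems = [f"[groups] {g}: member '{m}' not in passwd"
                for g, members in groups.items() for m in sorted(members - users)]
    for sec in authz.sections():
        if sec in ("groups", "aliases"):
            continue
        if not (sec.startswith("/") or ":/" in sec):   # sections are [/path] or [repo:/path]
            problems.append(f"[{sec}]: section is neither [/path] nor [repo:/path]")
        for who, perm in authz[sec].items():
            if set(perm or "") - {"r", "w"}:            # only '', 'r', 'rw' (or 'w') are valid
                problems.append(f"[{sec}] {who}: permission '{perm}' may only contain r and w")
            if who.startswith("@") and who[1:] not in groups:
                problems.append(f"[{sec}] {who}: group not defined in [groups]")
            elif who != "*" and not who.startswith("@") and who not in users:
                problems.append(f"[{sec}] {who}: user not in passwd")
    return problems
```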