
ACLs (File Security & Permissions) using Samba

18 years 4 months ago #12503 by jhun
hello to all,

just to update this thread, i am now recreating my scenario in my test network and would start from scratch.

by the way, thanks oakie for the advice but i have already changed the owner to nobody before but still the problem persists. nonetheless thank you for posting.

i do not know if this has something to do with it. i forgot to mention that our domain lies within a Windows 2003 SBS server. now checking the logs in event viewer showed me the following errors with regards to netlogon and KDC

[code:1]
The session setup from computer 'SAMBA' failed because the security database
does not contain a trust account 'SAMBA$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:

If 'SAMBA$' is a legitimate machine account for the computer 'SAMBA', then 'SAMBA' should be rejoined to the domain.

If 'SAMBA$' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'SAMBA$' is not a legitimate account, the following action should be taken on 'SAMBA':

If 'SAMBA' is a Domain Controller, then the trust associated with 'SAMBA$' should be deleted.

If 'SAMBA' is not a Domain Controller, it should be disjoined from the domain.
[/code:1]

[code:1]
The session setup from the computer SAMBA failed to authenticate. The name(s) of the account(s) referenced in the security database is SAMBA$. The following error occurred:

Access is denied.
[/code:1]

[code:1]
While processing a TGS request for the target server SAMBA$, the account SAMBA$@DOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 17. The accounts available etypes were 23 -133 -128 3 1.
[/code:1]

the weird part is whenever i execute commands on the samba server to join as a member server on the windows sbs domain it does not produce errors. also it makes an entry in active directory that the computer account and name is added unto the domain

so now i'm into understanding further kerberos and anything with reference to the above mentioned errors and hopefully in my test network all would be fine :lol:

i would update you all on how things would turn out. again thanks for your replies and keep 'em coming :lol:
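The KDC event quoted in the post above lists the encryption types the client requested and the ones the machine account holds keys for. The following is an added example, not part of the original post: a small Python parser that extracts both lists from that message and reports which requested etypes have no matching key. The function names are hypothetical; the etype names are the IANA assignments, and negative numbers are labelled only as local-use values.

```python
import re

# IANA Kerberos encryption type numbers; negative values are local-use.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Message text copied from the KDC event quoted in the post above.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server SAMBA$, the account "
    "SAMBA$@DOMAIN.COM did not have a suitable key for generating a Kerberos "
    "ticket (the missing key has an ID of 8). The requested etypes were 17. "
    "The accounts available etypes were 23 -133 -128 3 1."
)

EVENT_RE = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes were (?P<req>[-\d\s]+)\..*?"
    r"available etypes were (?P<avail>[-\d\s]+)\.",
    re.DOTALL,
)

def etype_name(n):
    """Map an etype number to a readable name."""
    if n in ETYPE_NAMES:
        return ETYPE_NAMES[n]
    return "local-use" if n < 0 else "unknown"

def analyze_kdc_event(message):
    """Return requested/available etypes and the requested ones with no key."""
    m = EVENT_RE.search(message)
    if m is None:
        return None  # not a "no suitable key" event
    requested = [int(x) for x in m.group("req").split()]
    available = [int(x) for x in m.group("avail").split()]
    return {
        "account": m.group("account"),
        "requested": {n: etype_name(n) for n in requested},
        "available": {n: etype_name(n) for n in available},
        "common": sorted(set(requested) & set(available)),
        "unsatisfied": [n for n in requested if n not in available],
    }

if __name__ == "__main__":
    print(analyze_kdc_event(SAMPLE_EVENT))
```

For the quoted event the only requested etype is 17 (AES128) while the account holds RC4 and DES keys, so the two sets do not intersect and no ticket can be issued.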
18 years 4 months ago #12552 by nske
I wish I could be of help but I have no experience at all with the involved windows technologies. However what you find will help us others when we find ourselves in your position, so thanks for bothering to provide details on your progress -not many do! :)
18 years 4 months ago #12569 by jhun
thanks nske,
it is always a pleasure to be able to contribute back to the community i just hope this would benefit someone... :)
18 years 3 months ago #13181 by dph
Hi

Are you using winbind? Can you get a list of domain users/groups by running the command wbinfo -g or wbinfo -u?

There is a slight trick when joining the samba server to the domain. In my experience, you need to reset the administrator password before running the command to join the domain. Just reset the admin password to the same password. Doesn't really matter.

FYI, I have samba server joined to a Win2000 Domain. Never joined to 2003 but I don't imagine there would be much difference.

Also, as well as setting up the shares you need to set the permissions on the individual folders. If you're using winbind with + separator then you would do the following:

chown Domain+user folder - domain being your domain name and folder the name of the folder you want to allow access to. Setting the owner to nobody would not help unless it's mapped to a domain group.

Make sure you can query the list of users and groups first by running wbinfo -g for groups and wbinfo -u for users.

Post up your smb.conf if you like I'll take a look.
18 years 2 months ago #13399 by jhun
hi all,

dph, yes i am using winbind and i am able to get a list of objects (users and computers) from active directory of my windows domain with the command wbinfo.

although i haven't tried resetting the password of the administrator but it would be something that i would try and experiment :)

the account i used to join to the domain is a member of the domain admins and not the administrator itself.

also, i've already set the permissions on the shared folders to be owned by domain users but still unable to accomplish my task.

my apologies if i haven't been able to post my configs yet because of a hectic schedule, nonetheless, i would still find time to post them. :)

thanks again for those who have replied and shared their thoughts.