samba fs в домене nt4

[Ofinto]

Есть домен на нт4, и есть фс на базе самбы, не могу добиться дабы wbinfo -u видел юзеров, самба в домен входит без проблем.

Код: [Выделить]

[global]
   workgroup = MY-DOMAIN
   security = domain
   server string = File server
   wins server = 10.1.1.29
   netbios name = name
   dns proxy = yes
   name resolve order = wins bcast host
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   display charset = koi8-r
   unix charset = koi8-r

[data]
   comment = Share
   path = /data
   read list = "@MY-DOMAIN\Domain Users"
   write list = "@MY-DOMAIN\Domain Users"
   admin users = "@MY-DOMAIN\Admin Users"
   read only = No
   create mask = 0660
   directory mask = 0770
   inherit owner = yes
   inherit acls = yes
   inhernit permissions = yes
   map acl inherit = yes
   locking = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
Пользователь решил продолжить мысль 29 Октября 2012, 14:39:32:Собственно получилось с таким конфигом:

Код: [Выделить]

[global]
   workgroup = DOMAIN
   security = domain
   username map = /etc/samba/smbusers
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 0
   smb ports = 139
   name resolve order = wins bcast hosts
   wins server = 10.1.1.17
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = + 
   acl compatibility = auto

[data]
   comment = Share
   path = /data
   read only = no
   create mask = 0660
   directory mask = 0770
   nt acl support = yes
   map acl inherit = yes
   force unknown acl user = yes
   locking = no
   acl map full control = yes
   acl group control = yes   
Теперь вопрос как возможно рулить правами из под винды? Под данным конфигом каталоги создаются но ругается если пытаюсь добавить права юзеру из домена говорит - нет прав

[Aleksirk]

Все ниже представленные конфиги файлов полностью рабочие, на данный момент взял их со своей системы, машина в домене.

вот рабочий пример файла common-auth

# /etc/pam.d/common-auth - authentication settings common to all services

auth   [success=2 default=ignore]   pam_unix.so nullok_secure
auth   [success=1 default=ignore]   pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

# here's the fallback if no module succeeds

auth   requisite         pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around

auth   required         pam_permit.so
auth   required         pam_permit.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth        required      pam_deny.so

# and here are more per-package modules (the "Additional" block)

auth   optional         pam_cap.so

# end of pam-auth-update config

=======================================================================================
рабочий пример файла common-password

# /etc/pam.d/common-password - password-related modules common to all services

password   [success=2 default=ignore]   pam_unix.so obscure sha512
password   [success=1 default=ignore]   pam_winbind.so use_authtok try_first_pass

# here's the fallback if no module succeeds

password   requisite         pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around

password   required         pam_permit.so
password      required            pam_unix.so nullok obscure min=4 max=50 md5

# and here are more per-package modules (the "Additional" block)

password   optional   pam_gnome_keyring.so

==============================================================================================
пример файла common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update( for details.

# here are the per-package modules (the "Primary" block)

session   [default=1]         pam_permit.so

# here's the fallback if no module succeeds

session   requisite         pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around

session   required         pam_permit.so

# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".

session optional         pam_umask.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ck_connector.so nox11
session     required      pam_limits.so
session     required      pam_env.so
session     required      pam_unix.so

# and here are more per-package modules (the "Additional" block)

session   optional         pam_winbind.so
session   optional         pam_ck_connector.so nox11


============================================================================================
пример файла  common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update( for details.
#

# here are the per-package modules (the "Primary" block)

account   [success=2 new_authtok_reqd=done default=ignore]   pam_unix.so
account   [success=1 new_authtok_reqd=done default=ignore]   pam_winbind.so

# here's the fallback if no module succeeds

account   requisite         pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around

account sufficient             pam_winbind.so
account required             pam_unix.so
account   required         pam_permit.so

# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

[Ofinto]

Спасибо за ваш конфиг решилось вроде все так
Все делал на debian squeeze
Устанавливаем samba, winbind, acl
Объясним системе. что у нас на файловой системе есть расширенное управление правами:
/dev/sda3 /data ext4 defaults,acl  0 2
после чего либо перемонтируем соответствующие разделы, либо перезагружаемся
Собственно конфиг самбы:

Код: [Выделить]

[global]
   workgroup = GOV
   security = domain
   username map = /etc/samba/smbusers
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 0
   smb ports = 139
   name resolve order = wins bcast hosts
   wins server = 10.1.1.17
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = + 
   acl compatibility = auto
   disable spoolss = yes
   show add printer wizard = no
   hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/~*/

[data]
   comment = Share
   path = /data
   valid users = "@GOV+Domain Users"
   read list = "@GOV+Domain Users"
   write list = "@GOV+Domain Users","@GOV+Domain Admins"
   admin users = "@GOV+Domain Admins"
   read only = no
   create mask = 0660
   directory mask = 0770
   nt acl support = yes
   map acl inherit = yes
   force unknown acl user = yes
   locking = no
   acl map full control = yes
   acl group control = yes   
После чего дал sudo chmod 777 на /data
Далее настраиваем nsswitch а то без него wbinfo жалуется на ошибки
/etc/nsswitch.conf. Оставляем, редактируем в нем только следующие записи:

Код: [Выделить]

passwd:          files winbind
shadow:          files
group:           files winbind
Далее вводим в домен

Код: [Выделить]

net join -U admin
Enter admins's password:
Joined domain GOV.

Файлы переносил с помощью robocopy \from \to /MIR /sec
И еще вопрос как резервировать данный сервер? Есть какой то аналог robocopy для никсов?

upd: Возникла еще одна проблема необходимы квоты, поставил quota добавил в fstab grpquota,usrquota
сделал
setquota -u GOV+user 0 524288 0 0 /dev/sda3
но repquota -a ничего не показывает кроме рута