Gehaktbal,
Excellent work! I'm sure you'll enjoy OMV.
Greetings,
Dethegeek,
Thanks again, everything is running fine (as far as my knowledge reaches), but there are two questions:
1. How is it possible to access the user folders from outside? When connected via SSH to the OMV I see the folder(s) in the filesystem on the hard drives (/Domain/Username), but I am not able to access them from my Windows machine via Samba or anything else.
2. The second issue is possibly connected with the first one: in Windows 7 Explorer, when opening the network environment, my NAS shows up. When clicking on it, I see all my shared Samba folders and with a mouse click I can browse the contents without logging in, because of the AD integration. But there are two shared folders in the list which I don't know: homes and fafnir (my test user); I didn't create them manually on any hard drive. Also there are no such folders on the hard drives, or I do not find them. Whenever I try to access them, the login window opens up in W7 and I must enter my credentials, but they do not work. So as a result I am not able to access these shares. What is that?
Thanks again in advance for your answer.
Regards,
D. Mueller
If I remember correctly, homes should be an (automatic) share which is individual for each user.
Greetings
David
Hi davidh2k
I didn't try to access a folder from outside (I'm supposing you mean "from a computer which is not a member of your domain"). I'll give it a try with an XP virtual machine.
About your two shares "homes" and "fafnir": as you said, "homes" is a special share: any user going into it will access his home folder. For example
* userA opens \\omv\homes: he will find his own documents
* userB opens \\omv\homes: he will also find his own documents
fafnir is a share making his home accessible. It is visible because you ticked "Set browseable" in the SMB/CIFS configuration. If you disable this option, "fafnir" will become invisible when you browse your server (\\omv\). However it still exists if you try to browse \\omv\fafnir\.
OK, thank you so far. I thought about this possibility, but was not sure.
So if these are the shares for users to access their folders, why am I asked to enter username and password when trying to access these folders, although I'm logged in on a machine which is part of the domain and the user is a domain user?
And finally the access is denied, even if I enter the correct username (domain) and password.
Thanks in advance.
Edit:
After reading your answer I tried the setting "make browsable" and found that the folder "homes" disappeared when unchecking the box "make browsable".
My individual share "fafnir" still remains, but I'm not able to access the folder either.
Quote: After reading your answer I tried the setting "make browsable" and found that the folder "homes" disappeared when unchecking the box "make browsable".
My individual share "fafnir" still remains, but I'm not able to access the folder either.
Sorry, I was wrong.
Quote: How is it possible to access the user folders from outside? When connected via SSH to the OMV I see the folder(s) in the filesystem on the hard drives (/Domain/Username), but I am not able to access them from my Windows machine via Samba or anything else.
Well, I tried an XP virtual machine against my personal OMV setup: I could not access my home directory. I'll try some further testing.
I tried a fresh Windows 7 Professional VM and it worked without any tweak: type in an Explorer window the path to your personal share \\omv\my_ad_account\. Your computer will ask you for a login and a password.
* login should be something like WORKGROUP\user
* password ... well, you guessed it
No problem, and thanks for your support. I also tried a few things. With all the other domain users it works without any problems. I logged in with the user, the home directory is created and I can access the folder, as well as all the other shares.
With the user "fafnir" all the other shares are also working. I logged in as root via SSH and deleted the home folder "fafnir". Then after logging in again as "fafnir", the folder was newly created, but is still not accessible. It asks again for username and password and ends in no connection.
A very suspect issue.
WiiFriik
I succeeded in logging into my home directory from an XP computer. My problem was a clock skew between XP and my OMV server. The XP virtual machine was a fresh install without VMware tools and had no time synchronization with the host.
You should check your non-member computer:
what is the local username used to open your session?
is the password of this local user the same as the password of your account in your AD?
WiiFriik
Can you double check part 2.10 - Enable mkhomedir and umask in the tutorial?
Can you tell me the owner and the permissions on the home directory?
No Problem.
Greetings
David
First of all, I think I described the situation not very precisely and so there was a misunderstanding. With "access from outside" I wanted to say that I was not logged in on the console of the OMV. I tried to access my home folder via network access (Samba) using a domain computer with W7 and a domain user (fafnir).
I checked the permissions and owner of the user folders following your guide and found something really strange:
home folder of user fafnir:
# file: media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/fafnir
# owner: fafnir
# group: users
user::rwx
other user:
# file: media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/nico
# owner: nico
# group: domänen-benutzer
user::rwx
group::---
other::---
The main difference is the user group and I think the problem is located here. Although fafnir is a domain user (like nico), the group displayed is "users".
It seems that the ACL is a little bit messed up, and I have no idea how to fix this, so proposals are welcome.
Regards,
Wiifriik.
I'm comparing your permissions with my own OMV setup:
My home is set up as follows:
root@srv-filer-01:~# getfacl ~dethegeek
# file: media/3d62c5f4-7f78-4490-8d8d-a7cf03f15603/users/DETHEGEEK/dethegeek
# owner: dethegeek
# group: utilisateurs\040du\040domaine
user::rwx
group::--x
other::---
default:user::rwx
default:group::---
default:other::---
As you can see, my group is "utilisateurs du domaine". On an English/American Windows 2008 R2 server it is "domain users". Is it also the translation of "domänen-benutzer" (in German)?
With your domain member computer running Windows 7, can you tell me if the user "nico" is able to open a file in his home directory?
I'm wondering if your user nico had his home folder created on first logon with your Windows 7 domain member, and your home folder fafnir comes from a previous installation of your file server (a Linux box, OMV as a standalone server).
I will try a similar case with a dummy user on my OMV and tell you if I find the same issue. Maybe changing the group of fafnir's home directory will be sufficient to solve your problem. I'll try your scenario.
EDIT: I joined a fresh XP into my domain and created a user "test". I manually created his home folder in OMV with the following permissions:
root@srv-filer-01:/root # getfacl ~test
# file: media/3d62c5f4-7f78-4490-8d8d-a7cf03f15603/users/DETHEGEEK/test
# owner: test
# group: users
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
I logged in on the XP computer as "test" and I can open his home folder and write into it. Fixing the owner group on fafnir's home directory should not solve your issue.
If you want to fix the group owner of fafnir, use this command. It will set fafnir as owner and domänen-benutzer as group owner on all files and subfolders of your home.
Be careful with special characters in the group name.
Can you tell me what the following command returns? It will return any line in /etc/passwd containing the string "fafnir". I'd like to check if fafnir exists in the local OMV users.
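As an added example (not code posted in this thread), a small POSIX shell helper that does the comparison dethegeek makes by hand above: it pulls the owner, group and access entries out of two getfacl dumps and prints what differs. One detail worth knowing when reading such dumps: getfacl writes spaces in names as octal escapes, which is why the French group appears as utilisateurs\040du\040domaine; the helper decodes that so names with spaces compare cleanly. The two dumps embedded below are the ones quoted in this thread (fafnir's home and dethegeek's own); fafnir's was cut off after user::rwx in the post, so its last two access lines are assumed here to be "---" like nico's.

```shell
#!/bin/sh
# acl_compare.sh (added example): diff the owner, group and access entries of two getfacl dumps.
# getfacl writes spaces in names as octal escapes, so "utilisateurs du domaine" appears as
# "utilisateurs\040du\040domaine"; acl_unescape decodes that before any comparison.

# Decode getfacl's \NNN octal escapes on stdin (\040 -> space).
acl_unescape() {
  # printf %b understands \0NNN, so turn each \NNN into \0NNN first.
  sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g' | while IFS= read -r line; do
    printf '%b\n' "$line"
  done
}

# acl_field <dump> <name>: value of a "# name: value" header line (file, owner, group), decoded.
acl_field() {
  printf '%s\n' "$1" | acl_unescape | sed -n "s/^# $2: //p" | head -n 1
}

# acl_entry <dump> <tag>: permission bits of the access entry starting with <tag>,
# e.g. tag "group::" -> "---". "default:" entries do not match because the tag is anchored.
acl_entry() {
  printf '%s\n' "$1" | sed -n "s/^$2//p" | head -n 1
}

# acl_diff <dump_a> <dump_b>: print "what: a | b" for each differing item; exit 1 if any differ.
acl_diff() {
  rc=0
  for f in owner group; do
    a=$(acl_field "$1" "$f"); b=$(acl_field "$2" "$f")
    [ "$a" = "$b" ] || { printf '%s: %s | %s\n' "$f" "$a" "$b"; rc=1; }
  done
  for e in 'user::' 'group::' 'other::'; do
    a=$(acl_entry "$1" "$e"); b=$(acl_entry "$2" "$e")
    [ "$a" = "$b" ] || { printf '%s %s | %s\n' "$e" "$a" "$b"; rc=1; }
  done
  return $rc
}

# Constructed sample input: the dumps quoted in this thread. fafnir's dump was cut off after
# user::rwx in the post; the two missing access lines are assumed to be "---" like nico's.
FAFNIR_ACL='# file: media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/fafnir
# owner: fafnir
# group: users
user::rwx
group::---
other::---'

DETHEGEEK_ACL='# file: media/3d62c5f4-7f78-4490-8d8d-a7cf03f15603/users/DETHEGEEK/dethegeek
# owner: dethegeek
# group: utilisateurs\040du\040domaine
user::rwx
group::--x
other::---
default:user::rwx
default:group::---
default:other::---'

# Live use on the server:  acl_diff "$(getfacl ~fafnir)" "$(getfacl ~nico)"
if [ -n "${ACL_DEMO:-}" ]; then
  acl_diff "$FAFNIR_ACL" "$DETHEGEEK_ACL"
fi
```

Run with ACL_DEMO=1 to see the three differing items for the embedded dumps (owner, group, and the group:: bits); on the server, feed it the live getfacl output of the two home directories instead.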
@dethegeek:
Thanks for your really great support with my issue.
I'm a little step forward since my last post and this evening after work I will try some additional things.
Here is my current status:
In the meantime the user group of user "fafnir" is corrected. I deleted the user folder, restarted my NAS and my notebook and logged in as "fafnir".
Now using "getfacl" the correct user group "Domänenbenutzer" (domain users) is displayed.
I thought that this was the solution to my problem, but when trying to access the shared folder "fafnir", I still was prompted for the credentials. :shock:
After entering username and the correct password I was confronted with the well-known message "access denied". :?
After that, filled up with frustration, I found out another strange thing: while I was connected to my W2k8 server via remote desktop connection as user "administrator", I tried to open "NAS" in the network neighbourhood in Explorer and saw a shared folder named "fafnir" instead of "administrator", and the connection information in the OMV web interface also told me that user "fafnir" (instead of administrator) is connected over the IP of the server. Probably there is a problem with the stored network logins in the administrator account on the server, which interfered with the ACL when creating the folder for user "fafnir". I also noticed a strange user group which user "fafnir" should be a member of (something like "rejected password ...", I do not remember the correct title) displayed in the user overview in OMV. I do not know where it should come from, and in the detailed view of user "fafnir" this user group is listed, but the box is not checked, only the groups "domain-users" and "domain-administrators".
This evening I will switch off the user folder option, delete the complete home directory on the hard disk and start again with only one machine (server) online, hoping that this will help.
It seems the winbind idmap database is probably messed up in your OMV. Winbind uses a database to match SIDs (security identifiers used in the Microsoft world) to UIDs and GIDs (used in the Linux world).
I suggest you close all opened sessions on all member computers (I think it is safer), and you clear that database.
On your OMV, log in as root and do the following. This will stop samba and winbind, move the idmap database into root's home folder (as a backup), and restart samba and winbind.
service samba stop
service winbind stop
mv /var/lib/samba/winbindd_idmap.tdb ~root/
service samba start
service winbind start
The idmap database will be repopulated automatically. When I was fine tuning the howto, I had to do it to solve an ID mess, and it worked. I'm feeling we are on the right track by doing this, and this may solve your issue.
EDIT: I found a nice tool to find the SID of an entity in your AD. Have a look here: http://www.petri.co.il/obj_sid.htm
You may do the same in your OMV with the following command
You may use both of them to compare the SID of fafnir given by your OMV box and your domain controller. If you get different SIDs, clearing the idmap database will certainly do the trick.
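Added example, not from the thread: the reset dethegeek describes above, wrapped so that the database is moved into a dated backup (nothing is deleted), the services are stopped and started in the order the post gives, and the SID that OMV reports for a user (wbinfo -n, the command the thread uses later) can be compared with the one the DC-side tool shows before anything is touched. Paths and service names are those of a Debian-based OMV install of that era and are assumptions here; IDMAP_DB, BACKUP_DIR and SERVICE can be overridden, for instance SERVICE=: to rehearse on a scratch copy without touching real services.

```shell
#!/bin/sh
# idmap_reset.sh (added example): clear winbind's SID<->UID/GID mapping cache with a dated
# backup, and compare SIDs first so the reset is only done when the mapping really disagrees.
# Defaults assume a Debian-based OMV box; override for a dry run or a different layout.

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/winbindd_idmap.tdb}"
BACKUP_DIR="${BACKUP_DIR:-/root/idmap-backups}"
SERVICE="${SERVICE:-service}"   # SERVICE=: skips service control entirely (rehearsal)

# sid_from_wbinfo <line>: the SID from a "wbinfo -n <user>" line such as
# "S-1-5-21-1111-2222-3333-1105 SID_USER (1)". Prints nothing for error text.
sid_from_wbinfo() {
  printf '%s\n' "$1" | awk '$1 ~ /^S-1-/ { print toupper($1) }'
}

# sids_match <sid_a> <sid_b>: case-insensitive comparison; an empty SID never matches.
sids_match() {
  a=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); b=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# rotate_idmap <db> <backup_dir>: move the idmap database into backup_dir with a timestamp
# and print the backup path. Fails without touching anything if the database is missing.
rotate_idmap() {
  db="$1"; dest="$2"
  [ -f "$db" ] || { printf 'rotate_idmap: no database at %s\n' "$db" >&2; return 1; }
  mkdir -p "$dest" || return 1
  bak="$dest/$(basename "$db").$(date +%Y%m%d-%H%M%S)"
  mv "$db" "$bak" || return 1
  printf '%s\n' "$bak"
}

# reset_idmap: the procedure from the post. Services are stopped before the move so winbind
# is not writing into the file while it is renamed; if the move fails they are started again.
reset_idmap() {
  "$SERVICE" samba stop && "$SERVICE" winbind stop || return 1
  rotate_idmap "$IDMAP_DB" "$BACKUP_DIR" || { "$SERVICE" samba start; "$SERVICE" winbind start; return 1; }
  "$SERVICE" samba start && "$SERVICE" winbind start
}

# Live use, with the SID copied from the DC-side tool as first argument:
#   omv_sid=$(sid_from_wbinfo "$(wbinfo -n fafnir)")
#   sids_match "$1" "$omv_sid" && echo "mapping agrees, no reset needed" || reset_idmap
```

The comparison step matters: WiiFriik later found both SIDs identical, which is exactly the case where the reset cannot help, and the backup means the previous mapping can be put back if the rebuilt database hands out different IDs.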
Hi dethegeek,
Thanks again for your support.
Yesterday evening was another day of testing and the result is that everything remains the same.
Here is a brief summary of the current situation; due to shortage of time I was not able to test as extensively as I had planned.
Using cat /etc/passwd|grep fafnir shows no result.
Then first of all I tested the SIDs in my AD and OMV with the help of the tool (thank you for that) and wbinfo for the user "fafnir". The SIDs in both systems are identical, so I think this could not really be the problem.
Second I moved the idmap database as you mentioned in your post, restarted the system and tested the access to the folders again. The situation is unchanged.
User "fafnir" is shown in the user section of OMV with the correct information and connection to user groups as in AD.
The situation is still the same: when I select the NAS in the network section of Windows Explorer all shared folders are displayed in the right Explorer window like this (no network drives are mapped).
I can access all (except for one) displayed folders without entering my credentials (I think this is the way it should work, because of joining the AD). Only the folder "fafnir" is not accessible. When clicking on it, the login window of W7 pops up and after entering username and password for the user "fafnir" the access is denied. For all the other users I tried, it works like a charm. All folders can be accessed, also the individual home folders. I encounter the identical situation when trying to connect network drives: all folders work, except for the home folder of "fafnir".
When logged in to the OMV as the user "fafnir" via SSH (using PuTTY) everything is fine. I can access the home folder of "fafnir" using Midnight Commander; to the home folders of the other users the access is denied.
It's a very confusing situation and I have no idea where this is coming from, and I'm starting to believe that this is probably a problem in Windows and not in OMV.
I'm close to desperation and actually have no concrete idea what else to check.
This evening I will create a new user account in the AD and try with this one. Next step is making a fresh install of W7 on a different notebook which wasn't part of the domain yet. Then I will try logging in with user "fafnir".
I'm very excited about what the results will be.
Edit:
The last time I tried to access the shared folder "fafnir" I received a message window in W7 after entering username and password saying: "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.", but there were no other connections from this notebook to the NAS.
Do you know where the permissions for the home folders are stored in OMV? Probably I must add a special group?
Hi, now we are sure fafnir does not exist in /etc/passwd, and your ID mapping is not messed up.
I'm thinking too that your OMV is not faulty.
I agree with you about creating a new domain member with a fresh Windows 7. Let's have a try.
I'd like to compare fafnir and nico further to find why fafnir doesn't work as expected.
Can you log in as root on your OMV, type these commands and report the results? They show for both fafnir and nico the user information (as it would be in /etc/passwd), and the numeric owner of their home directory.
getent passwd | grep nico
ls -lnd ~nico
getent passwd |grep fafnir
ls -lnd ~fafnir
Can you also compare the group memberships of fafnir and nico in your AD? Did you create and use custom security groups for your users? (There is a limitation about group nesting in the tutorial because Linux does not handle it natively.)
I also suggest you delete the user "fafnir" from your AD, supposing you are able to backup and restore his data (or there is nothing to backup yet). I did not try to delete and recreate a user. Your DC should use a new SID when you recreate fafnir. You may check this by using the tool I gave you yesterday and check with wbinfo that the "new" fafnir has the new SID (wbinfo -n fafnir).
Maybe you may talk about your domain controller's life: is it a fresh DC set up to run with OMV? Did you do a particular setup for any other purpose?
Quote: The last time I tried to access the shared folder "fafnir" I received a message window in W7 after entering username and password saying: "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.", but there were no other connections from this notebook to the NAS.
When Windows is accessing a resource on a Samba server, Windows cannot handle several Samba logins/passwords for the same session. For example, you open a session with the user "nico" and open a Samba share (let's say "fafnir-shared") not accessible to "nico", but accessible to "fafnir". Windows will ask you for a login and a password and you will log in as "fafnir". If you try to open another share on the same server not allowed for either "nico" or "fafnir" (let's say "an-other-share"), you will not be able to open it. This is a limitation of Windows. To access "an-other-share" you have to close and reopen your session as "nico" to let your workstation forget the credentials you typed to open "fafnir-shared".
I need more time to explain to you the ACL and the Samba user restrictions. I'll talk about that later in a few hours. Stay tuned
EDIT: Well, I already told you how Samba works (this is also true for a share under Windows). I tried to summarize very shortly.
Quote: Remember that a user allowed to access a share needs to be allowed by both Samba and the filesystem. My personal choice is to allow any access in Samba (that's why I don't tick anything in "privileges"), but I restrict access on the filesystem's ACL.
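Added example (not code from the thread) for the check asked for in this post: the UID that winbind hands out for a user (getent passwd) against the numeric owner of that user's home directory (ls -lnd), done in one place. It is also the caveat that goes with moving winbindd_idmap.tdb aside as suggested earlier: with the plain tdb idmap backend, IDs are allocated in the order names are first looked up, so a rebuilt database can map a user to a different UID than the one already stamped on his files, and then the filesystem side of the "allowed by both Samba and the filesystem" rule fails even though Samba lets him in. The passwd and ls lines embedded below are constructed sample input; fafnir's mismatch is made up to exercise the negative case.

```shell
#!/bin/sh
# home_owner_check.sh (added example): is the home directory owned by the UID winbind maps the
# user to? Compares field 3 of a "getent passwd" line with the numeric owner from "ls -lnd".
# After winbindd_idmap.tdb is rebuilt, the tdb backend re-allocates IDs in lookup order, so a
# user can get a new UID while his files keep the old one; this is the check that catches it.

# passwd_uid / passwd_gid / passwd_home <getent line>: fields 3, 4 and 6 of a passwd entry.
passwd_uid()  { printf '%s\n' "$1" | cut -d: -f3; }
passwd_gid()  { printf '%s\n' "$1" | cut -d: -f4; }
passwd_home() { printf '%s\n' "$1" | cut -d: -f6; }

# ls_owner_uid / ls_owner_gid <ls -lnd line>: numeric owner and group (fields 3 and 4).
ls_owner_uid() { printf '%s\n' "$1" | awk '{ print $3 }'; }
ls_owner_gid() { printf '%s\n' "$1" | awk '{ print $4 }'; }

# home_owner_matches <getent line> <ls line>: success when the directory's owner UID equals
# the user's UID. Empty input never matches (no getent line means winbind/nss did not answer).
home_owner_matches() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(passwd_uid "$1")" = "$(ls_owner_uid "$2")" ]
}

# check_user <name>: run both commands live on the server and report one line per user.
# Exit 1 on an ownership mismatch, 2 when the user or the directory cannot be looked up.
check_user() {
  pw=$(getent passwd "$1") || { printf '%s: unknown to getent (winbind/nss not answering?)\n' "$1" >&2; return 2; }
  home=$(passwd_home "$pw")
  ls_line=$(ls -lnd "$home") || return 2
  if home_owner_matches "$pw" "$ls_line"; then
    printf '%s: uid %s owns %s (dir gid %s, primary gid %s)\n' "$1" "$(passwd_uid "$pw")" "$home" \
      "$(ls_owner_gid "$ls_line")" "$(passwd_gid "$pw")"
  else
    printf '%s: uid %s, but %s is owned by uid %s\n' "$1" "$(passwd_uid "$pw")" "$home" "$(ls_owner_uid "$ls_line")" >&2
    return 1
  fi
}

# Constructed sample lines (not output from the thread): nico is consistent, fafnir's directory
# still carries a UID from an earlier mapping.
NICO_PW='nico:*:10001:10000::/media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/nico:/bin/sh'
NICO_LS='drwx------ 2 10001 10000 4096 Jan  1 00:00 /media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/nico'
FAFNIR_PW='fafnir:*:10002:10000::/media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/fafnir:/bin/sh'
FAFNIR_LS='drwx------ 2 10007 100 4096 Jan  1 00:00 /media/2742c29e-9839-4c2d-b892-f506f55dc72c/GREYSKIN/fafnir'

# Live use on the OMV box:  for u in nico fafnir; do check_user "$u"; done
```

When the numbers disagree, the fix is a chown of the home directory to the user's current UID and primary GID (mind the quoting of group names with spaces, as noted earlier in the thread), not another idmap reset.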
Hi dethegeek,
time was very short in the last days, so the testing was not really extensive, but here is a short status.
First of all: the problem persists and I don't know what else to try. :?
I think my Windows AD for user "fafnir" is messed up in a strange way and so I will create a new user and copy all data and (hopefully) then be happy. (Maybe there is another explanation, but I don't know if I will ever know it.)
What I did in the meantime:
1. I changed the user groups of user "fafnir". In the end he was only a member of the group "domain-users" like all the other users too (before he was in nearly the same groups as user "administrator", and "administrator" worked well) and cleaned up the database like you described in your post:
service samba stop
service winbind stop
mv /var/lib/samba/winbindd_idmap.tdb ~root/
service samba start
service winbind start
Then I restarted OMV. In OMV the correct user group for "fafnir" was displayed, but the situation was unchanged: user "fafnir" can access all directories as set in the ACL, but not his own home directory.
2. Then I tried the commands you mentioned in your post:
I do not have the exact results available, but the displayed data seem to be OK to me, so now I'm convinced that the problem is located in the AD.
3. I set up a fresh W7 install on a new computer and logged in to OMV with the user "fafnir" - what do you think?
Exactly: the same problem.
4. The last thing I did for now was creating a new user in the AD and logging in to OMV.
The result is as expected: everything is fine, the user can access all shared folders, including his home folder.
Something must have happened to user "fafnir" in the past; probably he is cursed or something. Although I'm very curious about the reason for this behaviour, I decided that my time is too valuable to spend researching this issue. My wife and my three children are waiting for me too, so I think I will copy the user data of "fafnir" to a new account (I will try the same name!) and then I hope everything will be fine.
And yes, you are right: I'm German (you guessed it because of the group name: Domänenbenutzer)
Thank you again so far, and you will hear about any new problem I encounter when making the new user and copying the data from one account to another.
And if you have any new proposals for what to try, please feel free to post them. I will leave the user in my AD and try to experiment with him (if my time allows).
Nevertheless I learned a bit about (Debian) Linux and now am hungry for more! I will try to use it on one of my notebooks (possibly as a substitute for W7).
One final question: in which cycles is the user data refreshed in OMV? I made the AD users and groups visible as you described in your tutorial, but when I changed the group membership of user "fafnir" in AD, it was not visible in OMV.
Only after manually moving the database and restarting OMV were the new user groups shown.
Thanks again and best regards.
Hi WiiFriik
Quote from "WiiFriik":
One final question: in which cycles is the user data refreshed in OMV? I made the AD users and groups visible as you described in your tutorial, but when I changed the group membership of user "fafnir" in AD, it was not visible in OMV.
Only after manually moving the database and restarting OMV were the new user groups shown.
I tried this scenario:
I created a "test" user and OMV shows "test" belongs to the group "utilisateurs du domaine" ("domain users"). I have some custom groups for my personal purposes. I then added "test" to another group. In OMV I refreshed the users list. The new group does not appear. I tried to restart the service winbindd
After this command and refreshing the users list, the new group appears in front of "test".
This is something I should compare when I try another howto with OpenLDAP. With OpenLDAP there should be a delay before the changes done on the DC are propagated.
About your user "fafnir": I don't have any clue what to do for now. I'm thinking your user is somewhat corrupted on the DC side, as you said. I will think about that.
Anyway, with a newly created user, is your issue solved?
edit: I found a possible fix to speed up propagation of changes made on the DC. This applies to Red Hat but I think the described options are available on Debian-based distros. http://agix.com.au/blog/?p=2861
I'll try this soon.
Well, after adding these three options and checking their meaning, I tried to remove a membership from my "test" user and refresh the users list in OMV. The membership does not reflect my change despite more than one second having elapsed between removing the membership and refreshing the list.
edit: The Samba documentation about the three cache settings: http://www.samba.org/samba/doc…anpages-3/smb.conf.5.html
Hi WiiFriik
I'm thinking about your problem with your user fafnir. I wish to check some fields in the properties of this account.
Did you rename the login in the account tab? The login appears in two fields: the user's login name and the user's login name for Windows 2000 and older. They should be the same. Can you have a look at your AD?