Friday, October 25, 2013

Winbind, samba, proftpd

It is configured in the following way.

Winbind, samba, proftpd.
It uses kerberos and security = ADS


Now. Users can log in via proftpd and their home directory is created by
samba.
Their group is set to "Domain Users".

When logging in via a Linux command-line FTP client, all seems to
function as expected, but when using a browser, this is where things go
wrong. The first thing I notice, compared to a "normal" FTP browser
connection (see attachment "good.png"), is that the folders/files are
listed with a date. See the attachment "good.png" and look at the
difference between the file "hosts" there and in "nogood.png".
You will see the bad (unusable) files are listed with dates, and the hosts
file in "good.png" lists without dates.


When I select the hosts file when it is in the "Domain Users" group, I
get this message from my browser.

    An error occurred while loading
ftp://simonj@10.0.2.239/home/STAFF/simonj/29 04:43 hosts:
    The file or folder /home/STAFF/simonj/29 04:43 hosts does not exist.


See what it's doing? It thinks the date is a part of the name "hosts"

The "hosts" file is fixed when I change the group from "Domain Users" to
a normal unix group like "users".
But when I switch "DirFakeGroup on ~" on, the problem resurfaces, even
with the unix group "users" set.

I'm using proftpd-1.2.9-7mdk; I was using an earlier version that
comes with Mandrake, but I wanted to see if it was a version-specific bug.

Any ideas? Can you suggest anything that I can try? Below are some of
the config files.


smb.conf
--------
[global]
        workgroup = STAFF
        server string = Samba Server %v
        security = ADS
        realm = STAFF
        encrypt passwords = Yes
        #;server = dangnamit2.staff
        password server = *
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        #;character set = ISO8859-15
        os level = 18
        local master = No
        dns proxy = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        #template homedir = /home/%U
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = yes
        template primary group = "Domain Users"
        printing = cups
        unix charset = LOCALE

[homes]
        comment = Home Directories
        browseable = yes
        writeable = yes
        preserve case = yes
        short preserve case = yes






pam.d/ftp file
---------------
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

##auth       required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
##auth       required   pam_pwdb.so shadow nullok

# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
#auth       required    pam_shells.so

##account    required   pam_pwdb.so
##session    required   pam_pwdb.so





Proftpd.conf
-------------

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on
#DirFakeGroup on ~

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart               on

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            nobody
Group                           nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# Needed for NIS.

PersistentPasswd              off

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
# DefaultRoot /home/foo foo





Any help or advice to this proftpd beginner would be welcome. TA

Here's what I've done to make it work:

<Directory /users/sca/*>
        <Limit WRITE>
                DenyUser sca
        </Limit>
</Directory>
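The symptom in the question above (the browser treating "29 04:43 hosts" as the file name) is what an FTP client's LIST parser produces when the group column of the ls -l style listing contains a space: "Domain Users" is two whitespace-separated tokens, so a parser that counts fixed columns takes one token too many as the date and hands the remainder to the file name. That also explains why DirFakeGroup on ~ brings the problem back: in proftpd the ~ argument means "display the user's primary group", which for a winbind user is "Domain Users" again. Either give the users a one-word primary group or use DirFakeGroup on with an explicit one-word group name, which also keeps real account and group names out of directory listings. The script below is an added illustration, not code from the original post or from proftpd: it runs a naive token-counting parser and a parser anchored on the size/month/day/time run over constructed LIST lines. The exact stray prefix differs between client parsers; the token-counting one here yields "04:43 hosts" where the browser in the post showed "29 04:43 hosts", but the mechanism is the same.

```python
import re
from typing import Optional

# Constructed sample LIST lines in the "ls -l" style that proftpd emits (not
# taken from the original post): the same file once with a one-word UNIX group
# and once with the AD primary group "Domain Users", plus a name with a space.
LINE_PLAIN_GROUP = "-rw-r--r--   1 simonj   users          158 Apr 29 04:43 hosts"
LINE_SPACED_GROUP = "-rw-r--r--   1 simonj   Domain Users   158 Apr 29 04:43 hosts"
LINE_SPACED_NAME = "drwxr-xr-x   2 simonj   Domain Users  4096 Oct 25  2013 My Docs"


def naive_name(line: str) -> str:
    """Token-counting parser: assumes exactly eight fields precede the name.
    Every extra word in the group column pushes the name boundary one token
    to the right, so a date field is glued onto the front of the name."""
    return line.split(None, 8)[8]


MONTH = r"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
LIST_RE = re.compile(
    r"^(?P<perms>[-dlbcps][rwxsStT-]{9})\s+"
    r"(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+"
    r"(?P<group>.+?)\s+"                 # non-greedy: may contain spaces
    r"(?P<size>\d+)\s+"
    r"(?P<month>" + MONTH + r")\s+"
    r"(?P<day>\d{1,2})\s+"
    r"(?P<time_or_year>\d{2}:\d{2}|\d{4})\s+"
    r"(?P<name>.+)$"
)


def parse_list_line(line: str) -> Optional[dict]:
    """Anchor on the size/month/day/time run instead of counting tokens, so a
    group or file name containing spaces is recovered intact. Returns None for
    lines that are not entries (e.g. the 'total N' header)."""
    m = LIST_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["links"] = int(entry["links"])
    entry["size"] = int(entry["size"])
    return entry


if __name__ == "__main__":
    for line in (LINE_PLAIN_GROUP, LINE_SPACED_GROUP, LINE_SPACED_NAME):
        print(f"naive: {naive_name(line)!r:18} robust: {parse_list_line(line)['name']!r}")
```

The robust parser still assumes a one-word owner column; if DirFakeUser or a user name with a space is in play, the owner field needs the same non-greedy treatment, at the cost of more ambiguity, which is why fixing the listing on the server side is the better answer.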

Integrate Linux with Active Directory using Samba, Winbind, and Kerberos







Steps

This is the summary of my experience setting up a Linux machine to become a member of an existing Active Directory domain.
Last year I was new to an organization that has an unhealthy affinity for Dell. Anyway, we needed some more storage space, so my solution was to build a server from parts and use CentOS 5.1 and Samba to share files with the Windows domain. I wound up with a 3U file server with a 12 TB RAID 6 array with a hot spare (redundancy is serious business) for just shy of $4,000. Given the cost of a similar solution from Dell, major brownie points for me. But, I digress. Here's the meat and potatoes of getting a Linux box to play well with an AD environment.
I hope this helps someone!
1.

Get your linux box configured, with the relevant packages installed.

So, you've got your server/workstation up with your favorite flavor of Linux installed, and it's time to join the Windows domain. For this, we'll be needing samba and kerberos. Most distros come with samba installed, but it's best to go ahead and grab the newest version either from your distro's repositories or the samba website itself. Also, make sure you have the krb5 client packages installed (krb5-workstation on Red Hat flavored systems, krb5-user on Debian flavored ones).
2.

Time synchronization...

AD is very picky about the time matching during authentication (Kerberos rejects requests when the clock skew exceeds five minutes, which is the AD default), so you'll need to point the ntpd process to a server on your network. A domain controller is a good choice.
For a one-off sync before you join, on any flavor of Linux:
ntpdate HOSTNAME
That only sets the clock once; ntpdate does not configure ntpd. For ongoing synchronization, on Red Hat and Debian flavored Linux alike, edit /etc/ntp.conf with your favorite text editor. Real men use vi. You'll see a servers section; just replace what's there with one or more NTP servers on your domain, like so:
server HOSTNAME iburst dynamic
Now, restart the NTP service like so:
service ntp restart
or
/etc/init.d/ntp restart
or
/etc/rc.d/init.d/ntp restart
depending on your particular brand of *nix (on Red Hat flavored systems the service is called ntpd rather than ntp).
Make sure it's working with the following command:
ntpq -p
You'll see some output that should include the NTP server you pointed it to, and some stats; the line marked with a leading * is the peer the clock is currently synchronized to.
3.

Edit /etc/hosts

Add this line to /etc/hosts for each domain controller:
xxx.xxx.xxx.xxx adserver.yourdomain adserver
If your resolver already uses the AD DNS servers this is optional, since Kerberos and net ads locate domain controllers through the SRV records AD publishes; hard-coding them in /etc/hosts just makes the join independent of DNS.
4.

Edit /etc/krb5.conf

Edit /etc/krb5.conf to look something like this. The realm is your AD DNS domain name in upper case (e.g. CORP.EXAMPLE.COM); realm names are case-sensitive, so the same spelling has to be used everywhere below and in smb.conf:
[libdefaults]
ticket_lifetime = 600
default_realm = YOURDOMAIN
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
YOURDOMAIN = {
kdc = IP or hostname of your AD domain controller
default_domain = YOURDOMAIN
}
[domain_realm]
.yourdomain = YOURDOMAIN
yourdomain = YOURDOMAIN
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
A few caveats on this file. The two default_*_enctypes lines pin the client to single DES, which current domain controllers reject by default (Windows Server 2008 R2 and later ship with DES disabled, and MIT Kerberos 1.18 removed it), and to 3DES, which Windows KDCs never implemented; on anything newer than the CentOS 5 box this was written for, leave both lines out so that AES is negotiated. ticket_lifetime takes a duration, and a bare 600 means 600 seconds; write 10h if you want the usual AD ticket lifetime. The [kdc] section only matters on a machine that runs a KDC itself, so a domain member can omit it.
5.

Test kerberos authentication

Enter the following at the shell to test kerberos authentication (the realm after the @ must be upper case):
kinit username@YOURDOMAIN
It will prompt for a password, and if all is well, return you to the prompt.
Use the command klist to verify you received a ticket. If you have a ticket, then you're doing great. If not, double check your /etc/krb5.conf file; a "Clock skew too great" error means step 2 is not working, and "KDC has no support for encryption type" means the enctype lines in krb5.conf do not overlap with what the domain controller offers.
6.

Configure Samba and Winbind to be a domain member.

Almost done. Now we need to edit the /etc/samba/smb.conf file. I'll include the important parameters. Note that workgroup and realm are different things: workgroup is the short NetBIOS domain name, realm is the Kerberos realm from /etc/krb5.conf (the DNS domain name in upper case), and they are not interchangeable. Your smb.conf file should look something like this:
[global]
workgroup = domainname
password server = hostname of domain controller
wins server = IP of wins server
realm = YOURDOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
; very important: the default separator is a backslash, which needs quoting everywhere in unix/linux
winbind separator = +
; only if you have trusted domains
allow trusted domains = Yes
idmap uid/idmap gid is the Samba 3.0 spelling; it was deprecated in Samba 3.6 in favour of idmap config * : backend = tdb and idmap config * : range = 16777216-33554431, and current releases only accept the new form. Whatever the spelling, keep the range clear of the UIDs and GIDs your local accounts use, or a domain user can end up with the same numeric ID as a local one.
Those are the important bits, but you'll find that there are hundreds of valid parameters for the samba config file. Explore them; it's a very powerful program.
7.

Tell the name service switch to look up users and groups in winbind.

Edit your /etc/nsswitch.conf to look something like this:
passwd: compat winbind
shadow: compat
group: compat winbind
This is what makes AD users and groups visible to getent, ls -l and the like; it is not authentication. Whether a domain password is accepted for a login is decided by PAM, so every service that should accept domain passwords needs pam_winbind.so in its /etc/pam.d stack (the pam.d/ftp file earlier on this page is an example), which this walkthrough does not cover.
8.

Moment of truth: Join the domain.

Once the /etc/samba/smb.conf file is properly edited, enter the following at the shell:
testparm
It gives you the rundown of your samba config file, and will let you know if something is wrong. If all is well, it's time to start the smb and winbind services, like so: (depending on *nix flavor)
service smb restart
service winbind restart
or
/etc/init.d/smb restart
/etc/init.d/winbind restart
or
/etc/rc.d/init.d/smb restart
/etc/rc.d/init.d/winbind restart
If they both come back up fine, let's move to joining the domain. Use an account that is allowed to create computer objects in the domain, and let net prompt for the password rather than appending it after a % sign: a password on the command line ends up in your shell history and is visible to every local user in ps while the command runs.
net ads join -U DOMAIN+username
Then test the join using:
net ads testjoin
If it reports "Join is OK", restart winbind so that it picks up the new machine account, then test winbind:
wbinfo -u <lists all of your AD users>
wbinfo -g <lists all of your AD groups>
If it works, your linux box is now integrated into the AD domain. As a final check that the name service side is wired up too, getent passwd DOMAIN+username should return the user with the uid, home directory and shell that the idmap and template settings produced.
9.

Lastly, configure the smb and winbind services to start automatically

Every distro has a different way of doing this, so I won't delve into too much detail (on Red Hat flavored systems it is chkconfig smb on and chkconfig winbind on). Just have a google on it; there's a wealth of information out there.
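Before running net ads join it is worth checking the two files for the mistakes that produce the most confusing failures: a realm that is not the upper-cased DNS name, a realm spelled differently in krb5.conf and smb.conf, a [realms] block that does not match default_realm, enctype lines that pin the client to DES or 3DES (which current domain controllers reject or never supported), the default backslash winbind separator, and idmap ranges that are malformed. The following Python preflight check is an added example, not part of the original walkthrough or of Samba or MIT Kerberos; the sample configurations in it are constructed (the first pair mirrors the placeholders above, the second is a corrected pair for a hypothetical CORP.EXAMPLE.COM domain), and parse_sectioned is a deliberately small parser that handles only the key = value and brace-block syntax these two files use.

```python
import re
# Constructed sample configs (not from the page): the first pair mirrors the walkthrough's placeholders, the second is a corrected pair for a hypothetical CORP.EXAMPLE.COM domain.
KRB5_AS_POSTED = """[libdefaults]
default_realm = YOURDOMAIN
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
YOURDOMAIN = {
kdc = 10.0.0.1
}
"""
SMB_AS_POSTED = """[global]
workgroup = domainname
realm = DOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
"""
KRB5_FIXED = """[libdefaults]
default_realm = CORP.EXAMPLE.COM
[realms]
CORP.EXAMPLE.COM = {
kdc = dc1.corp.example.com
}
"""
SMB_FIXED = """[global]
workgroup = CORP
realm = CORP.EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
winbind separator = +
"""

def parse_sectioned(text):
    """'key = value' lines into {section: {key: value}}; krb5.conf brace blocks are flattened to 'REALM.key'."""
    conf, section, prefix = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif line.endswith("{"):                  # e.g. 'CORP.EXAMPLE.COM = {'
            prefix.append(line[:-1].split("=")[0].strip())
        elif line == "}":
            prefix.pop()
        elif "=" in line and section is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            k = " ".join(k.lower().split())       # normalise 'idmap  uid' -> 'idmap uid'
            conf[section][".".join(prefix + [k])] = v
    return conf

def check_krb5(conf):
    f, lib = [], conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["krb5: default_realm missing"]
    if realm != realm.upper():
        f.append(f"krb5: default_realm {realm!r} must be upper case (realm names are case-sensitive)")
    if not any(k.startswith(realm + ".") for k in conf.get("realms", {})):
        f.append(f"krb5: no [realms] block for {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for et in lib.get(key, "").split():
            if et.startswith("des-"):
                f.append(f"krb5: {key} pins {et}; single DES is disabled by default on Windows 2008 R2+ DCs")
            elif et.startswith("des3"):
                f.append(f"krb5: {key} lists {et}, which Windows KDCs do not implement")
    return f

RANGE_KEYS = {"idmap config * : range": None, "idmap uid": "pre-3.6", "idmap gid": "pre-3.6"}

def check_smb(conf, krb5_realm=None):
    f, g = [], conf.get("global", {})
    if g.get("security", "").lower() != "ads":
        f.append("smb: security must be 'ads' for a Kerberos-authenticated domain member")
    realm, wg = g.get("realm", ""), g.get("workgroup", "")
    if realm != realm.upper():
        f.append(f"smb: realm {realm!r} must be upper case")
    if krb5_realm and realm.upper() != krb5_realm.upper():
        f.append(f"smb: realm {realm!r} differs from krb5 default_realm {krb5_realm!r}")
    if not wg or "." in wg:
        f.append(f"smb: workgroup {wg!r} must be the short NetBIOS domain name, not a DNS name")
    if g.get("winbind separator", "\\") == "\\":
        f.append("smb: winbind separator is the default backslash; use '+' so DOMAIN+user needs no quoting")
    for key, old in RANGE_KEYS.items():
        if key not in g:
            continue
        if old:
            f.append(f"smb: '{key}' is {old} syntax; Samba 3.6+ spells it 'idmap config * : range'")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g[key])
        if not m or int(m.group(1)) >= int(m.group(2)):
            f.append(f"smb: '{key}' = {g[key]!r} is not an ascending LOW-HIGH range")
    return f

def preflight(krb5_text, smb_text):
    """All findings for one krb5.conf / smb.conf pair; an empty list means go ahead and join."""
    krb5, smb = parse_sectioned(krb5_text), parse_sectioned(smb_text)
    return check_krb5(krb5) + check_smb(smb, krb5.get("libdefaults", {}).get("default_realm"))
```

Run preflight(open("/etc/krb5.conf").read(), open("/etc/samba/smb.conf").read()) on the real files; on the constructed "as posted" pair it reports seven findings (the four enctype pins, the realm mismatch and the two old idmap keys), on the corrected pair none. The parser ignores include directives and anything outside [libdefaults], [realms] and [global], so it complements testparm rather than replacing it.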

install proftpd
useradd userftp -d /home/FTP-shared -s /bin/bash
passwd userftp
(useradd's -p expects an already-hashed password, not plain text, and anything passed on the command line is visible in the process list, so set the password with passwd afterwards; shell names are case-sensitive, so /bin/BASH will not work, and /bin/false does not work either unless it is listed in /etc/shells, as the pam_shells comment in the pam.d/ftp file above explains)


 

Conclusion

That should do it. If you run into errors, I may be able to help you. I had a bumpy road getting this up and running, but in the end this is what worked.
Enjoy, and again, I hope this helps someone.

Thursday, October 3, 2013

CronMod-INT2EXT+ and goodbye link2sd

What you need: a 2.3 ROM (Gingerbread; I did this on v5h6-0), an SD card, a recovery and root.

If you already have an ext partition, skip this; if not, do the following...
1. Connect the phone and copy everything from the card to, for example, a folder called SD on the desktop.
MANDATORY! Do this, because after this process everything on the card is erased, since the card gets formatted.
2. Enter recovery, go to advanced, then partition sd card, choose 512M, and swap 0.
3. When that finishes, go to mounts and storage, then mount usb storage, and copy everything back to the card.
_______________________________________________________________________________
1. Download the script from here
  Code:
http://d-h.st/1vK
and copy it to the SD card (of course, enter recovery first if you haven't already).
2. Install a clean ROM; before that, wipe data, cache partition and dalvik cache. When it is installed, don't leave recovery, go back.
3. Go to install zip from sd card and choose CronMod-INT2EXT+_singed.zip
4. When it is installed, go back, then enter mounts and storage and go to format sd-ext, confirm with yes, wait for it to finish and go back.
5. Reboot the phone with reboot my phone now, and that's it. It will take a bit longer to boot the first time, but once it is up the result is as follows. And say goodbye to link2sd and the other contraptions for moving apps... :)
thanks to didi on xda ;)
here is my phone after installing a few apps: fb, twitter, instagram...