[Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level

Rowland penny rpenny at samba.org
Sat Nov 2 08:24:04 UTC 2019

On 01/11/2019 23:32, Bob Wyatt wrote:
>> -----Original Message-----
>> From: Rowland penny <rpenny at samba.org>
>> Sent: Wednesday, October 30, 2019 4:06 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
>> On 29/10/2019 22:47, Bob Wyatt via samba wrote:
>>> My apologies (again!) for asking about this old, venerable release.
>>> The client is upgrading to 4.10 or 4.11 in early December.
>>> The AIX server was joined to a functional Windows 2000 domain in 2015.
>>> The AD server has since been upgraded to functional Windows Server 2003
>>> sometime since.
>>> Sorry, Rowland - I need to find a better E-mail client for this than Outlook (or change my settings)...
>>> Anyway, not knowing whether attachments are accepted, here is an anonymized and shortened (not showing all of the shares) smb.conf file...
>>> I added a comment for Joe and Jane...
>>> # Samba config file created using SWAT
> That is something else that is dead, it no longer exists in supported
> Samba versions.
>>> # from UNKNOWN (172.16.XXX.yy)
>>> # Date: 2015/02/05 11:39:52
>>> [global]
>>>           interfaces = eth0 172.21.xx.yy/
>>>           workgroup = domainname
>>>           security = domain
>> You really should be using 'security = ADS'
> I can’t really use ADS, as the IBM implementation of 3.6.23 appears to not have been built with ADS support
Active Directory expects 'ADS', it will probably work with 'domain', but 
only over 'RPC'
> As in it will use the nameserver in resolv.conf, or it goes hunting?
The code in Samba will find the best DC to use.
>>> [homes]
>>>           path = /home/%u
>>>           valid users = fjf,root
>>>           admin users = fjf,root
>>>           read only = No
>>>           case sensitive = No
>> Have you only got two users (fjf & root) ? I ask this because they are
>> the only users that will get a home dir
> I snipped the rest of the conf file, which was doing a bunch more shares for a bunch more users
Yes, but you have 'valid users = fjf,root' which means the only users 
that can connect are fjf and root
>> Now we come to the main problem, you do not seem to have any
>> authentication lines.
> Which doesn’t really make sense...
> If I set password server to Joe's IP address, it works fine... no other edits.
> If I set password server to Jane's IP address, it does not work...
> With Joe, everything appears to be authenticated at the AD server.
>> Do you have your users in /etc/passwd and groups in /etc/group ?
> The users as described in smb.conf are in the /etc/passwd file as regular
> AIX system users... We are not using smb users or passwords, to my knowledge.

Then you are not using Samba, you need to have your users & groups in AD 
(and this computer joined to the domain) and mapped to Samba users & 
groups by having the relevant 'idmap config' lines in smb.conf


More information about the samba mailing list