[Samba] net ADS join MEMBER

Bob Wyatt bwyatt_sub at comcast.net
Fri Apr 3 00:04:17 UTC 2020


Rowland,

The wiki suggested doing "smbd -b | grep HAVE_LIBACL" and expecting to get back "HAVE_LIBACL".
This is not the case on our IBM system with 4.10.6.
The current version from IBM is 4.10.13 - considering upgrading in the hopes "HAVE_LIBACL" is present if I really need it.

On the other hand, "smbd -b" does report that smbd was built with vfs_aixacl and vfs_aixacl2.

Builtin modules:
   vfs_default vfs_not_implemented auth_builtin auth_sam auth_winbind vfs_aixacl vfs_aixacl2 nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap

However, man does not return man page information for either.

Before I add that to the config file and test that out...
Do my valid users need to be in the form of bob.wyatt at boost.com instead of what you see below?
Would it be simpler to do that, or it won’t work?
Users testing shares still can’t access them - device not ready...

The wbinfo --ping-dc command was successful.

I'm feeling like we're a lot closer - maybe not having to back off...

Your thoughts, sir (I am keeping in mind that AIX is a foreign entity)... but hopefully I'm back to Samba config issues?

Regards,

Bob Wyatt
-----Original Message-----
From: Rowland penny <rpenny at samba.org> 
Sent: Thursday, March 26, 2020 5:25 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 26/03/2020 20:08, Bob Wyatt wrote:
> From: Rowland penny <rpenny at samba.org>
> Sent: Saturday, February 29, 2020 8:48 AM
> To: sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] net ADS join MEMBER
>
> On 28/02/2020 23:22, Bob Wyatt wrote:
>> Hi, Rowland,
>>
>> Joined the domain successfully.
>> Winbindd and smbd started without error.
>>
>> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.
> There are several problems with your shares.
>
> You have 'guest ok = yes' in a few of them, but guest access will still
> be denied because you do not have 'map to guest = bad user' in [global].
>
> In one share you have 'valid users' and 'guest ok = yes', but this can
> never work (even after you fix the 'map to guest' problem) because the
> user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid
> users'.
>
> ++++++
>
> Rowland, the above recommendations were implemented; shares no longer used have been deleted.
>
> ++++++
>
> If this was using an ext4 filesystem (or similar), I would suggest
> adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A
> bit of investigation turned up 'vfs_aixacl2' which I think will do the
> same thing, try running 'man vfs_aixacl2', if this doesn't work, see
> here:
> https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt
>
> If it does work similar to 'vfs_acl_xattr', you should be able to set
> the permissions from Windows (I am taking it that you do have Windows
> clients) and remove the 'valid users' etc.
>
> ++++++
> Rowland,
>
> Unfortunately, man on vfs_aixacl2 is not fruitful.
>
> The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I’d be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.
>
> With Samba4 for AIX as distributed by IBM, these man pages are available:
>
> /opt/freeware/man/man8/vfs_acl_tdb.8
> /opt/freeware/man/man8/vfs_acl_xattr.8
> /opt/freeware/man/man8/vfs_nfs4acl_xattr.8
> /opt/freeware/man/man8/vfs_zfsacl.8
>
> These "file system" acl libraries are available:
>
> /opt/freeware/lib/samba/vfs/acl_tdb.so
> /opt/freeware/lib/samba/vfs/acl_xattr.so
>
> There are no *nfs*.so files on the system.
>
> I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
> Did see the Samba+ page, but am unsure if
> We are using IBM's version of OpenSSH, so that would have to be investigated as well...
>
> Unless, of course, you have more sage advice you're willing to share.
>
> After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.
>
> The current config file:
>
> [global]
>          workgroup = workgroup
>          realm = WORKGROUP.COM
>          server string = Samba Server Version %v
>          interfaces = lo eth0 172.21.10.2/255.255.0.0
>          case sensitive = Yes
>          hide dot files = No
>          idmap config * : backend = tdb
>          idmap config * : range = 20000-20499
>          idmap config boost : backend = rid
>          idmap config boost : range = 10000 - 11999
>          username map = /etc/samba/user.map
>          map to guest = bad user
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          security = ADS
>          passdb backend = tdbsam
>          encrypt passwords = yes
>          deadtime = 15
>          local master = no
>          load printers = no
>          cups options = raw
>
> #============================ Share Definitions ==============================
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          browseable = no
>          guest ok = no
>          writable = no
>          printable = yes
> # Un-comment the following and create the netlogon directory for Domain Logons:
> ;       [netlogon]
> ;       comment = Network Logon Service
> ;       path = /var/lib/samba/netlogon
> ;       guest ok = yes
> ;       writable = no
> ;       share modes = no
> [spool]
>          comment = Spooled Files
>          path = /spool
>          read only = No
>          create mask = 0666
>          guest ok = Yes
> [SEI.BP]
>          path = /UVDATA/SEI.II/SEI.BP
>          valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
>          read only = No
> [MSBP]
>          comment = MS/MSBP file
>          path = /UVDATA/MSP/MS_MSBP/MS_MSBP
>          valid users = lac,alb,arp,jlk,p9n,apn
>          read only = No
> [TEST.BP]
>          path = /shumsky/SEI.II/SEI.II/TEST.BP
>          valid users = mh,arp,p9n,apn
>          read only = No
> [archives]
>          comment = archive directory
>          path = /common/archives
>          valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
>          admin users = arp,lac,p9n,apn
>          read only = No
>          create mask = 0776
>          directory mask = 0776
>          inherit permissions = Yes
> [mainlab]
>          path = /tmp
>          printable = Yes
> [HOW.TO]
>          path = /UVDATA/common/HOW.TO
>          valid users = arp
>          read only = No
> [root]
>          path = /
>          valid users = arp,p9n,apn
>          read only = No
>          create mask = 0774
> [UVspool]
>          path = /UVDATA/spool
>          guest ok = Yes
> [emailorders]
>          path = /UVDATA/common/ediin/nova_orders
> [SH.BP]
>          path = /UVDATA/common/SH.BP
>          valid users = arp,alb,lac,jlk,p9n,apn
>          read only = No
> ++++++
>
> Rowland
>
> Thanks for everything Rowland!
>
> Bob Wyatt
>
>
>
>
Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit 
me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance 
of getting it to work.

Rowland
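
The two guest-access problems Rowland describes in the quoted reply, as an added example that is not part of the original thread: a small Python check run over a constructed smb.conf. It assumes Samba's documented defaults (`map to guest = Never`, `guest account = nobody`) and compares plain user names only, so `@group` or `DOMAIN\user` entries in `valid users` are not resolved.

```python
SAMPLE = """\
[global]
    security = ADS
[spool]
    guest ok = Yes
[archives]
    valid users = kth, lac
    guest ok = yes
"""  # constructed sample, not the poster's file

TRUE = {"yes", "true", "1"}

def parse(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and internal whitespace in parameter names
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def guest_findings(text):
    """Return (share, problem) pairs for shares whose guest access cannot work."""
    conf = parse(text)
    glob = conf.get("global", {})
    map_to_guest = glob.get("maptoguest", "never").lower()  # default: Never
    guest = glob.get("guestaccount", "nobody").lower()      # default: nobody
    out = []
    for name, opts in conf.items():
        # 'public' is a synonym for 'guest ok'
        guest_ok = opts.get("guestok", opts.get("public", "no")).lower() in TRUE
        if name == "global" or not guest_ok:
            continue
        if map_to_guest == "never":
            out.append((name, "guest ok set but map to guest is Never"))
        users = opts.get("validusers", "").lower().replace(",", " ").split()
        if users and guest not in users:
            out.append((name, f"valid users excludes guest account '{guest}'"))
    return out

if __name__ == "__main__":
    for share, msg in guest_findings(SAMPLE):
        print(f"[{share}] {msg}")
```
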







