[Samba] net ADS join MEMBER
Bob Wyatt
bwyatt_sub at comcast.net
Thu Mar 26 20:08:52 UTC 2020
From: Rowland penny <rpenny at samba.org>
Sent: Saturday, February 29, 2020 8:48 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER
On 28/02/2020 23:22, Bob Wyatt wrote:
> Hi, Rowland,
>
> Joined the domain successfully.
> Winbindd and smbd started without error.
>
> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.
There are several problems with your shares.
You have 'guest ok = yes' in a few of them, but guest access will still
be denied because you do not have 'map to guest = bad user' in [global].
In one share you have 'valid users' and 'guest ok = yes', but this can
never work (even after you fix the 'map to guest' problem) because the
user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid
users'.
++++++
Rowland, the above recommendations were implemented; shares no longer used have been deleted.
++++++
If this was using an ext4 filesystem (or similar), I would suggest
adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A
bit of investigation turned up 'vfs_aixacl2', which I think will do the
same thing. Try running 'man vfs_aixacl2'; if this doesn't work, see
here:
https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt
If it does work similar to 'vfs_acl_xattr', you should be able to set
the permissions from Windows (I am taking it that you do have Windows
clients) and remove the 'valid users' etc.
++++++
Rowland,
Unfortunately, man on vfs_aixacl2 is not fruitful.
The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I’d be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.
With Samba4 for AIX as distributed by IBM, these man pages are available:
/opt/freeware/man/man8/vfs_acl_tdb.8
/opt/freeware/man/man8/vfs_acl_xattr.8
/opt/freeware/man/man8/vfs_nfs4acl_xattr.8
/opt/freeware/man/man8/vfs_zfsacl.8
These "file system" acl libraries are available:
/opt/freeware/lib/samba/vfs/acl_tdb.so
/opt/freeware/lib/samba/vfs/acl_xattr.so
There are no *nfs*.so files on the system.
I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
Did see the Samba+ page, but am unsure if
We are using IBM's version of OpenSSH, so that would have to be investigated as well...
Unless, of course, you have more sage advice you're willing to share.
After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.
The current config file:
[global]
workgroup = workgroup
realm = WORKGROUP.COM
server string = Samba Server Version %v
interfaces = lo eth0 172.21.10.2/255.255.0.0
case sensitive = Yes
hide dot files = No
idmap config * : backend = tdb
idmap config * : range = 20000-20499
idmap config boost : backend = rid
idmap config boost : range = 10000 - 11999
username map = /etc/samba/user.map
map to guest = bad user
log file = /var/log/samba/log.%m
max log size = 50
security = ADS
passdb backend = tdbsam
encrypt passwords = yes
deadtime = 15
local master = no
load printers = no
cups options = raw
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
[spool]
comment = Spooled Files
path = /spool
read only = No
create mask = 0666
guest ok = Yes
[SEI.BP]
path = /UVDATA/SEI.II/SEI.BP
valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
read only = No
[MSBP]
comment = MS/MSBP file
path = /UVDATA/MSP/MS_MSBP/MS_MSBP
valid users = lac,alb,arp,jlk,p9n,apn
read only = No
[TEST.BP]
path = /shumsky/SEI.II/SEI.II/TEST.BP
valid users = mh,arp,p9n,apn
read only = No
[archives]
comment = archive directory
path = /common/archives
valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
admin users = arp,lac,p9n,apn
read only = No
create mask = 0776
directory mask = 0776
inherit permissions = Yes
[mainlab]
path = /tmp
printable = Yes
[HOW.TO]
path = /UVDATA/common/HOW.TO
valid users = arp
read only = No
[root]
path = /
valid users = arp,p9n,apn
read only = No
create mask = 0774
[UVspool]
path = /UVDATA/spool
guest ok = Yes
[emailorders]
path = /UVDATA/common/ediin/nova_orders
[SH.BP]
path = /UVDATA/common/SH.BP
valid users = arp,alb,lac,jlk,p9n,apn
read only = No
++++++
Rowland
Thanks for everything Rowland!
Bob Wyatt
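
The two guest-access conflicts Rowland describes above can be checked mechanically. The following is an added example, not part of the original thread and not Samba's own code: a small smb.conf checker that flags shares where 'guest ok' is set while 'map to guest' is left at its default of Never, and shares where 'valid users' excludes the guest account. The default guest account name 'nobody' and the sample configuration are assumptions.

```python
import re

TRUE = {"yes", "true", "1", "on"}  # boolean spellings smb.conf accepts

def parse_smb_conf(text):
    """Return {section: {param: value}}; 'Guest OK' is stored as 'guestok'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit_guest_access(text, guest_account="nobody"):
    """Return sorted (share, problem) pairs; guest_account is an assumed default."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    guest = glob.get("guestaccount", guest_account).lower()
    mapping = " ".join(glob.get("maptoguest", "never").lower().split())
    findings = []
    for share, params in conf.items():
        guest_ok = params.get("guestok", params.get("public", "no")).lower()
        if share == "global" or guest_ok not in TRUE:
            continue
        if mapping == "never":
            findings.append((share, "guest ok without map to guest"))
        # Group entries in valid users (@name, +name, &name) are not resolved.
        names = re.split(r"[,\s]+", params.get("validusers", "").lower())
        if any(names) and guest not in names:
            findings.append((share, "guest account not in valid users"))
    return sorted(findings)

# Constructed sample, not the poster's smb.conf.
SAMPLE = """
[global]
   security = ADS
[scratch]
   guest ok = Yes
[reports]
   valid users = alice, bob
   guest ok = yes
"""
```

Calling audit_guest_access(SAMPLE) returns one finding for [scratch] and two for [reports]; adding 'map to guest = Bad User' to [global] leaves only the 'valid users' conflict on [reports].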