[Samba] net ADS join MEMBER

Bob Wyatt bwyatt_sub at comcast.net
Thu Mar 26 20:08:52 UTC 2020


From: Rowland penny <rpenny at samba.org> 
Sent: Saturday, February 29, 2020 8:48 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 28/02/2020 23:22, Bob Wyatt wrote:
> Hi, Rowland,
>
> Joined the domain successfully.
> Winbindd and smbd started without error.
>
> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.

There are several problems with your shares.

You have 'guest ok = yes' in a few of them, but guest access will still 
be denied because you do not have 'map to guest = bad user' in [global].

In one share you have 'valid users' and 'guest ok = yes', but this can 
never work (even after you fix the 'map to guest' problem) because the 
user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid 
users'.

++++++

Rowland, the above recommendations were implemented; shares no longer used have been deleted.

++++++

If this was using an ext4 filesystem (or similar), I would suggest 
adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A 
bit of investigation turned up 'vfs_aixacl2' which I think will do the 
same thing, try running 'man vfs_aixacl2', if this doesn't work, see 
here: 
https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt

If it does work similar to 'vfs_acl_xattr', you should be able to set 
the permissions from Windows (I am taking it that you do have Windows 
clients) and remove the 'valid users' etc.

++++++
Rowland,

Unfortunately, man on vfs_aixacl2 is not fruitful.

The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I’d be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.

With Samba4 for AIX as distributed by IBM, these man pages are available:

/opt/freeware/man/man8/vfs_acl_tdb.8
/opt/freeware/man/man8/vfs_acl_xattr.8
/opt/freeware/man/man8/vfs_nfs4acl_xattr.8
/opt/freeware/man/man8/vfs_zfsacl.8

These "file system" acl libraries are available:

/opt/freeware/lib/samba/vfs/acl_tdb.so
/opt/freeware/lib/samba/vfs/acl_xattr.so

There are no *nfs*.so files on the system.

I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
Did see the Samba+ page, but am unsure if 
We are using IBM's version of OpenSSH, so that would have to be investigated as well...

Unless, of course, you have more sage advice you're willing to share.

After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.

The current config file:

[global]
        workgroup = workgroup
        realm = WORKGROUP.COM
        server string = Samba Server Version %v
        interfaces = lo eth0 172.21.10.2/255.255.0.0
        case sensitive = Yes
        hide dot files = No
        idmap config * : backend = tdb
        idmap config * : range = 20000-20499
        idmap config boost : backend = rid
        idmap config boost : range = 10000 - 11999
        username map = /etc/samba/user.map
        map to guest = bad user
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ADS
        passdb backend = tdbsam
        encrypt passwords = yes
        deadtime = 15
        local master = no
        load printers = no
        cups options = raw

#============================ Share Definitions ==============================
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
;       [netlogon]
;       comment = Network Logon Service
;       path = /var/lib/samba/netlogon
;       guest ok = yes
;       writable = no
;       share modes = no
[spool]
        comment = Spooled Files
        path = /spool
        read only = No
        create mask = 0666
        guest ok = Yes
[SEI.BP]
        path = /UVDATA/SEI.II/SEI.BP
        valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
        read only = No
[MSBP]
        comment = MS/MSBP file
        path = /UVDATA/MSP/MS_MSBP/MS_MSBP
        valid users = lac,alb,arp,jlk,p9n,apn
        read only = No
[TEST.BP]
        path = /shumsky/SEI.II/SEI.II/TEST.BP
        valid users = mh,arp,p9n,apn
        read only = No
[archives]
        comment = archive directory
        path = /common/archives
        valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
        admin users = arp,lac,p9n,apn
        read only = No
        create mask = 0776
        directory mask = 0776
        inherit permissions = Yes
[mainlab]
        path = /tmp
        printable = Yes
[HOW.TO]
        path = /UVDATA/common/HOW.TO
        valid users = arp
        read only = No
[root]
        path = /
        valid users = arp,p9n,apn
        read only = No
        create mask = 0774
[UVspool]
        path = /UVDATA/spool
        guest ok = Yes
[emailorders]
        path = /UVDATA/common/ediin/nova_orders
[SH.BP]
        path = /UVDATA/common/SH.BP
        valid users = arp,alb,lac,jlk,p9n,apn
        read only = No
++++++
++++++

Rowland

Thanks for everything Rowland!

Bob Wyatt
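An added example, not code from this thread or from the Samba project: a small Python lint that parses an smb.conf the way Samba reads it and flags the two guest-access problems Rowland describes above (a share with 'guest ok = yes' while [global] has no 'map to guest', and a share that combines 'valid users' with 'guest ok'). The embedded sample config is constructed to mirror the shape of the posted one.

```python
# Added example, not code from this thread: a lint for the two guest-access
# problems Rowland describes. Parameter names are normalized the way Samba
# reads them (case and whitespace ignored), so 'Guest OK' matches 'guest ok'.

# Constructed sample in the shape of the posted config, with both problems:
# no 'map to guest' in [global], and a share mixing 'valid users'/'guest ok'.
SAMPLE = """
[global]
        workgroup = workgroup
        security = ADS
[spool]
        path = /spool
        valid users = arp,lac
        guest ok = Yes
[UVspool]
        path = /UVDATA/spool
        guest ok = Yes
[SH.BP]
        path = /UVDATA/common/SH.BP
        valid users = arp,alb
"""

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; '#' and ';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def lint_guest_access(conf):
    """Return (share, problem) pairs for 'guest ok' settings that cannot work."""
    map_to_guest = conf.get("global", {}).get("maptoguest", "never").lower()
    findings = []
    for share, params in conf.items():
        if share == "global" or params.get("guestok", "no").lower() not in ("yes", "true", "1"):
            continue
        if map_to_guest == "never":   # Samba's default: guest logins are refused
            findings.append((share, "no-map-to-guest"))
        if "validusers" in params:    # the guest user is never listed in 'valid users'
            findings.append((share, "valid-users-conflict"))
    return findings
```

Run it against a real file with `lint_guest_access(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; an empty list means neither problem is present.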
