[Samba] net ADS join MEMBER

Rowland penny rpenny at samba.org
Thu Mar 26 21:25:12 UTC 2020


On 26/03/2020 20:08, Bob Wyatt wrote:
> From: Rowland penny <rpenny at samba.org>
> Sent: Saturday, February 29, 2020 8:48 AM
> To: sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] net ADS join MEMBER
>
> On 28/02/2020 23:22, Bob Wyatt wrote:
>> Hi, Rowland,
>>
>> Joined the domain successfully.
>> Winbindd and smbd started without error.
>>
>> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.
> There are several problems with your shares.
>
> You have 'guest ok = yes' in a few of them, but guest access will still
> be denied because you do not have 'map to guest = bad user' in [global].
>
> In one share you have 'valid users' and 'guest ok = yes', but this can
> never work (even after you fix the 'map to guest' problem) because the
> user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid
> users'.
>
> ++++++
>
> Rowland, the above recommendations were implemented; shares no longer used have been deleted.
>
> ++++++
>
> If this was using an ext4 filesystem (or similar), I would suggest
> adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A
> bit of investigation turned up 'vfs_aixacl2', which I think will do the
> same thing. Try running 'man vfs_aixacl2'; if this doesn't work, see
> here:
> https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt
>
> If it does work similar to 'vfs_acl_xattr', you should be able to set
> the permissions from Windows (I am taking it that you do have Windows
> clients) and remove the 'valid users' etc.
>
> ++++++
> Rowland,
>
> Unfortunately, man on vfs_aixacl2 is not fruitful.
>
> The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I’d be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.
>
> With Samba4 for AIX as distributed by IBM, these man pages are available:
>
> /opt/freeware/man/man8/vfs_acl_tdb.8
> /opt/freeware/man/man8/vfs_acl_xattr.8
> /opt/freeware/man/man8/vfs_nfs4acl_xattr.8
> /opt/freeware/man/man8/vfs_zfsacl.8
>
> These "file system" acl libraries are available:
>
> /opt/freeware/lib/samba/vfs/acl_tdb.so
> /opt/freeware/lib/samba/vfs/acl_xattr.so
>
> There are no *nfs*.so files on the system.
>
> I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
> Did see the Samba+ page, but am unsure if
> We are using IBM's version of OpenSSH, so that would have to be investigated as well...
>
> Unless, of course, you have more sage advice you're willing to share.
>
> After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.
>
> The current config file:
>
> [global]
>          workgroup = workgroup
>          realm = WORKGROUP.COM
>          server string = Samba Server Version %v
>          interfaces = lo eth0 172.21.10.2/255.255.0.0
>          case sensitive = Yes
>          hide dot files = No
>      idmap config * : backend        = tdb
>      idmap config * : range          = 20000-20499
>      idmap config boost : backend     = rid
>      idmap config boost : range       = 10000 - 11999
>          username map = /etc/samba/user.map
>          map to guest = bad user
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          security = ADS
>          passdb backend = tdbsam
>          encrypt passwords = yes
>          deadtime = 15
>          local master = no
>          load printers = no
>          cups options = raw
>
> #============================ Share Definitions ==============================
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          browseable = no
>          guest ok = no
>          writable = no
>          printable = yes
> # Un-comment the following and create the netlogon directory for Domain Logons:
> ;       [netlogon]
> ;       comment = Network Logon Service
> ;       path = /var/lib/samba/netlogon
> ;       guest ok = yes
> ;       writable = no
> ;       share modes = no
> [spool]
>          comment = Spooled Files
>          path = /spool
>          read only = No
>          create mask = 0666
>          guest ok = Yes
> [SEI.BP]
>          path = /UVDATA/SEI.II/SEI.BP
>      valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
>          read only = No
> [MSBP]
>          comment = MS/MSBP file
>          path = /UVDATA/MSP/MS_MSBP/MS_MSBP
>          valid users = lac,alb,arp,jlk,p9n,apn
>          read only = No
> [TEST.BP]
>          path = /shumsky/SEI.II/SEI.II/TEST.BP
>          valid users = mh,arp,p9n,apn
>          read only = No
> [archives]
>          comment = archive directory
>          path = /common/archives
>          valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
>          admin users = arp,lac,p9n,apn
>          read only = No
>          create mask = 0776
>          directory mask = 0776
>          inherit permissions = Yes
> [mainlab]
>          path = /tmp
>          printable = Yes
> [HOW.TO]
>          path = /UVDATA/common/HOW.TO
>          valid users = arp
>          read only = No
> [root]
>          path = /
>          valid users = arp,p9n,apn
>          read only = No
>          create mask = 0774
> [UVspool]
>          path = /UVDATA/spool
>          guest ok = Yes
> [emailorders]
>          path = /UVDATA/common/ediin/nova_orders
> [SH.BP]
>          path = /UVDATA/common/SH.BP
>          valid users = arp,alb,lac,jlk,p9n,apn
>          read only = No
> ++++++
>
> Rowland
>
> Thanks for everything Rowland!
>
> Bob Wyatt
>
>
>
>
Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit 
me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance 
of getting it to work.

Rowland
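
The two guest-access problems described in the quoted reply ('guest ok' without a guest mapping in [global], and 'guest ok' combined with a 'valid users' list that omits the guest account) can be checked mechanically. The following is an added example, not part of the original thread and not Samba code: a small Python check run over a constructed smb.conf, assuming the defaults 'map to guest = Never' and 'guest account = nobody' and treating 'valid users' as a plain list of names.

```python
import re

# Constructed sample smb.conf (not the poster's file); [global] sets no 'map to guest'.
SAMPLE = """\
[global]
    security = ADS
[spool]
    path = /spool
    guest ok = Yes
[archives]
    path = /common/archives
    valid users = kth, lac
    guest ok = yes
[SEI.BP]
    valid users = kth
"""
TRUE_WORDS = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts as true

def parse(text):
    """Return {section: {param: value}}; names lowercased, internal spaces dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            current["guestok" if key == "public" else key] = value.strip()  # synonym
    return sections

def audit(text):
    """Flag the two guest-access problems described in the reply."""
    conf = parse(text)
    glob = conf.get("global", {})
    mapped = glob.get("maptoguest", "never").lower() != "never"   # assumed default: Never
    guest = glob.get("guestaccount", "nobody").lower()            # assumed default: nobody
    findings = []
    for name, share in conf.items():
        if name == "global" or share.get("guestok", "no").lower() not in TRUE_WORDS:
            continue
        if not mapped:
            findings.append((name, "guest ok without map to guest"))
        users = re.split(r"[,\s]+", share.get("validusers", guest).lower())
        if guest not in users:
            findings.append((name, "guest account not in valid users"))
    return findings
```

On a host with Samba installed, `testparm -s` prints the effective configuration and is the authoritative check; this sketch only covers the two conditions named above.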




