[Samba] net ADS join MEMBER

Bob Wyatt bwyatt_sub at comcast.net
Mon Mar 30 20:31:04 UTC 2020


Rowland,

Checking with the IBM website, they now offer 4.10.13 for AIX.
After viewing that installation file (without installing), still not seeing the nfs or jfs acl libraries/files.

Peeked at 4.11.7 on the website, also don’t see these files.
Perchance, are these delivered in some other (not the standard samba) installation file?

If that answer is no...
I still need to make it work as we have it.

Is there a document that is more informative about rid setup, ACL management on AIX, or other setup/configuration options I can leverage to make this work?

It doesn’t appear that the general samba files will help me in this quest, so reverting from IBM's samba version to the general samba version wouldn’t seem to be viable.

I have sent an inquiry to Samba+ about their solutions...

Are you aware of from whom I can solicit further counsel on this installation/configuration?
Or how about setting this up so anyone can access the data with authenticating - anonymous/nobody usage?
Do I still need rid and the other facets of user administration on AIX going with nobody?

I have seen others inquiring about AIX installations - is it improper for me to reach out to them privately?

I know AIX isn’t your forte - is there another group or person (besides Samba+) that may have that expertise to whom you could refer me?

Thank you for everything, Rowland; I truly appreciate all of your help!

Regards,

Bob Wyatt  

-----Original Message-----
From: Rowland penny <rpenny at samba.org> 
Sent: Thursday, March 26, 2020 5:25 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 26/03/2020 20:08, Bob Wyatt wrote:
> From: Rowland penny <rpenny at samba.org>
> Sent: Saturday, February 29, 2020 8:48 AM
> To: sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] net ADS join MEMBER
>
> On 28/02/2020 23:22, Bob Wyatt wrote:
>> Hi, Rowland,
>>
>> Joined the domain successfully.
>> Winbindd and smbd started without error.
>>
>> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.
> There are several problems with your shares.
>
> You have 'guest ok = yes' in a few of them, but guest access will still
> be denied because you do not have 'map to guest = bad user' in [global].
>
> In one share you have 'valid users' and 'guest ok = yes', but this can
> never work (even after you fix the 'map to guest' problem) because the
> user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid
> users'.
>
> ++++++
>
> Rowland, the above recommendations were implemented; shares no longer used have been deleted.
>
> ++++++
>
> If this was using an ext4 filesystem (or similar), I would suggest
> adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A
> bit of investigation turned up 'vfs_aixacl2' which I think will do the
> same thing, try running 'man vfs_aixacl2', if this doesn't work, see
> here:
> https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt
>
> If it does work similar to 'vfs_acl_xattr', you should be able to set
> the permissions from Windows (I am taking it that you do have Windows
> clients) and remove the 'valid users' etc.
>
> ++++++
> Rowland,
>
> Unfortunately, man on vfs_aixacl2 is not fruitful.
>
> The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I’d be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.
>
> With Samba4 for AIX as distributed by IBM, these man pages are available:
>
> /opt/freeware/man/man8/vfs_acl_tdb.8
> /opt/freeware/man/man8/vfs_acl_xattr.8
> /opt/freeware/man/man8/vfs_nfs4acl_xattr.8
> /opt/freeware/man/man8/vfs_zfsacl.8
>
> These "file system" acl libraries are available:
>
> /opt/freeware/lib/samba/vfs/acl_tdb.so
> /opt/freeware/lib/samba/vfs/acl_xattr.so
>
> There are no *nfs*.so files on the system.
>
> I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
> Did see the Samba+ page, but am unsure if
> We are using IBM's version of OpenSSH, so that would have to be investigated as well...
>
> Unless, of course, you have more sage advice you're willing to share.
>
> After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.
>
> The current config file:
>
> [global]
>          workgroup = workgroup
>          realm = WORKGROUP.COM
>          server string = Samba Server Version %v
>          interfaces = lo eth0 172.21.10.2/255.255.0.0
>          case sensitive = Yes
>          hide dot files = No
>      idmap config * : backend        = tdb
>      idmap config * : range          = 20000-20499
>      idmap config boost : backend     = rid
>      idmap config boost : range       = 10000 - 11999
>          username map = /etc/samba/user.map
>          map to guest = bad user
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          security = ADS
>          passdb backend = tdbsam
>          encrypt passwords = yes
>          deadtime = 15
>          local master = no
>          load printers = no
>          cups options = raw
>
> #============================ Share Definitions ==============================
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          browseable = no
>          guest ok = no
>          writable = no
>          printable = yes
> # Un-comment the following and create the netlogon directory for Domain Logons:
> ;       [netlogon]
> ;       comment = Network Logon Service
> ;       path = /var/lib/samba/netlogon
> ;       guest ok = yes
> ;       writable = no
> ;       share modes = no
> [spool]
>          comment = Spooled Files
>          path = /spool
>          read only = No
>          create mask = 0666
>          guest ok = Yes
> [SEI.BP]
>          path = /UVDATA/SEI.II/SEI.BP
>      valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
>          read only = No
> [MSBP]
>          comment = MS/MSBP file
>          path = /UVDATA/MSP/MS_MSBP/MS_MSBP
>          valid users = lac,alb,arp,jlk,p9n,apn
>          read only = No
> [TEST.BP]
>          path = /shumsky/SEI.II/SEI.II/TEST.BP
>          valid users = mh,arp,p9n,apn
>          read only = No
> [archives]
>          comment = archive directory
>          path = /common/archives
>          valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
>          admin users = arp,lac,p9n,apn
>          read only = No
>          create mask = 0776
>          directory mask = 0776
>          inherit permissions = Yes
> [mainlab]
>          path = /tmp
>          printable = Yes
> [HOW.TO]
>          path = /UVDATA/common/HOW.TO
>          valid users = arp
>          read only = No
> [root]
>          path = /
>          valid users = arp,p9n,apn
>          read only = No
>          create mask = 0774
> [UVspool]
>          path = /UVDATA/spool
>          guest ok = Yes
> [emailorders]
>          path = /UVDATA/common/ediin/nova_orders
> [SH.BP]
>          path = /UVDATA/common/SH.BP
>          valid users = arp,alb,lac,jlk,p9n,apn
>          read only = No
> ++++++
>
> Rowland
>
> Thanks for everything Rowland!
>
> Bob Wyatt
>
>
>
>
Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit 
me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance 
of getting it to work.

Rowland
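
The two guest-access conflicts described in the quoted reply above ('guest ok' without 'map to guest', and 'guest ok' combined with a 'valid users' list that omits the guest account) can be checked mechanically. The following is an added example, not part of the original messages and not Samba project code; the function names and the sample configuration are constructed for illustration, and group entries in 'valid users' are assumed not to need expansion.

```python
import re
TRUE = {"yes", "true", "on", "1"}  # spellings Samba accepts for a boolean "yes"

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names normalised."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit_guest_access(text):
    """Return (share, problem) pairs for the two guest-access conflicts."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    guest_mapped = glob.get("maptoguest", "never").lower() != "never"
    guest_user = glob.get("guestaccount", "nobody").lower()
    findings = []
    for share, params in conf.items():
        # 'public' is a synonym for 'guest ok'
        if params.get("guestok", params.get("public", "no")).lower() not in TRUE:
            continue
        if not guest_mapped:
            findings.append((share, "guest ok set but map to guest is never"))
        # Assumption: plain user names only; @group / +group entries are not expanded
        allowed = [u.lower() for u in re.split(r"[,\s]+", params.get("validusers", "")) if u]
        if allowed and guest_user not in allowed:
            findings.append((share, f"valid users excludes guest account '{guest_user}'"))
    return findings

# Constructed sample input, not the configuration posted in the thread
SAMPLE = """
[global]
    security = ADS
[spool]
    guest ok = Yes
[reports]
    valid users = alice, bob
    guest ok = yes
[private]
    valid users = alice
"""
```

Calling audit_guest_access(SAMPLE) reports both guest shares until 'map to guest' is set in [global]; the 'valid users' conflict on [reports] remains after that change.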







