samba - Feb 2017 - Samba 4.5.3 on HP UX IA64 : smbclient - tree connect failed: NT_STATUS_CONNECTION_DISCONNECTED

Hi Rowland,

Thanks for your response.

In the below command , Could you please tell let us what is the
functionality of *"-U%" *,
since when i am using the below command only i am facing issue

smbclient -L localhost *-U% *


I have tested with other local users(created using pdbedit) as well and
getting expected result with below smb.conf

# Global parameters
[global]
        netbios name = <HostName>
        realm = <DomainName>
        workgroup = IN
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        xattr_tdb:file = /var/opt/samba/locks/xattr.tdb

[netlogon]
        path = /var/opt/samba/locks/sysvol/<DomainName>/scripts
        read only = No

[sysvol]
        path = /var/opt/samba/locks/sysvol
        read only = No




For eg : I have created the user "silam" using pdbedit

[/opt/samba/bin]# ./smbclient -L localhost -Usilam
Enter silam's password:
Domain=[IN] OS=[Windows 6.1] Server=[Samba 4.5.3-HPE CIFS SERVER 4.5.3.0]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.3-HPE CIFS SERVER
4.5.3.0)
Domain=[IN] OS=[Windows 6.1] Server=[Samba 4.5.3-HPE CIFS SERVER 4.5.3.0]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[/opt/samba/bin]#

[/opt/samba/bin]# ./smbclient //localhost/netlogon -Usilam -c 'ls'
Enter silam's password:
Domain=[IN] OS=[Windows 6.1] Server=[Samba 4.5.3-HPE CIFS SERVER 4.5.3.0]
  .                                   D        0  Tue Jan 31 17:53:48 2017
  ..                                  D        0  Tue Jan 31 17:54:30 2017

                26836992 blocks of size 1024. 14803416 blocks available
[/opt/samba/bin]#

Thanks,
Silambarasan M

On Fri, Feb 3, 2017 at 1:47 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 10:17:14 +0530
> Silambarasan Madhappan <silambarasan19 at gmail.com> wrote:
>
> > Hi  Rowland,
> >
> > Thanks for your response . I will check on this.
> > Even i have tried with commenting xattr_tdb:file > >
/var/opt/samba/locks/xattr.tdb in smb.conf and am getting same issue .
>
> By doing that, you have nowhere to store ACLS.
>
> >
> > To be more specific whether you're referring ACL as Windows ACL or
> > POSIX ACL or Extended ACL
>
> The way I look at it, you have Unix permissions (ugo) and everything
> else. On Linux you would install the 'acl' package and would then
be
> able to use setfacl to set ACLs on a dir or file. It is these ACLs that
> are being stored (or not) in 'xattr.tdb'. The line in your smb.conf
> file was added by the provision because it couldn't find anywhere else
> to store the ACLs. Unless your OS as a variant of the 'acl'
package, I
> cannot recommend using the OS for a Samba AD DC.
>
> >
> > In the below command "-U%" refers to nouser and no group ? .
> > smbclient -L localhost -U%
> >
> > I am able to get expected output if i specify with User like below .
> > smbclient -L localhost -UAdministrator
>
> This is probably because 'Administrator' is mapped to
'root' on a Samba
> AD DC.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 3 Feb 2017 15:17:33 +0530
Silambarasan Madhappan <silambarasan19 at gmail.com> wrote:
> Hi Rowland,
> 
> Thanks for your response.
> 
> In the below command , Could you please tell let us what is the
> functionality of *"-U%" *,
> since when i am using the below command only i am facing issue
> 
> smbclient -L localhost *-U% *
> 
> 
It allows you to logon anonymously.

Whilst you might think everything is working okay, I feel further down
the line you are going to have major problems and as such I cannot
recommend using your OS for running a Samba AD DC on, testing yes,
putting it into production, a very big NO.

Rowland

Hi Rowland,

On HP-UX, only ‘Posix ACL’ is supported. We don’t support “windows/Extended
ACLs” on HP-UX



It seems that Samba’s ADDC works only with Windows ACL’s. I found the
following note



https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

this has clearly mentioned that file sharing on ADDC works only with
Windows ACL’s



*You can check with Rowland below:*

On HP-UX , only ‘Posix ACL’s’ are supported. So, file sharing doesn’t seem
to be working on ADDC as it supports only Windows ACL’s as per
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Also, as per below link, it is not recommended to use ADDC as file sharing
service

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server



So, we will not be using ADDC as file server.



Can you please let us know if there is any other impact due to not
supporting Windows/Extended ACL’s.


Thanks,

Silambarasan M

On Fri, Feb 3, 2017 at 3:28 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 15:17:33 +0530
> Silambarasan Madhappan <silambarasan19 at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thanks for your response.
> >
> > In the below command , Could you please tell let us what is the
> > functionality of *"-U%" *,
> > since when i am using the below command only i am facing issue
> >
> > smbclient -L localhost *-U% *
> >
> >
>
> It allows you to logon anonymously.
>
> Whilst you might think everything is working okay, I feel further down
> the line you are going to have major problems and as such I cannot
> recommend using your OS for running a Samba AD DC on, testing yes,
> putting it into production, a very big NO.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Rowland,

On HP-UX , only ‘Posix ACL’s’ are supported. So, file sharing doesn’t seem
to be working on ADDC as it supports only Windows ACL’s as per
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Also, as per below link, it is not recommended to use ADDC as file sharing
service

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server



So, we will not be using ADDC as file server.



Can you please let us know if there is any other impact due to not
supporting Windows/Extended ACL’s.

Thanks,
Silambarasan M

On Fri, Feb 3, 2017 at 3:28 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 15:17:33 +0530
> Silambarasan Madhappan <silambarasan19 at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thanks for your response.
> >
> > In the below command , Could you please tell let us what is the
> > functionality of *"-U%" *,
> > since when i am using the below command only i am facing issue
> >
> > smbclient -L localhost *-U% *
> >
> >
>
> It allows you to logon anonymously.
>
> Whilst you might think everything is working okay, I feel further down
> the line you are going to have major problems and as such I cannot
> recommend using your OS for running a Samba AD DC on, testing yes,
> putting it into production, a very big NO.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>