samba - Nov 2015 - Samba4 DC is not visible in network neighborhood

Greetings, Viktor Trojanovic!
>> Is there at last a solution? I've only found questions, in the
list, and on
>> the network.
>>
>> The issue is that DC built on Samba4 does not report to network
browsers
>> neither it is participating in election to become browser itself.
>> Consequently, it is not visible in the neighborhood neither on Windows,
nor on
>> Linux.
>>
>> I've managed to force a second Linux host (member server) become a
local
>> browser. At least, I can see it and other hosts now. But not the DC
itself.
>>
>>
> Hi Andrey,
> In that case you did exactly what you were supposed to do. :)
> Browsing is turned off for the DC by design, and this will not change. 
> Use member servers to implement browsing.
And how am I supposed to address the DC then?
For all my attempts, I've had to conclude that member servers can't be
configured to manage shares with native ACL's. No matter what I do, I always
get "access denied" on a member server when trying to setup share
permissions
on a member server using Windows tools.
So far, the only solution was to move ACL-sensitive services to the DC.
But this is really not a solution. Only a workaround.


-- 
With best regards,
Andrey Repin
Saturday, November 21, 2015 21:30:23

Sorry for my terrible english...

On 21/11/15 18:33, Andrey Repin wrote:
> Greetings, Viktor Trojanovic!
>
>>> Is there at last a solution? I've only found questions, in the
list, and on
>>> the network.
>>>
>>> The issue is that DC built on Samba4 does not report to network
browsers
>>> neither it is participating in election to become browser itself.
>>> Consequently, it is not visible in the neighborhood neither on
Windows, nor on
>>> Linux.
>>>
>>> I've managed to force a second Linux host (member server)
become a local
>>> browser. At least, I can see it and other hosts now. But not the DC
itself.
>>>
>>>
>> Hi Andrey,
>> In that case you did exactly what you were supposed to do. :)
>> Browsing is turned off for the DC by design, and this will not change.
>> Use member servers to implement browsing.
> And how am I supposed to address the DC then?
> For all my attempts, I've had to conclude that member servers can't
be
> configured to manage shares with native ACL's. No matter what I do, I
always
> get "access denied" on a member server when trying to setup share
permissions
> on a member server using Windows tools.
> So far, the only solution was to move ACL-sensitive services to the DC.
> But this is really not a solution. Only a workaround.
>
>
What do you mean 'native ACLs' ?
you should be able to manage access to a share on a domain member from a 
windows machine, see this page on the wiki: 
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

If you follow the various pages on the wiki, you should be able make it 
work, if you cannot, you are doing something wrong.

Rowland

Greetings, Rowland Penny!
>>>> Is there at last a solution? I've only found questions, in
the list, and on
>>>> the network.
>>>>
>>>> The issue is that DC built on Samba4 does not report to network
browsers
>>>> neither it is participating in election to become browser
itself.
>>>> Consequently, it is not visible in the neighborhood neither on
Windows, nor on
>>>> Linux.
>>>>
>>>> I've managed to force a second Linux host (member server)
become a local
>>>> browser. At least, I can see it and other hosts now. But not
the DC itself.
>>>>
>>>>
>>> Hi Andrey,
>>> In that case you did exactly what you were supposed to do. :)
>>> Browsing is turned off for the DC by design, and this will not
change.
>>> Use member servers to implement browsing.
>> And how am I supposed to address the DC then?
>> For all my attempts, I've had to conclude that member servers
can't be
>> configured to manage shares with native ACL's. No matter what I do,
I always
>> get "access denied" on a member server when trying to setup
share permissions
>> on a member server using Windows tools.
>> So far, the only solution was to move ACL-sensitive services to the DC.
>> But this is really not a solution. Only a workaround.
>>
>>
> What do you mean 'native ACLs' ?
Err, okay, "windows ACL's", not "native (POSIX)". Was
writing in a
less-than-sane state of mind.
> you should be able to manage access to a share on a domain member from a 
> windows machine,
Should be, that much I've gathered from wiki. But it is already nine months
that I'm unable to implement it.
> see this page on the wiki:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> If you follow the various pages on the wiki, you should be able make it 
> work, if you cannot, you are doing something wrong.
So, what I'm doing wrong? I've followed the wiki multiple times to the
point.
If you have any diagnostics in mind, please suggest, because this is tiring.

The smb.conf is attached, the member server do see the users correctly.

# wbinfo -i domainuser
domainuser:*:10000:513::/home/domainuser:/bin/bash

# getent passwd domainuser
domainuser:*:10000:513::/home/domainuser:/bin/bash


-- 
With best regards,
Andrey Repin
Sunday, November 22, 2015 12:01:09

Sorry for my terrible english...
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: smb.conf.txt
URL:
<http://lists.samba.org/pipermail/samba/attachments/20151122/e2c54367/smb.conf.txt>