Bob Wyatt
2019-Oct-29 22:47 UTC
[Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
My apologies (again!) for asking about this old, venerable release.

The client is upgrading to 4.10 or 4.11 in early December.

The AIX server was joined to a functional Windows 2000 domain in 2015.

The AD server has since been upgraded to functional Windows Server 2003 sometime since.

They have 2 AD servers - primary is Joe, secondary is Jane.

Joe has encountered severe Registry issues and needs to be taken offline.

The /etc/resolv.conf and smb.conf were updated to point to Jane; inetd was refreshed.

The AIX server will no longer allow Samba share access.

Change everything back to Joe, we're good to go again.

While everything is set for Joe:

net ads leave -U administrator%password says ads is not built in.

net rfc leave -U administrator%password says leave is unknown.

If we were to delete the member from AD, we can't join it (as ads isn't built in this version).

I think this pushes them into advancing the timetable on their Samba upgrade.

Is there anything else to be tried if they can't push up the schedule?
Rowland penny
2019-Oct-30 08:05 UTC
[Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
On 29/10/2019 22:47, Bob Wyatt via samba wrote:
> My apologies (again!) for asking about this old, venerable release.
>
> The client is upgrading to 4.10 or 4.11 in early December.
>
> The AIX server was joined to a functional Windows 2000 domain in 2015.
>
> The AD server has since been upgraded to functional Windows Server 2003
> sometime since.
>
> They have 2 AD servers - primary is Joe, secondary is Jane.
>
> Joe has encountered severe Registry issues and needs to be taken offline.
>
> The /etc/resolv.conf and smb.conf were updated to point to Jane; inetd was
> refreshed.
>
> The AIX server will no longer allow Samba share access.
>
> Change everything back to Joe, we're good to go again.
>
> While everything is set for Joe:
>
> net ads leave -U administrator%password says ads is not built in.
>
> net rfc leave -U administrator%password says leave is unknown.
>
> If we were to delete the member from AD, we can't join it (as ads isn't
> built in this version).
>
> I think this pushes them into advancing the timetable on their Samba
> upgrade.
>
> Is there anything else to be tried if they can't push up the schedule?

Just about everything you mention is EOL, so you can expect problems.

I personally would add a Samba DC, but before trying this, ensure that the AD DNS server is upgraded, see here:

https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

As for what is wrong with the 3.6.23 clients, we are going to have to see the smb.conf at least.

Rowland
Rowland penny
2019-Oct-30 18:54 UTC
[Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
On 30/10/2019 17:49, Bob Wyatt wrote:
> -----Original Message-----
> From: Rowland penny <rpenny at samba.org>
> Sent: Wednesday, October 30, 2019 4:06 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
>
> On 29/10/2019 22:47, Bob Wyatt via samba wrote:
>> My apologies (again!) for asking about this old, venerable release.
>>
>> The client is upgrading to 4.10 or 4.11 in early December.
>>
>> The AIX server was joined to a functional Windows 2000 domain in 2015.
>>
>> The AD server has since been upgraded to functional Windows Server 2003
>> sometime since.
>>
>> Sorry, Rowland - I need to find a better E-mail client for this than Outlook (or change my settings)...
>>
>> Anyway, not knowing whether attachments are accepted, here is an anonymized and shortened (not showing all of the shares) smb.conf file...
>> I added a comment for Joe and Jane...
>>
>> # Samba config file created using SWAT

That is something else that is dead, it no longer exists in supported Samba versions.

>> # from UNKNOWN (172.16.XXX.yy)
>> # Date: 2015/02/05 11:39:52
>>
>> [global]
>> interfaces = eth0 172.21.xx.yy/255.255.0.0
>> workgroup = domainname
>> security = domain

You really should be using 'security = ADS'

>> encrypt passwords = yes

That is a default setting

>> # Below changed to 172.16.aa.bb for Jane; is Joe's address
>> password server = 172.16.xx.yy

You should remove that line and allow Samba to find the AD DC

>> deadtime = 15
>> load printers = No
>> local master = No
>> remote announce = 172.16.255.255/domainname 172.20.255.255/domainname

'remote announce' is really meant for an NT4-style domain

>> case sensitive = Yes
>> hide dot files = No
>>
>> [homes]
>> path = /home/%u
>> valid users = fjf,root
>> admin users = fjf,root
>> read only = No
>> case sensitive = No

Have you only got two users (fjf & root)?

I ask this because they are the only users that will get a home dir

>>
>> [printers]
>> comment = All Printers
>> path = /tmp
>> guest ok = Yes
>> printable = Yes
>> browseable = No
>>

Now we come to the main problem, you do not seem to have any authentication lines.

Do you have your users in /etc/passwd and groups in /etc/group?

Rowland
Rowland penny
2019-Nov-02 08:24 UTC
[Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
On 01/11/2019 23:32, Bob Wyatt wrote:
>> -----Original Message-----
>> From: Rowland penny <rpenny at samba.org>
>> Sent: Wednesday, October 30, 2019 4:06 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 3.6.23 (IBM version), Windows AD at the functional 2003 level
>>
>> On 29/10/2019 22:47, Bob Wyatt via samba wrote:
>>> My apologies (again!) for asking about this old, venerable release.
>>>
>>> The client is upgrading to 4.10 or 4.11 in early December.
>>>
>>> The AIX server was joined to a functional Windows 2000 domain in 2015.
>>>
>>> The AD server has since been upgraded to functional Windows Server 2003
>>> sometime since.
>>>
>>> Sorry, Rowland - I need to find a better E-mail client for this than Outlook (or change my settings)...
>>>
>>> Anyway, not knowing whether attachments are accepted, here is an anonymized and shortened (not showing all of the shares) smb.conf file...
>>> I added a comment for Joe and Jane...
>>>
>>> # Samba config file created using SWAT
> That is something else that is dead, it no longer exists in supported
> Samba versions.
>>> # from UNKNOWN (172.16.XXX.yy)
>>> # Date: 2015/02/05 11:39:52
>>>
>>> [global]
>>> interfaces = eth0 172.21.xx.yy/255.255.0.0
>>> workgroup = domainname
>>> security = domain
>> You really should be using 'security = ADS'
> I can't really use ADS, as the IBM implementation of 3.6.23 appears to not have been built with ADS support

Active Directory expects 'ADS', it will probably work with 'domain', but only over 'RPC'

> As in it will use the nameserver in resolv.conf, or it goes hunting?

The code in Samba will find the best DC to use.

>
>>
>>> [homes]
>>> path = /home/%u
>>> valid users = fjf,root
>>> admin users = fjf,root
>>> read only = No
>>> case sensitive = No
>> Have you only got two users (fjf & root)?
>> I ask this because they are
>> the only users that will get a home dir
> I snipped the rest of the conf file, which was doing a bunch more shares for a bunch more users

Yes, but you have 'valid users = fjf,root' which means the only users that can connect are fjf and root

>> Now we come to the main problem, you do not seem to have any
>> authentication lines.
> Which doesn't really make sense...
> If I set password server to Joe's IP address, it works fine... no other edits.
> If I set password server to Jane's IP address, it does not work...
> With Joe, everything appears to be authenticated at the AD server.
>
>> Do you have your users in /etc/passwd and groups in /etc/group ?
> The users as described in smb.conf are in the /etc/passwd file as regular
> AIX system users... We are not using smb users or passwords, to my knowledge.

Then you are not using Samba, you need to have your users & groups in AD (and this computer joined to the domain) and mapped to Samba users & groups by having the relevant 'idmap config' lines in smb.conf

Rowland
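
The points raised against the posted smb.conf across this thread, collected into one check. This is an added example, not code from either poster or from the Samba project; the function names `parse_smb_conf` and `audit` and the wording of the findings are assumptions, and the sample file is a constructed cut-down of the anonymized one quoted above.

```python
import re

# Constructed sample, cut down from the anonymized smb.conf quoted in the thread.
SAMPLE = """\
[global]
    workgroup = domainname
    security = domain
    password server = 172.16.xx.yy
    remote announce = 172.16.255.255/domainname 172.20.255.255/domainname

[homes]
    valid users = fjf,root
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return one finding per point raised in the thread's review of the file."""
    g, out = conf.get("global", {}), []
    if g.get("security", "").lower() != "ads":
        out.append(f"security = {g.get('security', '(unset)')}: Active Directory expects 'ADS'")
    if "password server" in g:
        out.append("password server is set: Samba is not left to find the AD DC itself")
    if "remote announce" in g:
        out.append("remote announce is set: meant for NT4-style domains")
    if not any(k.startswith("idmap config") for k in g):
        out.append("no 'idmap config' lines: AD users and groups are not mapped")
    for name, params in conf.items():
        if name != "global" and "valid users" in params:
            out.append(f"[{name}] only these users can connect: {params['valid users']}")
    return out

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print("-", finding)
```

Run against the real file after the 4.x upgrade, an empty result means none of the five points from the thread still applies; it does not validate the rest of the configuration.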