In some spare time, been trying to get Samba 4.10.6-1 working on AIX.

Several earlier posts handled by Louis and Rowland. Which were much appreciated and beneficial.

Using this stripped (leaving comments out of it) GLOBALS section of smb.conf:

[global]
    workgroup = boost
    realm = BOOST.COM
    server string = Samba Server Version %v
    interfaces = lo eth0 172.21.10.2/255.255.0.0
    case sensitive = Yes
    hide dot files = No
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config boost : backend = rid
    idmap config boost : range = 10000 - 49999
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ADS
    passdb backend = tdbsam
    encrypt passwords = yes
    deadtime = 15
    local master = no
    load printers = no
    cups options = raw

The testparm command reports no issues.

Can't start Samba, as it wants winbindd. Not unexpected.
Can't start winbindd, as it wants to be joined to the domain first. Not unexpected.

Net ADS join MEMBER doesn't ask for an Administrator ID or password; instead, it asks for root's password.

Which I don't think it should do, since the net command was run as the root user, and I'm trying to join a Windows domain, not adding this server to a Samba domain.

Am I being "paranoid"? Does it usually ask for the root password?

I haven't supplied it and tried to continue - figured it would make more of a mess if I did.

Have I not set something correctly in the Globals above? (The shares were stripped out, as I'm not trying to get that far yet)

Any other Samba advice?

Anything and everything appreciated!

Regards,

Bob Wyatt

On 27/02/2020 00:51, Bob Wyatt via samba wrote:
> In some spare time, been trying to get Samba 4.10.6-1 working on AIX.
>
> Can't start Samba, as it wants winbindd. Not unexpected.
> Can't start winbindd, as it wants to be joined to the domain first. Not
> unexpected.

You shouldn't start Samba until it has joined the domain.

> Net ADS join MEMBER doesn't ask for an Administrator ID or password;
> instead, it asks for root's password.
>
> Which I don't think it should do, since the net command was run as the root
> user, and I'm trying to join a Windows domain, not adding this server to a
> Samba domain.

Well, whose password do you think that you should be asked for? You are running it as root, so that is the password you will be asked for, unless you use the correct command ;-)

> Am I being "paranoid"? Does it usually ask for the root password?

Possibly and yes, in that order ;-)

> I haven't supplied it and tried to continue - figured it would make more of
> a mess if I did.

No, it probably just wouldn't have worked. Try the join command like this:

    net ads join -U Administrator

You can replace 'Administrator' with another domain user with permissions to join machines to the domain.

> Have I not set something correctly in the Globals above?

I would have written it differently, you have default lines and you have given the default domain '999999' IDs, something where '1000' would be too many. You also do not have a 'vfs objects' line, now I do not know what filesystem AIX uses, but on an ext4 filesystem, you would use 'vfs objects = acl_xattr'.

I would also add this line:

    username map = /etc/samba/user.map

Then create /etc/samba/user.map containing this:

    !root = BOOST\Administrator

This would then map 'Administrator' to 'root' and allow administration from Windows.

> Any other Samba advice?

Probably, but let's get your computer joined to the domain first ;-)

Rowland

On 28/02/2020 23:22, Bob Wyatt wrote:
> Hi, Rowland,
>
> Joined the domain successfully.
> Winbindd and smbd started without error.
>
> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.

There are several problems with your shares.

You have 'guest ok = yes' in a few of them, but guest access will still be denied because you do not have 'map to guest = bad user' in [global].

In one share you have 'valid users' and 'guest ok = yes', but this can never work (even after you fix the 'map to guest' problem) because the user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid users'.

If this was using an ext4 filesystem (or similar), I would suggest adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A bit of investigation turned up 'vfs_aixacl2' which I think will do the same thing, try running 'man vfs_aixacl2', if this doesn't work, see here:
https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt

If it does work similar to 'vfs_acl_xattr', you should be able to set the permissions from Windows (I am taking it that you do have Windows clients) and remove the 'valid users' etc.

Rowland
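
The two guest-access conditions described in the reply above can be checked mechanically before restarting smbd. The following is an added example, not part of the original thread and not Samba's own tooling: a small Python linter run over a constructed smb.conf. The share name [reports], its path, and the fallback guest account 'nobody' when 'guest account' is unset are assumptions made for illustration.

```python
# Added example (not from the thread): flag the two guest-access problems
# described above in an smb.conf. All sample data below is constructed.

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings listed in smb.conf(5)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased and
    whitespace-normalised. Comment lines (# or ;) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def split_users(value):
    # 'valid users' entries may be separated by commas and/or whitespace.
    # Group entries (@group, +group) are NOT expanded by this sketch.
    return {u.lower() for u in value.replace(",", " ").split()}


def lint_guest_access(text):
    """Return a list of (share, message) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mapping = glob.get("map to guest", "never").lower()    # unset means never
    guest = glob.get("guest account", "nobody").lower()    # assumed fallback
    findings = []
    for share, params in conf.items():
        if share == "global" or not is_true(params.get("guest ok")):
            continue
        if mapping == "never":
            findings.append((share, "guest ok = yes, but [global] has no "
                                    "'map to guest = bad user'"))
        users = split_users(params.get("valid users", ""))
        if users and guest not in users:
            findings.append((share, "guest ok = yes, but 'valid users' does "
                                    f"not include guest account '{guest}'"))
    return findings


# Constructed sample: the state the reply describes.
BEFORE = """
[global]
    security = ADS
    log file = /var/log/samba/log.%m
[spool]
    path = /spool
    guest ok = Yes
[reports]
    path = /data/reports
    valid users = arp,lac
    guest ok = Yes
[SH.BP]
    path = /UVDATA/common/SH.BP
    valid users = arp,alb
"""

# Constructed sample: same shares after applying both pieces of advice.
AFTER = """
[global]
    security = ADS
    map to guest = bad user
    log file = /var/log/samba/log.%m
[spool]
    path = /spool
    guest ok = Yes
[reports]
    path = /data/reports
    guest ok = Yes
[SH.BP]
    path = /UVDATA/common/SH.BP
    valid users = arp,alb
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for share, message in lint_guest_access(sample) or [("-", "no findings")]:
            print(f"  [{share}] {message}")
```

testparm accepts both samples as syntactically valid, which is why a check like this has to look at how the parameters combine rather than at each one alone.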

From: Rowland penny <rpenny at samba.org>
Sent: Saturday, February 29, 2020 8:48 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 28/02/2020 23:22, Bob Wyatt wrote:
> Hi, Rowland,
>
> Joined the domain successfully.
> Winbindd and smbd started without error.
>
> Cannot access a share - reports "The mapped network drive could not be created because the following error has occurred: A device attached to the system is not functioning." Attached if preferred.

There are several problems with your shares.

You have 'guest ok = yes' in a few of them, but guest access will still be denied because you do not have 'map to guest = bad user' in [global].

In one share you have 'valid users' and 'guest ok = yes', but this can never work (even after you fix the 'map to guest' problem) because the user 'nobody' (or whoever the guest user is on AIX) is not in the 'valid users'.

++++++

Rowland, the above recommendations were implemented; shares no longer used have been deleted.

++++++

If this was using an ext4 filesystem (or similar), I would suggest adding 'vfs_objects = acl_xattr' to [global], but this is jfs2 on AIX. A bit of investigation turned up 'vfs_aixacl2' which I think will do the same thing, try running 'man vfs_aixacl2', if this doesn't work, see here:
https://fossies.org/linux/misc/samba-4.11.6.tar.gz/samba-4.11.6/source3/modules/README.nfs4acls.txt

If it does work similar to 'vfs_acl_xattr', you should be able to set the permissions from Windows (I am taking it that you do have Windows clients) and remove the 'valid users' etc.

++++++
Rowland,

Unfortunately, man on vfs_aixacl2 is not fruitful.

The fossies reference dates back to 2013, so not sure which portions of it, if any, remain valid today. This (documentation) has been somewhat of a struggle on my part, as most of the documentation still says Samba3. As you once suggested, I'd be better off forgetting everything I knew (which wasn't much) about Samba3. Knowing which part of the "older" documentation still applies is, well, a mystery.

With Samba4 for AIX as distributed by IBM, these man pages are available:

/opt/freeware/man/man8/vfs_acl_tdb.8
/opt/freeware/man/man8/vfs_acl_xattr.8
/opt/freeware/man/man8/vfs_nfs4acl_xattr.8
/opt/freeware/man/man8/vfs_zfsacl.8

These "file system" acl libraries are available:

/opt/freeware/lib/samba/vfs/acl_tdb.so
/opt/freeware/lib/samba/vfs/acl_xattr.so

There are no *nfs*.so files on the system.

I'm starting to "fear" it is time to uninstall the Samba from IBM and go with Samba from Samba.
Did see the Samba+ page, but am unsure if
We are using IBM's version of OpenSSH, so that would have to be investigated as well...

Unless, of course, you have more sage advice you're willing to share.

After the adjustments to the smb.conf file, whether guest or as a user, access to Samba shares remains elusive.

The current config file:

[global]
    workgroup = workgroup
    realm = WORKGROUP.COM
    server string = Samba Server Version %v
    interfaces = lo eth0 172.21.10.2/255.255.0.0
    case sensitive = Yes
    hide dot files = No
    idmap config * : backend = tdb
    idmap config * : range = 20000-20499
    idmap config boost : backend = rid
    idmap config boost : range = 10000 - 11999
    username map = /etc/samba/user.map
    map to guest = bad user
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ADS
    passdb backend = tdbsam
    encrypt passwords = yes
    deadtime = 15
    local master = no
    load printers = no
    cups options = raw

#============================ Share Definitions =============================
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
[spool]
    comment = Spooled Files
    path = /spool
    read only = No
    create mask = 0666
    guest ok = Yes
[SEI.BP]
    path = /UVDATA/SEI.II/SEI.BP
    valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
    read only = No
[MSBP]
    comment = MS/MSBP file
    path = /UVDATA/MSP/MS_MSBP/MS_MSBP
    valid users = lac,alb,arp,jlk,p9n,apn
    read only = No
[TEST.BP]
    path = /shumsky/SEI.II/SEI.II/TEST.BP
    valid users = mh,arp,p9n,apn
    read only = No
[archives]
    comment = archive directory
    path = /common/archives
    valid users = kth,4kth,bobwyatt,lac,arp,snc,bam,ksd,ftp,sap,administrator,smbshum,edr,cmr,jlh,stu,jlk,apn
    admin users = arp,lac,p9n,apn
    read only = No
    create mask = 0776
    directory mask = 0776
    inherit permissions = Yes
[mainlab]
    path = /tmp
    printable = Yes
[HOW.TO]
    path = /UVDATA/common/HOW.TO
    valid users = arp
    read only = No
[root]
    path = /
    valid users = arp,p9n,apn
    read only = No
    create mask = 0774
[UVspool]
    path = /UVDATA/spool
    guest ok = Yes
[emailorders]
    path = /UVDATA/common/ediin/nova_orders
[SH.BP]
    path = /UVDATA/common/SH.BP
    valid users = arp,alb,lac,jlk,p9n,apn
    read only = No
++++++

Rowland

Thanks for everything Rowland!

Bob Wyatt

On 26/03/2020 20:08, Bob Wyatt wrote:
> Thanks for everything Rowland!
>
> Bob Wyatt

Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance of getting it to work.

Rowland

Rowland,

Checking with the IBM website, they now offer 4.10.13 for AIX. After viewing that installation file (without installing), still not seeing the nfs or jfs acl libraries/files. Peeked at 4.11.7 on the website, also don't see these files.

Per chance, are these delivered in some other (not the standard samba) installation file?

If that answer is no... I still need to make it work as we have it.

Is there a document that is more informative about rid setup, ACL management on AIX, or other setup/configuration options I can leverage to make this work?

It doesn't appear that the general samba files will help me in this quest, so reverting from IBM's samba version to the general samba version wouldn't seem to be viable.

I have sent an inquiry to Samba+ about their solutions...

Are you aware of from whom I can solicit further counsel on this installation/configuration?

Or how about setting this up so anyone can access the data with authenticating - anonymous/nobody usage? Do I still need rid and the other facets of user administration on AIX going with nobody?

I have seen others inquiring about AIX installations - is it improper for me to reach out to them privately?

I know AIX isn't your forte - is there another group or person (besides Samba+) that may have that expertise to whom you could refer me?

Thank you for everything, Rowland; I truly appreciate all of your help!

Regards,

Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Thursday, March 26, 2020 5:25 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 26/03/2020 20:08, Bob Wyatt wrote:
> Thanks for everything Rowland!
>
> Bob Wyatt

Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance of getting it to work.

Rowland

Rowland,

The wiki suggested doing "smbd -b | grep HAVE_LIBACL" and expecting to get back "HAVE_LIBACL". This is not the case on our IBM system with 4.10.6. The current version from IBM is 4.10.13 - considering upgrading in the hopes "HAVE_LIBACL" is present if I really need it.

On the other hand, "smbd -b" does report that smbd was built with vfs_aixacl and vfs_aixacl2.

Builtin modules:
    vfs_default vfs_not_implemented auth_builtin auth_sam auth_winbind vfs_aixacl vfs_aixacl2 nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap

However, man does not return man page information for either.

Before I add that to the config file and test that out...

Do my valid users need to be in the form of bob.wyatt at boost.com instead of what you see below? Would it be simpler to do that, or it won't work?

Users testing shares still can't access them - device not ready...

The wbinfo --ping-dc command was successful. I'm feeling like we're a lot closer - maybe not having to back off...

Your thoughts, sir (I am keeping in mind that AIX is a foreign entity)... but hopefully I'm back to Samba config issues?

Regards,

Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Thursday, March 26, 2020 5:25 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] net ADS join MEMBER

On 26/03/2020 20:08, Bob Wyatt wrote:
> [SEI.BP]
> path = /UVDATA/SEI.II/SEI.BP
> valid users = kth,4kth,p9n,alb,arp,bobwyatt,lac,jlk,apn
> read only = No
> [MSBP]
> comment = MS/MSBP file
> path = /UVDATA/MSP/MS_MSBP/MS_MSBP
> valid users = lac,alb,arp,jlk,p9n,apn
> read only = No

Sorry, but I wouldn't know an AIX machine, even if it jumped up and bit me ;-) (local saying)

If you can upgrade to something more recent, you stand a better chance of getting it to work.

Rowland