Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

OpenVMS CIFS 1.1 problem

SOLVED
Go to solution

OpenVMS CIFS 1.1 problem

Everyone,

I installed CIFS for OpenVMS 1.1 on an AlphaServer ES40 runing OpenVMS V8.3 (with the latest OS Patches and CRTL Updates as of October 10, 2008) with TCP/IP Service for OpenVMS V5.6 ECO2. In an attempt to configure CIFS I performed the following steps:

1.) Using the AUTHORIZE Utility, copy the System Manager account to a new CIFS Administration
account, create the OpenvMS resource identifiers corresponding to the Windows predefined
Local and Domain groups (Administrators [L], Domain Admins, Domain Users, Domain Guests) and copy the SAMBA$TMPLT
account to a new machine account corresponding to the the domain controller:

$ SET DEFAULT SYS$SYSTEM:
$ RUN AUTHORIZE
UAF> COPY /FLAGS=(NODISUSER,PWDMIX)/DEVICE=SAMBA$ROOT:/DIRECTORY=[BIN]/LGICMD=SAMBA$DEFINE_COMMANDS.COM/UIC=[1,0]/PASSWORD="CIFSTest" SYSTEM CIFSADMIN
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$ADMINISTRATORS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$USERS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$GUESTS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$POWER_USERS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$ACCOUNT_OPERATORS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$SERVER_OPERATORS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$PRINT_OPERATORS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$BACKUP_OPERATORS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$DOMAIN_ADMINS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$DOMAIN_USERS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$DOMAIN_GUESTS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$DOMAIN_COMPUTERS
UAF> ADD/IDENTIFIER/ATTRIBUTE=RESOURCE CIFS$DOMAIN_CONTROLLERS
UAF> GRANT/IDENTIFIER CIFS$ADMINISTRATORS CIFSADMIN
UAF> COPY/FLAGS=DISUSER/UIC=[360,100]/PASSWORD=srvr1/nopwdlifetime SAMBA$TMPLT $
UAF> EXIT

2.) Add the following to the global section of the SAMBA$ROOT:[LIB]SMB.CONF file:

workgroup =
username map = /samba$root/lib/username.map
admin users = cifsadmin
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes

3.) Add the username mapping entry for the Windows Domain Administrator account name to the
SAMBA$ROOT:[LIB]username.map file:

CIFSADMIN= \Administrator

4.) Start CIFS:

$ @SYS$STARTUP:SAMBA$STARTUP.COM

5.) Define the local CIFS Administrator account to the CIFS user database:

$ @SAMBA$ROOT:[BIN]SAMBA$DEFINE_COMMANDS.COM
$!
$! Create the host's CIFS Administration account in the
$! CIFS Authentication database.
$!
$ PDBEDIT "-v" "-d0" "-a" CIFSADMIN "-U" 500
new password:CIFSAdmin
retype new password:CIFSAdmin
VMS username: cifsadmin
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3047386565-4175223335-2173056391-500
Primary Group SID: S-1-5-21-3047386565-4175223335-2173056391-513
Full Name:
Home Directory: \\srvr1\cifsadmin
HomeDir Drive:
Logon Script:
Profile Path: \\srvr1\cifsadmin\profile
Domain: ROBERTSON
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Sun, 07 Feb 2106 01:28:15 EST
Kickoff time: Sun, 07 Feb 2106 01:28:15 EST
Password last set: Wed, 09 Jul 2008 10:49:12 EDT
Password can change: Wed, 09 Jul 2008 10:49:12 EDT
Password must change: Sun, 07 Feb 2106 01:28:15 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6.) Add the Windows predefined Local and Domain groups corresponding to following
Well Known SID group mappings and add the CIFS administration account to the Local
Administrators group:

Group Type Windows Group Name Windows Well Known SID
---------- ------------------ -----------------------
Local Administrators S-1-5-32-544
Local Users S-1-5-32-545
Local Guests S-1-5-32-546
Local Power Users S-1-5-32-547
Local Account Operators S-1-5-32-548
Local Server Operators S-1-5-32-549
Local Print Operators S-1-5-32-550
Local Backup Operators S-1-5-32-551
Domain Domain Admins S-1-5--512
Domain Domain Users S-1-5--513
Domain Domain Guests S-1-5--514
Domain Domain Computers S-1-5--515
Domain Domain Controllers S-1-5--516

$ NET GROUPMAP ADD SID=S-1-5-32-544 TYPE=L NTGROUP="Administrators" UNIXGROUP=CIFS$ADMINISTRATORS
$ NET GROUPMAP ADD SID=S-1-5-32-545 TYPE=L NTGROUP="Users" UNIXGROUP=CIFS$USERS
$ NET GROUPMAP ADD SID=S-1-5-32-546 TYPE=L NTGROUP="Guests" UNIXGROUP=CIFS$GUESTS
$ NET GROUPMAP ADD SID=S-1-5-32-547 TYPE=L NTGROUP="Power Users" UNIXGROUP=CIFS$POWER_USERS
$ NET GROUPMAP ADD SID=S-1-5-32-548 TYPE=L NTGROUP="Account Operators" UNIXGROUP=CIFS$ACCOUNT_OPERATORS
$ NET GROUPMAP ADD SID=S-1-5-32-549 TYPE=L NTGROUP="Server Operators" UNIXGROUP=CIFS$SERVER_OPERATORS
$ NET GROUPMAP ADD SID=S-1-5-32-550 TYPE=L NTGROUP="Print Operators" UNIXGROUP=CIFS$PRINT_OPERATORS
$ NET GROUPMAP ADD SID=S-1-5-32-551 TYPE=L NTGROUP="Backup Operators" UNIXGROUP=CIFS$BACKUP_OPERATORS
$ NET GROUPMAP ADD RID=512 TYPE=D NTGROUP="Domain Admins" UNIXGROUP=CIFS$DOMAIN_ADMINS
$ NET RPC RIGHTS GRANT "\Domain Admins" "SeMachineAccountPrivilege" "SeTakeOwnershipPrivilege" "SeBackupPrivilege" "SeRestorePrivilege" "SeRemoteShutdownPrivilege" "SePrintOperatorPrivilege" "SeAddUsersPrivilege" "SeDiskOperatorPrivilege" "-U" "cifsadmin%CIFSAdmin"
$ NET RPC RIGHTS GRANT "Domain Admins" "SeMachineAccountPrivilege" "SeTakeOwnershipPrivilege" "SeBackupPrivilege" "SeRestorePrivilege" "SeRemoteShutdownPrivilege" "SePrintOperatorPrivilege" "SeAddUsersPrivilege" "SeDiskOperatorPrivilege" "-U" "cifsadmin%CIFSAdmin"
$ NET GROUPMAP ADD RID=513 TYPE=D NTGROUP="Domain Users" UNIXGROUP=CIFS$DOMAIN_USERS
$ NET GROUPMAP ADD RID=514 TYPE=D NTGROUP="Domain Guests" UNIXGROUP=CIFS$DOMAIN_GUESTS
$ NET GROUPMAP ADD RID=515 TYPE=D NTGROUP="Domain Computers" UNIXGROUP=CIFS$DOMAIN_COMPUTERS
$ NET GROUPMAP ADD RID=516 TYPE=D NTGROUP="Domain Controllers" UNIXGROUP=CIFS$DOMAIN_CONTROLLERS
$ NET RPC GROUP ADDMEM "Administrators" "cifsadmin" "-U" "cifsadmin%CIFSAdmin"

7.) Create the Domain controller's own machine trust account and Add
the Domain controller to its own domain and record the Domain SID:

$ PDBEDIT "-a" "-m" "-u"
$ NET RPC JOIN PDC "-S" "-U" "cifsadmin%CIFSAdmin"
$ DEFINE SYS$OUTPUT SAMBA$ROOT:[LIB]ROBERTSON_DOMAIN_SID.TXT
$ NET GETLOCALSID
$ DEASSIGN SYS$OUTPUT

8.) Initialize the required members for the well known groups:
$ net rpc group addmem "Administrators" "Domain Admins" "-U" "cifsadmin%CIFSTest"
$ net rpc group addmem "Users" "Domain Users" "-U" "cifsadmin%CIFSTest"
$ net rpc group addmem "Domain Users" "cifsadmin" "-U" "cifsadmin%CIFSTest"


All of this proceeded without incident until the very last item where I attempted to add the cifsadmin user to the Domain group "Domain Users" where the following message was returned:

Could not add cifsadmin to Domain Users: NT_STATUS_ACCESS_DENIED

After a little experimentation, it became apparent that attempting to modify the memberships of any of the created Domain groups resulted in this same message. Does anybody have any wisdom on what the problem might be? From the Documentation I read on the SAMBA web site this should work.

Thanks in advance for any assistance.

Eric
4 REPLIES
Ian Miller.
Honored Contributor

Re: OpenVMS CIFS 1.1 problem

Did you report this to HP?

____________________
Purely Personal Opinion
Mark Iline
Occasional Advisor

Re: OpenVMS CIFS 1.1 problem

> Did you report this to HP?

That's not an option for a number of people.

In spite of having update support, HP aren't interested in hearing about any problems we experience.

Whilst I'm not expecting my problems fixed for free, I find this disappointing.
Ian Miller.
Honored Contributor
Solution

Re: OpenVMS CIFS 1.1 problem

Fill in the form at

http://h71000.www7.hp.com/network/fb_cifs.html

____________________
Purely Personal Opinion
Robert Atkinson
Respected Contributor

Re: OpenVMS CIFS 1.1 problem

FYI :-

DELTA_ROB$$ @SAMBA$DEFINE_COMMANDS.COM
DELTA_ROB$$ addshare
%DCL-W-ACTIMAGE, error activating image SAMBA$ROOT:[BIN.ALPHA]SAMBA$ADDSHARE.EXE;
-CLI-E-IMAGEFNF, image file not found $1$DGA150:[SYS0.SYSCOMMON.SAMBA.][BIN.ALPHA]SAMBA$ADDSHARE.EXE;
DELTA_ROB$$