[gpfsug-discuss] Supported samba options

Wed Sep 21 11:26:21 BST 2022

Thank you Christof,

We are on 5.1.1. 
When our system was setup our IBM setup engineer spoke with dev, and he setup the 'net use' features we are currently using.
Very glad to hear not only are 'force user' and 'force group' now in mmsmb, but so are 'host allow' and 'host deny'.
Looks like a further delay while we upgrade to 5.1.3...

Thank you very much for this info.

Btw, with the exportacl command it mentions 'user, group and system'
I can't see it mention anywhere the acceptable uses of 'system'.
Is it just the AD name of a server, or can it be IP address? 

Kindest regards,
Paul

Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: p.ward at nhm.ac.uk

-----Original Message-----
From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> On Behalf Of Christof Schmitt
Sent: 16 September 2022 17:16
To: gpfsug-discuss at gpfsug.org
Subject: Re: [gpfsug-discuss] Supported samba options

On Fri, 2022-09-16 at 10:02 +0000, Paul Ward wrote:
> But we are already using 'hosts deny', 'hosts allow' and 'valid users' 
> which appear to have been implemented.
> Is there a document showing what is implemented, rather than just 
> supported.

Samba has a vast list of config options, that can be seen in the smb.conf manpage (man smb.conf). Testing all possible combinations for Scale is not feasible, and some features also do not interact well with the clustered SMB server usecase on the CES nodes. So for Scale the answer is: Only the SMB options exposed through mmsmb and the GUI are tested and supported.

You can try others, but do not expect support. The official way to get more options supported (through mmsmb) is to request this through an RFE.

> If there are supported commands, that replace the three I have 
> mentioned (and force user/ force group) please let me know.

"force user" and "force group" have been added in 5.1.3:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fspectrum-scale%2F5.1.3%3Ftopic%3Dreference-mmsmb-command&data=05%7C01%7Cp.ward%40nhm.ac.uk%7C1438ba12c059478e1af808da97ff60a8%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637989420333181309%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=11zzcZ4J7q1MYHjNZkzxB91%2BXR1OXsfXDnQt4PZ%2FoZ8%3D&reserved=0
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fspectrum-scale%2F5.1.3%3Ftopic%3Dsummary-changes&data=05%7C01%7Cp.ward%40nhm.ac.uk%7C1438ba12c059478e1af808da97ff60a8%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637989420333181309%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1fS1uYsI3Q2BqY72RRPrKGSOJvzn9IeoAhVcfgifqvw%3D&reserved=0

> We have shares where we want to restrict access to one of more 
> servers, no password required.
> And shares where we want to restrict access to multiple AD users, 
> currently not specified in AD groups, although that is an option.

Restricting access to a SMB share can be done with SMB share ACLs. That is essentially a second layer of ACLs, specific to SMB:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fspectrum-scale%2F5.1.3%3Ftopic%3Dshares-creating-smb-share-acls&data=05%7C01%7Cp.ward%40nhm.ac.uk%7C1438ba12c059478e1af808da97ff60a8%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637989420333181309%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=C040Ar8cvc%2BOWLZ12jHNedczxrzmYsAPdW%2FbXWq60No%3D&reserved=0

Regards,

Christof
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss_gpfsug.org&data=05%7C01%7Cp.ward%40nhm.ac.uk%7C1438ba12c059478e1af808da97ff60a8%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637989420333181309%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CwbjVuElOqctr8beWl28UxkrfhHttX9jyJjQOmB2qnQ%3D&reserved=0