Vaughan, Robert J
2022-Dec-05 18:55 UTC
[Samba] SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
> I knew you were going to say that, but I am running a Solaris 11 domain member from OS package Samba that reports version 4.13.8 without winbind with several hundred users right now > > And same experience on Red Hat 7 and 8 (reported versions a bit different but newer than 4.8) > > It complains about no winbind in the logs but yet it works >>> If you read here (under the heading 'Samba 4.8.0'):>> https://urldefense.com/v3/__https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed__;!!BlOwZnr7TA!mkqAC6zlQT_E3OrhCnUwT30X3XjIAN3rbBFCSsu2pq0rzs5I28WxWMn8wL1xrYqwekJfQHCMPRzNgDCb$>> It states:>> Domain member setups require winbindd>> Setups with "security = domain" or "security = ads" require a running >> 'winbindd' now. The fallback that smbd directly contacts domain >> controllers is gone.>> So, unless I have understood it wrong, if you are running Samba as a >> Unix domain member, from version 4.8.0 you must run winbind.>> The only way around this that I can think of, is that Samba has been >> patched to allow smbd to work in the old way, where it could contact the >> domain controller directly.>> The other possibility is that you are not actually running a Unix domain >> member, you are running a standalone server.I can only imagine that the OS vendors did the patch you suggest. In fact when I had a ticket open with Oracle about it they did seem to suggest they had done something to keep the fallback working for a while, but could no longer do that Thanks, Robert Vaughan ---------------------------------------------------------------------- This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or act in reliance on it or its attachments. If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.
Philip Cunio
2022-Dec-06 22:46 UTC
[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
I apologize for the miscommunication and incomplete information. This is the situation. AIX system #1 was running AIX 7.1 with SAMBA 14.10.6. The AIX O/S of that system was upgraded to AIX 7.2. The SAMBA version has not changed (14.10.6). SAMBA continued to function as expected. AIX system #2 was running AIX 7.1 with SAMBA 14.14.4. The AIX O/S of that system was upgraded to AIX 7.2. The SAMBA version has not changed (14.14.4). SAMBA now requests credentials when an attempt is made to map a drive. The following error in the log for the device requesting the drive mapping: [2022/11/28 16:48:30.181656, 1]../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)gss_accept_sec_context failed with [ Miscellaneous failure (see text):Failed to find cifs/ xxxx at YYYYY.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)] The version of SAMBA is not changed when upgrading the AIX O/S. Both systems are stand alone SAMBA servers functioning to provide the ability for Windows Client devices to map drives to the AIX system. I will review the links provided in the other posts to see if they apply to my situation. Complete smb.conf for System #1 and #2 [global] workgroup = ZZZ realm = YYYYY.COM interfaces = 10.150.129.6 netbios name = xxxx security = ADS log file = /var/samba/log/log.%m log level = 3 passdb:5 auth:5 wins server = corp-zzz-dc2.yyyyy.com <http://corp-inm-dc2.inmar.com> password server = corp-zzz-dc2.yyyyy.com <http://corp-inm-dc2.inmar.com> socket address = 10.150.129.6 server min protocol = SMB2 server signing = mandatory create mask = 0666 follow symlinks = yes unix extensions = no [files] comment = flat files path = /data/unload/flat_files read only = No wide links = Yes [upload] comment = Informix group upload path = /data/unload/infmx_grp read only = No On Mon, Dec 5, 2022 at 1:56 PM Vaughan, Robert J via samba < samba at lists.samba.org> wrote:> > I knew you were going to say that, but I am running a Solaris 11 domain > member from OS package Samba that reports version 4.13.8 without winbind > with several hundred users right now > > > > And same experience on Red Hat 7 and 8 (reported versions a bit > different but newer than 4.8) > > > > It complains about no winbind in the logs but yet it works > > > > >> If you read here (under the heading 'Samba 4.8.0'): > > >> > https://urldefense.com/v3/__https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed__;!!BlOwZnr7TA!mkqAC6zlQT_E3OrhCnUwT30X3XjIAN3rbBFCSsu2pq0rzs5I28WxWMn8wL1xrYqwekJfQHCMPRzNgDCb$ > <https://urldefense.com/v3/__https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed__;!!BlOwZnr7TA!mkqAC6zlQT_E3OrhCnUwT30X3XjIAN3rbBFCSsu2pq0rzs5I28WxWMn8wL1xrYqwekJfQHCMPRzNgDCb$> > > >> It states: > > >> Domain member setups require winbindd > > >> Setups with "security = domain" or "security = ads" require a running > >> 'winbindd' now. The fallback that smbd directly contacts domain > >> controllers is gone. > > >> So, unless I have understood it wrong, if you are running Samba as a > >> Unix domain member, from version 4.8.0 you must run winbind. > > >> The only way around this that I can think of, is that Samba has been > >> patched to allow smbd to work in the old way, where it could contact > the > >> domain controller directly. > > >> The other possibility is that you are not actually running a Unix > domain > >> member, you are running a standalone server. > > I can only imagine that the OS vendors did the patch you suggest. In fact > when I had a ticket open with Oracle about it they did seem to suggest they > had done something to keep the fallback working for a while, but could no > longer do that > > Thanks, > > Robert Vaughan > > ---------------------------------------------------------------------- > This is an e-mail from General Dynamics Land Systems. It is for the > intended recipient only and may contain confidential and privileged > information. No one else may read, print, store, copy, forward or act in > reliance on it or its attachments. If you are not the intended recipient, > please return this message to the sender and delete the message and any > attachments from your computer. Your cooperation is appreciated. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > <https://lists.samba.org/mailman/options/samba> >-- ******************************************** ? *Inmar Confidentiality Note*:? This e-mail and any attachments are confidential and intended to be viewed and used solely by the intended recipient.? If you are not the intended recipient, be aware that any disclosure, dissemination, distribution, copying or use of this e-mail or any attachment is prohibited.? If you received this e-mail in error, please notify us immediately by returning it to the sender and delete this copy and all attachments from your system and destroy any printed copies.? Thank you for your cooperation. ? *Notice of Protected Rights*:? The removal of any copyright, trademark, or proprietary legend contained in this e-mail or any attachment is prohibited without the express, written permission of Inmar, Inc.? Furthermore, the intended recipient must maintain all copyright notices, trademarks, and proprietary legends within this e-mail and any attachments in their original form and location if the e-mail or any attachments are reproduced, printed or distributed. ? ********************************************