Arendt, Volker
2009-Jun-09 15:50 UTC
[Samba] Authentication problem with samba 3.3.4 on AIX 5.3
Hello all,

we currently do have a problem with samba 3.3.4 on AIX 5.3.
We have set up the samba system to integrate in our AD Domain.
Integration was successful (net ads join), wbinfo executes with parameters
-ugt without any problems.
Our smb.conf content follows at the end of this mail.

We have defined just one share as follows:
[smbtest]
writeable = yes
path = /gpfs/fbb/ls/cip
valid users =

When we connect from a Windows XP System we get the following error
message:
---
C:\Programme\Support Tools>net use p: \\frigg\smbtest
Systemfehler 2239 aufgetreten.

Dieses Benutzerkonto ist abgelaufen.
---
translated: user account has expired

In the system log file we get:
---------------------------------------------------------------------------------
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
  Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_alloc(133)
  Finding user FB6+AdmMJ
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(77)
  Trying _Get_Pwnam(), username as lowercase is fb6+admmj
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(110)
  Get_Pwnam_internals did find user [FB6+AdmMJ]!
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(472)
  smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 132.195.123.104
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(498)
  smb_pam_start: PAM: setting tty
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(506)
  smb_pam_start: PAM: Init passed for user: admmj
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_account(564)
  smb_pam_account: PAM: Account Management for User: admmj
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_account(571)
  smb_pam_account: PAM: User admmj no longer permitted to access system
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has expired
[2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_end(450)
  smb_pam_end: PAM: PAM_END OK.
---------------------------------------------------------------------------------

An error log, debug level 10 is available on request.

Kind regards

Volker


SMB.CONF
------------------------------------------------------------------------------
[global]

# --------------------------------------------------------
# setting base configuration parameters
#
# --------------------------------------------------------
workgroup = FB6
netbios name = FRIGG
server string = AFS-2
security = ADS
realm = FB6.UNI-WUPPERTAL.DE
auth methods = winbind
# password server = AD logon server
password server = 132.195.120.9 132.195.120.12
wins server = 132.195.120.12
client use spnego = yes
client signing = yes
# added because of ticket #5344
#client lanman auth = no
#client ntlmv2 auth = yes
encrypt passwords = yes
host msdfs = no
#domain logons = yes

# for Samba 3.3.0
# so that no encrypted connection to the Domain Controller
# is established
ldap ssl = no

# ---------------------------------------------------------
# printer settings
# ??? better disable these settings ???
# ---------------------------------------------------------
# printcap name = cups
# disable spoolss = Yes
# show add printer wizard = No

# ---------------------------------------------------------
# ID mapping parameters
# mapping windows users to unix users
# this is performed on the basis of sid on windows and
# unix with uid for users and gid for groups
# the backend parameter rid allows to get the same mapping
# from sid to uid because it is determined algorithmically
# that way we get the same mapping even if we use samba on
# several disparate systems
# CHANGE NOTIFICATION: with v3.3.0 there are changes
# to idmap; idmap domains is no longer supported
# ---------------------------------------------------------
#idmap domains = FB6
#idmap backend = rid
idmap backend = tdb
idmap config FB6:backend = rid
#idmap config FB6:base_rid = 0
idmap config FB6:range = 10000 - 49999
idmap uid = 10000-49999
idmap gid = 10000-49999

winbind separator =+
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
winbind gid = 10000-49999
winbind uid = 10000-49999

template homedir = /gpfs/fbb/user/%U
template shell = /opt/pware/bin/bash
#use sendfile = Yes
#printing = cups
#ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"

#-------------------------------------------------------
# Logging options
#
#-------------------------------------------------------
#
# higher log levels have a negative impact on performance
log level = 10
log file = /opt/pware/var/log/samba.log.%m
max log size = 5000000
debug timestamp = yes
obey pam restrictions = yes
#utmp = yes

#-------------------------------------------------------
# ACL Support
#
#-------------------------------------------------------
map acl inherit = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
admin users = @"FB6+domain admins"

#-------------------------------------------------------
# Performance options
#
#-------------------------------------------------------
socket options = TCP_NODELAY IPTOS_LOWDELAY
include = /opt/pware/lib/fbb-projekte.conf
William Jojo
2009-Jun-09 17:16 UTC
[Samba] Authentication problem with samba 3.3.4 on AIX 5.3
Arendt, Volker wrote:
> Hello all,
>
> we currently do have a problem with samba 3.3.4 on AIX 5.3.
> We have set up the samba system to integrate in our AD Domain.
> Integration was successful (net ads join), wbinfo executes with parameters
> -ugt without any problems.
> Our smb.conf content follows at the end of this mail.
>
> We have defined just one share as follows:
> [smbtest]
> writeable = yes
> path = /gpfs/fbb/ls/cip
> valid users =
>
> When we connect from a Windows XP System we get the following error
> message:
> ---
> C:\Programme\Support Tools>net use p: \\frigg\smbtest
> Systemfehler 2239 aufgetreten.
>
> Dieses Benutzerkonto ist abgelaufen.
> ---
> translated: user account has expired
>
> In the system log file we get:
> ---------------------------------------------------------------------------------
> [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
>   Mapped to [FB6] (using PAC)
> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_alloc(133)
>   Finding user FB6+AdmMJ
> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(77)
>   Trying _Get_Pwnam(), username as lowercase is fb6+admmj
> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(110)
>   Get_Pwnam_internals did find user [FB6+AdmMJ]!
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(472)
>   smb_pam_start: PAM: Init user: admmj
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
>   smb_pam_start: PAM: setting rhost to: 132.195.123.104
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(498)
>   smb_pam_start: PAM: setting tty
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(506)
>   smb_pam_start: PAM: Init passed for user: admmj
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_account(564)
>   smb_pam_account: PAM: Account Management for User: admmj
> [2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_account(571)
>   smb_pam_account: PAM: User admmj no longer permitted to access system
> [2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
>   smb_pam_error_handler: PAM: Account Check Failed : User account has expired
> [2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_end(450)
>   smb_pam_end: PAM: PAM_END OK.
> ---------------------------------------------------------------------------------
>

Hey, Volker. It's been a while.

Couple of questions:

1) What does /etc/pam.conf look like and
2) What does /opt/pware/lib/fbb-projekte.conf look like?

Glad to see you are still using the pWare stuff. :-) :-)

How is your cluster testing going? I need to contact Miguel again to see how he is making out.

Cheers,
Bill

> An error log, debug level 10 is available on request.