Ed.Pluskwa at cit.com
2012-Feb-13 16:02 UTC
[Samba] Samba 3.6.0.0 w/AD Support on AIX 6.1 - Error w/Authentication
Hello,
I've installed the pware AIX 64bit version of Samba and support filesets but
I am having an issue with authentication between the local server user and the
equivalent AD user of our domain and it will not mount the respective Samba
share on my Windows desktop. Here is how our environment is setup:
# oslevel -s
6100-05-05-1112
root at livaixdssit01 [ /opt/pware64 ]
# lslpp -L | grep -i pware
pware61-64.base.rte 6.1.0.0 C F 64-bit pWare base for 6.1
pware61-64.bdb.rte 4.8.30.0 C F Berkeley DB 4.8.30 (64-bit)
pware61-64.cyrus-sasl.rte
pware61-64.gettext.rte 0.18.1.1 C F GNU gettext 0.18.1.1 (64-bit)
pware61-64.krb5.rte 1.9.1.0 C F MIT Kerberos 1.9.1 (64-bit)
pware61-64.libiconv.rte 1.13.1.0 C F GNU libiconv 1.13.1 (64-bit)
pware61-64.libtool.rte 2.4.0.0 C F GNU libtool 2.4 (64-bit)
pware61-64.ncurses.rte 5.9.0.0 C F ncurses 5.9 (64-bit)
pware61-64.openldap.rte 2.4.23.0 C F OpenLDAP 2.4.23 (64-bit)
pware61-64.openssl.rte 0.9.8.18 C F OpenSSL 0.9.8r (64-bit)
pware61-64.popt.rte 1.16.0.0 C F popt 1.16 (64-bit)
pware61-64.readline.rte 6.2.0.0 C F GNU readline 6.2 (64-bit)
pware61-64.samba.rte 3.6.0.0 C F Samba 3.6.0 (64-bit)
pware61-64.zlib.rte 1.2.5.0 C F zlib 1.2.5 (64-bit)
[global]
workgroup = CITNET
netbios name = livaixdssit01
server string = livaixdssit01 Samba Server
realm = CITNET.CIT.COM
interfaces = en4
bind interfaces only = yes
security = ADS
password server = *
username map = /opt/pware64/etc/samba/smbusers
log file = /opt/pware64/var/log/samba/log.%m
max log size = 1000
ldap ssl = no
dns proxy = no
preferred master = no
encrypt passwords = yes
log level = 2
wins server = ip.of.wins.server (changed for this post)
read only = no
cups options = raw
short preserve case = no
dos filetime resolution = yes
client use spnego = yes
idmap config CITNET:default = yes
idmap config CITNET:backend = ad
idmap config CITNET:range = 0-50000
idmap config *:range = 0-50000
idmap config *:backend = ad
idmap config LIVAIXDSSIT01:range = 0-50000
idmap config LIVAIXDSSIT01:backend = ad
idmap config CIT:range = 0-50000
idmap config CIT:backend = ad
[RonTest]
comment = restricted access
path = /home/rschwart
create mask = 0775
valid users = rschwart
read only = no
[JMc]
comment = restricted access
path = /home/jmccuske
create mask = 0775
valid users = jmccuske,root
read only = no
[ep]
comment = restricted access
path = /home/epluskwa
create mask = 0775
valid users = epluskwa,root
read only = no
# cat /usr/lib/security/methods.cfg
WINBIND:
program_64 = /usr/lib/security/WINBIND_64
root at livaixdssit01 [ /opt/pware64/etc/samba ]
# cat smbusers
epluskwa="CITNET\Ed Pluskwa"
epluskwa="CITNET\LIVXPD-6PZ9QC1"
--------------------------------------------------------------
smbd, nmbd, and winbindd run under the AIX Subsystem Resource Controller in a
samba group. Kerberos is also setup. I was able to join to our domain/realm
successfully using the net ads join command. wbinfo -u/-g also show output
of the domain users and groups. No errors here.
When I attempt to mount my samba share from my desktop I receive the following
in my workstation log:
[...]
[2012/02/10 13:44:43.857741, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2012/02/10 13:44:43.861338, 1]
auth/user_krb5.c:162(get_user_from_kerberos_info)
Username CITNET\LIVXPD-6PZ9QC1$ is invalid on this system
[2012/02/10 13:44:43.862199, 1] smbd/process.c:456(receive_smb_talloc)
read_smb_length_return_keepalive failed for client 159.3.61.107 read error =
NT_STATUS_END_OF_FILE.
[2012/02/10 13:44:43.871163, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2012/02/10 13:44:43.877617, 1] auth/user_krb5.c:211(make_server_info_krb5)
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:43.877775, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2012/02/10 13:44:43.878662, 1] smbd/process.c:456(receive_smb_talloc)
read_smb_length_return_keepalive failed for client 159.3.61.107 read error =
NT_STATUS_END_OF_FILE.
[2012/02/10 13:44:46.869879, 1] auth/user_krb5.c:211(make_server_info_krb5)
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:46.870166, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2012/02/10 13:44:46.870407, 2] smbd/process.c:2445(deadtime_fn)
Closing idle connection
[2012/02/10 13:44:47.363008, 1] auth/user_krb5.c:211(make_server_info_krb5)
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:47.363355, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2012/02/10 13:44:47.363659, 2] smbd/process.c:2445(deadtime_fn)
Closing idle connection
I'm not sure why it's attempting to authenticate my workstation name
(CITNET\LIVXPD-6PZ9QC1). I put this in my smbusers file but it doesn't seem
to resolve the error.
When I attempt to mount my share on my workstation it returns prompting me for
my username and password instead of mounting the respective share. What am I
missing in configuration or what do I have configured wrong? I cannot find
up-to-date documentation for pware/AIX that would help in this case.
Is there a later patch level of 3.6.0.0 I should be running?
Thank you,
Ed
Christian Ambach
2012-Feb-13 16:31 UTC
[Samba] Samba 3.6.0.0 w/AD Support on AIX 6.1 - Error w/Authentication
> idmap config CITNET:default = yes
> idmap config CITNET:backend = ad
> idmap config CITNET:range = 0-50000
> idmap config *:range = 0-50000
> idmap config *:backend = ad
> idmap config LIVAIXDSSIT01:range = 0-50000
> idmap config LIVAIXDSSIT01:backend = ad
> idmap config CIT:range = 0-50000
> idmap config CIT:backend = ad

The ranges have to be distinct for every domain and when using backend = ad,
you also need to have SFU attributes set in AD.

If you do not need NFS client interop (by reading the uid/gid values to be
used from AD), you could use the idmap_tdb or idmap_autorid modules that
autogenerate the IDs on the box.

e.g. reduce the above lines to just:

idmap config *:range = 50000-99999
idmap config *:backend = tdb

Cheers,
Christian
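Added example, not code from either poster or from the Samba project: a small Python checker for the point Christian makes about the idmap ranges. It parses the "idmap config <DOMAIN>:<option>" lines out of an smb.conf, reports every pair of domains whose ID ranges overlap (in the original post all four entries share 0-50000), lists which domains use backend = ad (and therefore depend on SFU/RFC2307 uidNumber/gidNumber attributes being populated in AD), and flags ranges that start low enough to collide with local AIX accounts. The two sample configurations are constructed from the thread (the posted lines and the suggested replacement); the local-account ceiling of 1000 is an assumption, not a Samba or AIX constant.

```python
"""Check idmap ranges in an smb.conf for overlap and backend requirements."""
import re
from itertools import combinations

# Constructed sample: the idmap lines from the original post, trimmed.
ORIGINAL_CONF = """
[global]
workgroup = CITNET
security = ADS
idmap config CITNET:default = yes
idmap config CITNET:backend = ad
idmap config CITNET:range = 0-50000
idmap config *:range = 0-50000
idmap config *:backend = ad
idmap config LIVAIXDSSIT01:range = 0-50000
idmap config LIVAIXDSSIT01:backend = ad
idmap config CIT:range = 0-50000
idmap config CIT:backend = ad
"""

# Constructed sample: the reduced configuration suggested in the reply.
FIXED_CONF = """
[global]
workgroup = CITNET
security = ADS
idmap config *:range = 50000-99999
idmap config *:backend = tdb
"""

# Assumption: locally defined AIX accounts (root, daemon, ...) live below this.
LOCAL_ID_CEILING = 1000

# Matches "idmap config DOMAIN:option = value"; DOMAIN may be "*".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[option] = value
    return domains


def parse_range(value):
    """Turn 'LOW-HIGH' into an (int, int) tuple, rejecting inverted ranges."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {value}")
    return low, high


def id_ranges(conf_text):
    """Map each domain that has a range to its (low, high) bounds."""
    return {
        dom: parse_range(opts["range"])
        for dom, opts in parse_idmap(conf_text).items()
        if "range" in opts
    }


def overlapping_ranges(conf_text):
    """Return (domain_a, domain_b) pairs whose ranges overlap; must be empty."""
    ranges = id_ranges(conf_text)
    return [
        (a, b)
        for (a, (lo_a, hi_a)), (b, (lo_b, hi_b)) in combinations(sorted(ranges.items()), 2)
        if lo_a <= hi_b and lo_b <= hi_a
    ]


def ad_backend_domains(conf_text):
    """Domains using backend = ad, which need uidNumber/gidNumber set in AD."""
    return sorted(
        dom for dom, opts in parse_idmap(conf_text).items()
        if opts.get("backend", "").lower() == "ad"
    )


def low_ranges(conf_text, ceiling=LOCAL_ID_CEILING):
    """Domains whose range starts below the local-account ceiling (assumed)."""
    return sorted(dom for dom, (low, _) in id_ranges(conf_text).items() if low < ceiling)


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: overlaps={overlapping_ranges(conf)} "
              f"ad_backends={ad_backend_domains(conf)} low={low_ranges(conf)}")
```

Run against the posted configuration it reports six overlapping pairs, four domains relying on the ad backend, and four ranges that start at 0; against the reduced configuration it reports nothing, since the single default range starts at 50000 and tdb allocates IDs locally without any AD attributes.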