ORTEGA DOMINGUEZ, GONZALO
2014-Oct-23 11:33 UTC
[Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access shares
Hello,
I have installed and configured Samba 3.6.0 joining a Windows 2003
server domain.
wbinfo -u works fine but when I try to access a share I get the
following error :
Failed to find authenticated user via getpwnam(), denying access
Aix client is connecting the DC over a VPN.
This is my krb5.conf :
[libdefaults]
default_realm = MYDOMAIN.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
clockskew = 300
[realms]
MYDOMAIN.COM = {
kdc = dc.mydomain.com:88
admin_server = dc.mydomain.com:749
default_domain = MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log
And this is my smb.conf :
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = AIXCLINT
netbios name = aixclient
encrypt passwords = yes
security = ads
log file = /var/log/samba/log.%m
dos filetime resolution = yes
debug level = 99
max log size = 1000
winbinduid = 30000-40000
winbindgid = 30000-40000
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
winbind use default domain = yes
read only = No
lock directory = /var/locks/samba
password server = dc.mydomain.com
panic action = "/usr/bin/sleep 90000"
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
bind interfaces only = Yes
interfaces = en1
use sendfile = Yes
show add printer wizard = No
[TMP]
comment = TMP
path = /tmp/MYUSER
valid users = "MYDOMAIN+MYUSER"
The same configuration on an AIX 5.3 client in the LAN works fine.
I have unjoined and joined to the domain with many changes in Kerberos
and smb.conf but no success.
Rowland Penny
2014-Oct-23 12:07 UTC
[Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access shares
On 23/10/14 12:33, ORTEGA DOMINGUEZ, GONZALO wrote:
> Hello,
>
> I have installed and configured Samba 3.6.0 joining a Windows 2003
> server domain.
>
> wbinfo -u works fine but when I try to access a share I get the
> following error :
>
> Failed to find authenticated user via getpwnam(), denying access
>
> Aix client is connecting the DC over a VPN.
>
> This is my krb5.conf :
>
> [libdefaults]
> default_realm = MYDOMAIN.COM
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> clockskew = 300
>
> [realms]
> MYDOMAIN.COM = {
> kdc = dc.mydomain.com:88
> admin_server = dc.mydomain.com:749
> default_domain = MYDOMAIN.COM
> }
>
> [domain_realm]
> .mydomain.com = MYDOMAIN.COM
> mydomain.com = MYDOMAIN.COM
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> And this is my smb.conf :
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> server string = AIXCLINT
> netbios name = aixclient
> encrypt passwords = yes
> security = ads
> log file = /var/log/samba/log.%m
> dos filetime resolution = yes
> debug level = 99
> max log size = 1000
> winbinduid = 30000-40000
> winbindgid = 30000-40000

Just where did you get the above two lines from?
You need something like this:

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307

Rowland

> winbind enum users = Yes
> winbind enum groups = Yes
> winbind separator = +
> winbind use default domain = yes
> read only = No
> lock directory = /var/locks/samba
> password server = dc.mydomain.com
> panic action = "/usr/bin/sleep 90000"
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> bind interfaces only = Yes
> interfaces = en1
> use sendfile = Yes
> show add printer wizard = No
>
> [TMP]
> comment = TMP
> path = /tmp/MYUSER
> valid users = "MYDOMAIN+MYUSER"
>
> The same configuration on an AIX 5.3 client in the LAN works fine.
>
> I have unjoined and joined to the domain with many changes in Kerberos
> and smb.conf but no success.
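A small checker for the idmap layout suggested in the reply above, as an added example that is not part of the thread or of Samba. It reports whether the default domain `*` and the workgroup each have an `idmap config ... : range`, and whether any ranges overlap; the sample configs are constructed from the posted lines, and using MYDOMAIN in place of EXAMPLE is an assumption.

```python
import re

# Constructed samples: lines as posted, and the reply's layout with EXAMPLE -> MYDOMAIN (assumed).
POSTED = """[global]
workgroup = MYDOMAIN
winbinduid = 30000-40000
winbindgid = 30000-40000
"""
SUGGESTED = """[global]
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 10000-999999
idmap config MYDOMAIN : schema_mode = rfc2307
"""

def parse_global(text):
    """Return {key: value} for [global]; keys lowercased, spaces collapsed."""
    section, params = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """Map DOMAIN -> (low, high) from 'idmap config DOMAIN : range = a-b'."""
    ranges = {}
    for key, value in params.items():
        dom = re.fullmatch(r"idmap config (\S+) ?: ?range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            ranges[dom.group(1).upper()] = (int(rng.group(1)), int(rng.group(2)))
    return ranges

def check_idmap(text):
    """List findings: missing ranges for '*' or the workgroup, and overlaps."""
    params = parse_global(text)
    ranges = idmap_ranges(params)
    wanted = ["*"] + ([params["workgroup"].upper()] if "workgroup" in params else [])
    findings = [f"no 'idmap config {d} : range'" for d in wanted if d not in ranges]
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (_, hi1)), (d2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:  # sorted by low bound, so any overlap appears in a neighbouring pair
            findings.append(f"ranges for {d1} and {d2} overlap")
    return findings
```

`check_idmap()` takes the text of an smb.conf and returns a list of findings, empty when both ranges are present and disjoint.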