Philip Cunio
2022-Dec-06 22:46 UTC
[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
I apologize for the miscommunication and incomplete information.
This is the situation.

AIX system #1 was running AIX 7.1 with SAMBA 14.10.6. The AIX O/S of that system was upgraded to AIX 7.2. The SAMBA version has not changed (14.10.6). SAMBA continued to function as expected.

AIX system #2 was running AIX 7.1 with SAMBA 14.14.4. The AIX O/S of that system was upgraded to AIX 7.2. The SAMBA version has not changed (14.14.4). SAMBA now requests credentials when an attempt is made to map a drive. The following error is in the log for the device requesting the drive mapping:

[2022/11/28 16:48:30.181656, 1] ../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):Failed to find cifs/xxxx at YYYYY.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]

The version of SAMBA is not changed when upgrading the AIX O/S.

Both systems are stand alone SAMBA servers functioning to provide the ability for Windows Client devices to map drives to the AIX system.

I will review the links provided in the other posts to see if they apply to my situation.

Complete smb.conf for System #1 and #2

[global]
    workgroup = ZZZ
    realm = YYYYY.COM
    interfaces = 10.150.129.6
    netbios name = xxxx
    security = ADS
    log file = /var/samba/log/log.%m
    log level = 3 passdb:5 auth:5
    wins server = corp-zzz-dc2.yyyyy.com
    password server = corp-zzz-dc2.yyyyy.com
    socket address = 10.150.129.6
    server min protocol = SMB2
    server signing = mandatory
    create mask = 0666
    follow symlinks = yes
    unix extensions = no

[files]
    comment = flat files
    path = /data/unload/flat_files
    read only = No
    wide links = Yes

[upload]
    comment = Informix group upload
    path = /data/unload/infmx_grp
    read only = No

On Mon, Dec 5, 2022 at 1:56 PM Vaughan, Robert J via samba <samba at lists.samba.org> wrote:

> > I knew you were going to say that, but I am running a Solaris 11 domain
> > member from OS package Samba that reports version 4.13.8 without winbind
> > with several hundred users right now
> >
> > And same experience on Red Hat 7 and 8 (reported versions a bit
> > different but newer than 4.8)
> >
> > It complains about no winbind in the logs but yet it works
> >
>
> >> If you read here (under the heading 'Samba 4.8.0'):
> >>
> >> https://urldefense.com/v3/__https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed__;!!BlOwZnr7TA!mkqAC6zlQT_E3OrhCnUwT30X3XjIAN3rbBFCSsu2pq0rzs5I28WxWMn8wL1xrYqwekJfQHCMPRzNgDCb$
> >>
> >> It states:
> >>
> >> Domain member setups require winbindd
> >>
> >> Setups with "security = domain" or "security = ads" require a running
> >> 'winbindd' now. The fallback that smbd directly contacts domain
> >> controllers is gone.
> >>
> >> So, unless I have understood it wrong, if you are running Samba as a
> >> Unix domain member, from version 4.8.0 you must run winbind.
> >>
> >> The only way around this that I can think of, is that Samba has been
> >> patched to allow smbd to work in the old way, where it could contact
> >> the domain controller directly.
> >>
> >> The other possibility is that you are not actually running a Unix
> >> domain member, you are running a standalone server.
>
> I can only imagine that the OS vendors did the patch you suggest. In fact
> when I had a ticket open with Oracle about it they did seem to suggest they
> had done something to keep the fallback working for a while, but could no
> longer do that
>
> Thanks,
>
> Robert Vaughan
Philip Cunio
2022-Dec-06 22:51 UTC
[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
Corrections to version.

On Tue, Dec 6, 2022 at 5:46 PM Philip Cunio <phil.cunio at inmar.com> wrote:

> I apologize for the miscommunication and incomplete information.
> This is the situation.
>
> AIX system #1 was running AIX 7.1 with SAMBA 4.10.6. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed (4.10.6).
> SAMBA continued to function as expected.
> AIX system #2 was running AIX 7.1 with SAMBA 4.14.4. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed (4.14.4).
> SAMBA now requests credentials when an attempt is made to map a drive. The
> following error in the log for the device requesting the drive mapping:
>
> [2022/11/28 16:48:30.181656,
> 1]../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)gss_accept_sec_context
> failed with [ Miscellaneous failure (see text):Failed to find cifs/
> xxxx at YYYYY.COM(kvno 4) in keytab
> MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]
>
> The version of SAMBA is not changed when upgrading the AIX O/S.
>
> Both systems are stand alone SAMBA servers functioning to provide the
> ability for Windows Client devices to map drives to the AIX system.
>
> I will review the links provided in the other posts to see if they apply
> to my situation.
Rowland Penny
2022-Dec-07 08:10 UTC
[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
On 06/12/2022 22:46, Philip Cunio via samba wrote:
> I apologize for the miscommunication and incomplete information.
> This is the situation.
>
> AIX system #1 was running AIX 7.1 with SAMBA 14.10.6. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.10.6). SAMBA continued to function as expected.
> AIX system #2 was running AIX 7.1 with SAMBA 14.14.4. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.14.4). SAMBA now requests credentials when an attempt is made to map a
> drive. The following error in the log for the device requesting the drive
> mapping:
>
> [2022/11/28 16:48:30.181656,
> 1]../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)gss_accept_sec_context
> failed with [ Miscellaneous failure (see text):Failed to find cifs/
> xxxx at YYYYY.COM(kvno 4) in keytab
> MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]

That appears to be fairly obvious, a Kerberos key cannot be found, perhaps the AIX crypto isn't new enough (cannot create AES keys).

>
> The version of SAMBA is not changed when upgrading the AIX O/S.
>
> Both systems are stand alone SAMBA servers functioning to provide the
> ability for Windows Client devices to map drives to the AIX system.
>
> I will review the links provided in the other posts to see if they apply to
> my situation.
>
>
> Complete smb.conf for System #1 and #2
> [global]
> workgroup = ZZZ
> realm = YYYYY.COM
> interfaces = 10.150.129.6
> netbios name = xxxx
> security = ADS
> log file = /var/samba/log/log.%m
> log level = 3 passdb:5 auth:5
> wins server = corp-zzz-dc2.yyyyy.com

You do not use 'wins' with AD

> password server = corp-zzz-dc2.yyyyy.com

You should allow winbind to decide the best DC to use.

> socket address = 10.150.129.6
> server min protocol = SMB2
> server signing = mandatory
> create mask = 0666
> follow symlinks = yes
> unix extensions = no

The problem is that on Linux I would expect 'idmap config' lines. At a minimum something like these:

    idmap config * : backend = autorid
    idmap config * : range = 10000-9999999

Without them, how is winbind mapping users?

Rowland
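
Added example, not part of any post in this thread: a Python helper that extracts the principal, kvno and encryption type from the gse.c error quoted above and compares them with a keytab listing, to separate a missing principal from a stale key version or a missing encryption type. The keytab listing, its three-column layout and the function names are constructed for illustration, and the principal is written with "@" restored.

```python
import re

# Constructed inputs: the error text from the thread (with "@" restored) and a
# made-up keytab listing in a simple "kvno enctype principal" layout.
LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text):"
       "Failed to find cifs/xxxx@YYYYY.COM(kvno 4) in keytab "
       "MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]")
KEYTAB = """\
3 arcfour-hmac-md5 cifs/xxxx@YYYYY.COM
3 aes256-cts-hmac-sha1-96 cifs/xxxx@YYYYY.COM
4 aes256-cts-hmac-sha1-96 host/xxxx@YYYYY.COM
"""

WANTED_RE = re.compile(
    r"Failed to find (?P<principal>\S+)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>[^()\s]+)\((?P<enctype>[^)]+)\)")

def parse_wanted(log_line):
    """Return the key the server looked for, or None if the line does not match."""
    m = WANTED_RE.search(log_line)
    if m is None:
        return None
    d = m.groupdict()
    d["kvno"] = int(d["kvno"])
    return d

def parse_keytab(listing):
    """Turn 'kvno enctype principal' lines into (kvno, enctype, principal) tuples."""
    rows = (line.split() for line in listing.splitlines())
    return [(int(r[0]), r[1], r[2]) for r in rows if len(r) == 3 and r[0].isdigit()]

def diagnose(wanted, entries):
    """Say which part of (principal, kvno, enctype) has no match in the keytab."""
    mine = [(k, e) for k, e, p in entries if p == wanted["principal"]]
    if not mine:
        return "principal-missing"
    if (wanted["kvno"], wanted["enctype"]) in mine:
        return "key-present"
    if any(k == wanted["kvno"] for k, _ in mine):
        return "enctype-missing"      # right key version, no key of that type
    if any(e == wanted["enctype"] for _, e in mine):
        return "kvno-mismatch"        # key type exists, but for another version
    return "kvno-and-enctype-missing"

if __name__ == "__main__":
    wanted = parse_wanted(LOG)
    print(wanted, "->", diagnose(wanted, parse_keytab(KEYTAB)))
```

In practice the listing would come from the keytab-listing tool of the platform's Kerberos build, reshaped into these three columns.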