[Samba] Authentication problem with samba 3.3.4 on AIX 5.3
Arendt, Volker
Arendt at wiwi.uni-wuppertal.de
Tue Jun 9 15:35:33 GMT 2009
Hello all,
We currently have a problem with samba 3.3.4 on AIX 5.3.
We have set up the samba system to integrate into our AD domain.
Integration was successful (net ads join), and wbinfo executes with parameters
-ugt without any problems.
Our smb.conf content follows at the end of this mail.
We have defined just one share as follows:
[smbtest]
writeable = yes
path = /gpfs/fbb/ls/cip
valid users =
When we connect from a Windows XP System we get the following error
message:
---
C:\Programme\Support Tools>net use p: \\frigg\smbtest
Systemfehler 2239 aufgetreten.
Dieses Benutzerkonto ist abgelaufen.
---
translated: user account has expired
In the system log file we get:
---------------------------------------------------------------------------
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_alloc(133)
Finding user FB6+AdmMJ
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(77)
Trying _Get_Pwnam(), username as lowercase is fb6+admmj
[2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(110)
Get_Pwnam_internals did find user [FB6+AdmMJ]!
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(472)
smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
smb_pam_start: PAM: setting rhost to: 132.195.123.104
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(498)
smb_pam_start: PAM: setting tty
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(506)
smb_pam_start: PAM: Init passed for user: admmj
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_account(564)
smb_pam_account: PAM: Account Management for User: admmj
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_account(571)
smb_pam_account: PAM: User admmj no longer permitted to access system
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
smb_pam_error_handler: PAM: Account Check Failed : User account has expired
[2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_end(450)
smb_pam_end: PAM: PAM_END OK.
---------------------------------------------------------------------------
An error log, debug level 10 is available on request.
Kind regards
Volker
SMB.CONF
---------------------------------------------------------------------------
[global]
# --------------------------------------------------------
# setting base configuration parameters
#
# --------------------------------------------------------
workgroup = FB6
netbios name = FRIGG
server string = AFS-2
security = ADS
realm = FB6.UNI-WUPPERTAL.DE
auth methods = winbind
# password server = AD logon server
password server = 132.195.120.9 132.195.120.12
wins server = 132.195.120.12
client use spnego = yes
client signing = yes
# added because of ticket #5344
#client lanman auth = no
#client ntlmv2 auth = yes
encrypt passwords = yes
host msdfs = no
#domain logons = yes
# for Samba 3.3.0
# so that no encrypted connection to the domain controller
# is established
ldap ssl = no
# ---------------------------------------------------------
# printer settings
# ??? better disable these settings ???
# ---------------------------------------------------------
# printcap name = cups
# disable spoolss = Yes
# show add printer wizard = No
# ---------------------------------------------------------
# ID mapping parameters
# mapping windows users to unix users
# this is performed on the basis of sid on windows and
# unix with uid for users and gid for groups
# the backend parameter rid allows to get the same mapping
# from sid to uid because it is determined algorithmically
# that way we get the same mapping even if we use samba on
# several disparate systems
# CHANGE NOTIFICATION: with v3.3.0 there are changes
# to idmap; idmap domains is no longer supported
# ---------------------------------------------------------
#idmap domains = FB6
#idmap backend = rid
idmap backend = tdb
idmap config FB6:backend = rid
#idmap config FB6:base_rid = 0
idmap config FB6:range = 10000 - 49999
idmap uid = 10000-49999
idmap gid = 10000-49999
winbind separator =+
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
winbind gid = 10000-49999
winbind uid = 10000-49999
template homedir = /gpfs/fbb/user/%U
template shell = /opt/pware/bin/bash
#use sendfile = Yes
#printing = cups
#ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"
#-------------------------------------------------------
# Logging options
#
#-------------------------------------------------------
#
# higher log levels have a negative impact on performance
log level = 10
log file = /opt/pware/var/log/samba.log.%m
max log size = 5000000
debug timestamp = yes
obey pam restrictions = yes
#utmp = yes
#-------------------------------------------------------
# ACL Support
#
#-------------------------------------------------------
map acl inherit = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
admin users = @"FB6+domain admins"
#-------------------------------------------------------
# Performance options
#
#-------------------------------------------------------
socket options = TCP_NODELAY IPTOS_LOWDELAY
include = /opt/pware/lib/fbb-projekte.conf
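
An added example, not part of the original post: in the log excerpt above the user is mapped from the Kerberos PAC and the rejection comes from the PAM account-management step in auth/pampass.c, which smbd runs when `obey pam restrictions = yes` is set, as in this smb.conf. The Python below parses Samba's header-plus-message log entries and reports such PAM rejections; the sample log is constructed (user "jdoe" and 192.0.2.10 are placeholders) and the function names are illustrative.

```python
import re

# Constructed sample in Samba's debug-log layout (header line, then message lines),
# modelled on the excerpt in the post; "jdoe" and 192.0.2.10 are placeholders.
SAMPLE = """\
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
  Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 192.0.2.10
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has
  expired
[2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
  jdoe!
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<lvl>\d+)\] (?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")

def parse_entries(text):
    """Group each header line with its (possibly mail-wrapped) message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def pam_rejections(entries):
    """Report users rejected by PAM account checks, noting if Kerberos mapping preceded it."""
    findings, state = [], {"krb": False, "rhost": None, "reason": None}
    for e in entries:
        msg = e["msg"]
        if e["func"] == "reply_spnego_kerberos" and msg.startswith("Mapped to"):
            state = {"krb": True, "rhost": None, "reason": None}
        elif (m := re.search(r"setting rhost to: (\S+)", msg)):
            state["rhost"] = m.group(1)
        elif e["func"] == "smb_pam_error_handler":
            state["reason"] = msg.split(" : ", 1)[-1]
        elif (m := re.search(r"Rejecting User (\S+?)!", msg)):
            findings.append({"ts": e["ts"], "user": m.group(1), "kerberos_ok": state["krb"],
                             "rhost": state["rhost"], "pam_reason": state["reason"]})
            state = {"krb": False, "rhost": None, "reason": None}
    return findings

if __name__ == "__main__":
    print(pam_rejections(parse_entries(SAMPLE)))
```

A finding with `kerberos_ok` true and a `pam_reason` points at the host's PAM account stack rather than at the AD credentials.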