[Samba] Authentication problem with samba 3.3.4 on AIX 5.3

Arendt, Volker Arendt at wiwi.uni-wuppertal.de
Tue Jun 9 15:35:33 GMT 2009


Hello all,

We currently have a problem with samba 3.3.4 on AIX 5.3.
We have set up the samba system to integrate into our AD domain.
Integration was successful (net ads join), and wbinfo executes with parameters
-ugt without any problems.
Our smb.conf content follows at the end of this mail.

We have defined just one share as follows:
[smbtest]
writeable = yes
path = /gpfs/fbb/ls/cip
valid users = 

When we connect from a Windows XP System we get the following error
message:
---
C:\Programme\Support Tools>net use p: \\frigg\smbtest
Systemfehler 2239 aufgetreten.

Dieses Benutzerkonto ist abgelaufen.
---
translated: user account has expired

In the system log file we get:
---------------------------------------------------------------------------
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
  Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_alloc(133)
  Finding user FB6+AdmMJ
[2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(77)
  Trying _Get_Pwnam(), username as lowercase is fb6+admmj
[2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
  Get_Pwnam_internals did find user [FB6+AdmMJ]!
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
  smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 132.195.123.104
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(498)
  smb_pam_start: PAM: setting tty
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
  smb_pam_start: PAM: Init passed for user: admmj
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_account(564)
  smb_pam_account: PAM: Account Management for User: admmj
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
  smb_pam_account: PAM: User admmj no longer permitted to access system
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has expired
[2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_end(450)
  smb_pam_end: PAM: PAM_END OK.
---------------------------------------------------------------------------

An error log, debug level 10 is available on request.

Kind regards

Volker


SMB.CONF
---------------------------------------------------------------------------
[global]

# --------------------------------------------------------
# setting base configuration parameters
#
# --------------------------------------------------------
workgroup = FB6
netbios name = FRIGG
server string = AFS-2
security = ADS
realm = FB6.UNI-WUPPERTAL.DE
auth methods = winbind
# password server = AD logon server
password server = 132.195.120.9 132.195.120.12
wins server = 132.195.120.12
client use spnego = yes
client signing = yes
# added because of ticket #5344
#client lanman auth = no
#client ntlmv2 auth = yes
encrypt passwords = yes
host msdfs = no
#domain logons = yes

# for Samba 3.3.0
# so that no encrypted connection to the domain controller
# is established
ldap ssl = no

# ---------------------------------------------------------
# printer settings
# ??? better disable these settings ???
# ---------------------------------------------------------
# printcap name = cups
# disable spoolss = Yes
# show add printer wizard = No

# ---------------------------------------------------------
# ID mapping parameters
# mapping windows users to unix users
# this is performed on the basis of sid on windows and
# unix with uid for users and gid for groups
# the backend parameter rid allows to get the same mapping
# from sid to uid because it is determined algorithmically
# that way we get the same mapping even if we use samba on
# several disparate systems
# CHANGE NOTIFICATION: with v3.3.0 there are changes
# to idmap; idmap domains is no longer supported
# ---------------------------------------------------------
#idmap domains = FB6
#idmap backend = rid
idmap backend = tdb
idmap config FB6:backend   = rid
#idmap config FB6:base_rid  = 0
idmap config FB6:range     = 10000 - 49999
idmap uid = 10000-49999
idmap gid = 10000-49999

winbind separator =+
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
winbind gid = 10000-49999
winbind uid = 10000-49999

template homedir = /gpfs/fbb/user/%U
template shell = /opt/pware/bin/bash
#use sendfile = Yes
#printing = cups
#ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"

#-------------------------------------------------------
# Logging options
#
#-------------------------------------------------------
#
# higher log levels have a negative impact on performance
log level = 10
log file = /opt/pware/var/log/samba.log.%m
max log size = 5000000
debug timestamp = yes
obey pam restrictions = yes
#utmp = yes

#-------------------------------------------------------
# ACL Support
#
#-------------------------------------------------------
map acl inherit = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
admin users = @"FB6+domain admins"

#-------------------------------------------------------
# Performance options
#
#-------------------------------------------------------
socket options = TCP_NODELAY IPTOS_LOWDELAY
include = /opt/pware/lib/fbb-projekte.conf
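
Added example, not part of the original post and not Samba's own code: a small Python parser for the debug-log format quoted above. It rejoins mail-wrapped message lines and reports each session that smb_pam_accountcheck rejected, with the user, client address and the reason PAM returned. The function names and the embedded sample are constructed for this illustration.

```python
import re

# Constructed sample: records from the log in this post, two messages mail-wrapped.
SAMPLE_LOG = """\
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
  Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
  smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 132.195.123.104
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has
expired
[2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
admmj!
"""

# Header line of a Samba debug record: [timestamp, level] file:function(line)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)$")

def parse_records(text):
    """Yield header fields plus the message, rejoining continuation lines."""
    rec = None
    for raw in text.splitlines():
        if m := HEADER.match(raw.rstrip()):
            if rec:
                yield rec
            rec = dict(m.groupdict(), msg="")
        elif rec and raw.strip():
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    if rec:
        yield rec

def pam_account_rejections(text):
    """Summarise each session that PAM account management rejected."""
    out, ctx = [], {}
    for r in parse_records(text):
        if r["src"] != "auth/pampass.c":
            continue  # e.g. the Kerberos/PAC mapping record
        if m := re.search(r"PAM: Init user: (\S+)", r["msg"]):
            ctx = {"user": m.group(1), "ts": r["ts"]}
        elif m := re.search(r"setting rhost to: (\S+)", r["msg"]):
            ctx["rhost"] = m.group(1)
        elif m := re.search(r"Account Check Failed : (.+)", r["msg"]):
            ctx["reason"] = m.group(1)
        elif "Account Validation Failed" in r["msg"]:
            out.append(dict(ctx, level=int(r["level"])))
    return out
```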

