[Samba] Authentication problem with samba 3.3.4 on AIX 5.3

William Jojo w.jojo at hvcc.edu
Tue Jun 9 17:13:53 GMT 2009


Arendt, Volker wrote:
> Hello all,
>
> we currently do have a problem with samba 3.3.4 on AIX 5.3.
> We have set up the samba system to integrate in our AD Domain. 
> Integration was successful (net ads join), wbinfo executes with parameters
> -ugt without any problems. 
> Our smb.conf content follows at the end of this mail.
>
> We have defined just one share as follows:
> [smbtest]
> writeable = yes
> path = /gpfs/fbb/ls/cip
> valid users = 
>
> When we connect from a Windows XP System we get the following error
> message:
> ---
> C:\Programme\Support Tools>net use p: \\frigg\smbtest
> Systemfehler 2239 aufgetreten.
>
> Dieses Benutzerkonto ist abgelaufen.
> ---
> translated: user account has expired
>
> In the system log file we get:
> ---------------------------------------------------------------------------
> ------
> [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
>   Mapped to [FB6] (using PAC)
> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_alloc(133)
>   Finding user FB6+AdmMJ
> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(77)
>   Trying _Get_Pwnam(), username as lowercase is fb6+admmj
> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
>   Get_Pwnam_internals did find user [FB6+AdmMJ]!
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
>   smb_pam_start: PAM: Init user: admmj
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
>   smb_pam_start: PAM: setting rhost to: 132.195.123.104
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(498)
>   smb_pam_start: PAM: setting tty
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
>   smb_pam_start: PAM: Init passed for user: admmj
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_account(564)
>   smb_pam_account: PAM: Account Management for User: admmj
> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
>   smb_pam_account: PAM: User admmj no longer permitted to access system
> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
>   smb_pam_error_handler: PAM: Account Check Failed : User account has
> expired
> [2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
> admmj!
> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_end(450)
>   smb_pam_end: PAM: PAM_END OK.
> ---------------------------------------------------------------------------
> ------
>   

Hey, Volker. It's been awhile. Couple of questions:

1) What does /etc/pam.conf look like and

2) What does /opt/pware/lib/fbb-projekte.conf look like?


Glad to see you are still using the pWare stuff. :-) :-) How is your 
cluster testing going? I need to contact Miguel again to see how he is 
making out.

Cheers,
Bill

> An error log, debug level 10 is available on request.
>
> Kind regards
>
> Volker
>
>
> SMB.CONF
> ---------------------------------------------------------------------------
> ---
> [global]
>
> # --------------------------------------------------------
> # setting base configuration parameters
> #
> # --------------------------------------------------------
> workgroup = FB6
> netbios name = FRIGG
> server string = AFS-2
> security = ADS
> realm = FB6.UNI-WUPPERTAL.DE
> auth methods = winbind
> # password server = AD logon server
> password server = 132.195.120.9 132.195.120.12
> wins server = 132.195.120.12
> client use spnego = yes
> client signing = yes
> # added because of ticket #5344
> #client lanman auth = no
> #client ntlmv2 auth = yes
> encrypt passwords = yes
> host msdfs = no
> #domain logons = yes
>
> # for Samba 3.3.0
> # so that no encrypted connection to the Domain Controller
> # is established
> ldap ssl = no
>
> # ---------------------------------------------------------
> # printer settings
> # ??? better disable these settings ???
> # ---------------------------------------------------------
> # printcap name = cups
> # disable spoolss = Yes
> # show add printer wizard = No
>
> # ---------------------------------------------------------
> # ID mapping parameters
> # mapping windows users to unix users
> # this is performed on the basis of sid on windows and
> # unix with uid for users and gid for groups
> # the backend parameter rid allows to get the same mapping
> # from sid to uid because it is determined algorithmically
> # that way we get the same mapping even if we use samba on
> # several disparate systems
> # CHANGE NOTIFICATION: with v3.3.0 there are changes
> # to idmap; idmap domains is no longer supported
> # ---------------------------------------------------------
> #idmap domains = FB6
> #idmap backend = rid
> idmap backend = tdb
> idmap config FB6:backend   = rid
> #idmap config FB6:base_rid  = 0
> idmap config FB6:range     = 10000 - 49999
> idmap uid = 10000-49999
> idmap gid = 10000-49999
>
> winbind separator =+
> winbind use default domain = Yes
> winbind enum users = no
> winbind enum groups = no
> winbind cache time = 60
> winbind gid = 10000-49999
> winbind uid = 10000-49999
>
> template homedir = /gpfs/fbb/user/%U
> template shell = /opt/pware/bin/bash
> #use sendfile = Yes
> #printing = cups
> #ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"
>
> #-------------------------------------------------------
> # Logging options
> #
> #-------------------------------------------------------
> #
> # higher log levels have a negative impact on performance
> log level = 10
> log file = /opt/pware/var/log/samba.log.%m
> max log size = 5000000
> debug timestamp = yes
> obey pam restrictions = yes
> #utmp = yes
>
> #-------------------------------------------------------
> # ACL Support
> #
> #-------------------------------------------------------
> map acl inherit = yes
> nt acl support = yes
> inherit acls = yes
> inherit permissions = yes
> inherit owner = yes
> admin users = @"FB6+domain admins"
>
> #-------------------------------------------------------
> # Performance options
> #
> #-------------------------------------------------------
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> include = /opt/pware/lib/fbb-projekte.conf
>   
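
Added example, not part of the original thread and not Samba project code: a small parser for the smbd debug-log format quoted in this message. It groups each header with its message lines and reports whether the Kerberos mapping succeeded and which pampass.c step rejected the user. The function names parse_entries and triage are illustrative; the sample lines are taken from the excerpt above, with the mail line-wrapping kept.

```python
import re

# Header of an smbd debug entry: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Sample lines taken from the log excerpt quoted in this thread.
SAMPLE = """\
[2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
  Mapped to [FB6] (using PAC)
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
  smb_pam_start: PAM: Init passed for user: admmj
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
  smb_pam_account: PAM: User admmj no longer permitted to access system
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has
expired
[2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
admmj!
"""

def parse_entries(text):
    """Group each header with its message lines (mail-wrapped lines included)."""
    entries = []
    for raw in text.splitlines():
        raw = re.sub(r"^>\s?", "", raw)  # drop an e-mail quote prefix if present
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def triage(entries):
    """Report Kerberos mapping success and which PAM step rejected which user."""
    result = {"kerberos_mapped": False, "pam_rejections": []}
    for e in entries:
        if e["func"] == "reply_spnego_kerberos" and e["msg"].startswith("Mapped to"):
            result["kerberos_mapped"] = True
        m = re.search(r"Rejecting User (\S+?)!", e["msg"])
        if e["src"] == "auth/pampass.c" and m:
            result["pam_rejections"].append((m.group(1), e["func"], e["ts"]))
    return result

if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE)))
```
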


