SOLVED: [Samba] Authentication problem with samba 3.3.4 on AIX 5.3:

William Jojo w.jojo at hvcc.edu
Tue Jun 9 20:12:32 GMT 2009


Arendt, Volker wrote:
>
> Hi David,
>
> That's it! Thanks a lot!!!
>

But, of course, you can always ignore PAM. ;-)


Cheers,
Bill


> Volker
>
> -----Original Message-----
> From: David Markey [mailto:dmarkey at dodds.dmarkey.com]
> Sent: Tue 09.06.2009 20:13
> To: William Jojo
> Cc: Arendt, Volker; samba at lists.samba.org
> Subject: Re: [Samba] Authentication problem with samba 3.3.4 on AIX 5.3
>
> AIX doesn't have a pam.conf. It uses LAM.
>
> change
> obey pam restrictions = yes
> to
> obey pam restrictions = no
>
>
>
>
> William Jojo wrote:
> > Arendt, Volker wrote:
> >> Hello all,
> >>
> >> We currently have a problem with samba 3.3.4 on AIX 5.3.
> >> We have set up the samba system to integrate in our AD Domain.
> >> Integration was successful (net ads join), wbinfo executes with
> >> parameters -ugt without any problems. Our smb.conf content follows
> >> at the end of this mail.
> >>
> >> We have defined just one share as follows:
> >> [smbtest]
> >> writeable = yes
> >> path = /gpfs/fbb/ls/cip
> >> valid users =
> >> When we connect from a Windows XP System we get the following error
> >> message:
> >> ---
> >> C:\Programme\Support Tools>net use p: \\frigg\smbtest
> >> Systemfehler 2239 aufgetreten.
> >>
> >> Dieses Benutzerkonto ist abgelaufen.
> >> ---
> >> translated: user account has expired
> >>
> >> In the system log file we get:
> >> ---------------------------------------------------------------------------------
> >> [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
> >>   Mapped to [FB6] (using PAC)
> >> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_alloc(133)
> >>   Finding user FB6+AdmMJ
> >> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(77)
> >>   Trying _Get_Pwnam(), username as lowercase is fb6+admmj
> >> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
> >>   Get_Pwnam_internals did find user [FB6+AdmMJ]!
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
> >>   smb_pam_start: PAM: Init user: admmj
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
> >>   smb_pam_start: PAM: setting rhost to: 132.195.123.104
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(498)
> >>   smb_pam_start: PAM: setting tty
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
> >>   smb_pam_start: PAM: Init passed for user: admmj
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_account(564)
> >>   smb_pam_account: PAM: Account Management for User: admmj
> >> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
> >>   smb_pam_account: PAM: User admmj no longer permitted to access system
> >> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
> >>   smb_pam_error_handler: PAM: Account Check Failed : User account has expired
> >> [2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
> >>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
> >> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_end(450)
> >>   smb_pam_end: PAM: PAM_END OK.
> >> ---------------------------------------------------------------------------------
> >>  
> >
> > Hey, Volker. It's been a while. Couple of questions:
> >
> > 1) What does /etc/pam.conf look like and
> >
> > 2) What does /opt/pware/lib/fbb-projekte.conf look like?
> >
> >
> > Glad to see you are still using the pWare stuff. :-) :-) How is your
> > cluster testing going? I need to contact Miguel again to see how he is
> > making out.
> >
> > Cheers,
> > Bill
> >
> >> An error log, debug level 10 is available on request.
> >>
> >> Kind regards
> >>
> >> Volker
> >>
> >>
> >> SMB.CONF
> >> ------------------------------------------------------------------------------
> >> [global]
> >>
> >> # --------------------------------------------------------
> >> # setting base configuration parameters
> >> #
> >> # --------------------------------------------------------
> >> workgroup = FB6
> >> netbios name = FRIGG
> >> server string = AFS-2
> >> security = ADS
> >> realm = FB6.UNI-WUPPERTAL.DE
> >> auth methods = winbind
> >> # password server = AD logon server
> >> password server = 132.195.120.9 132.195.120.12
> >> wins server = 132.195.120.12
> >> client use spnego = yes
> >> client signing = yes
> >> # added because of ticket #5344
> >> #client lanman auth = no
> >> #client ntlmv2 auth = yes
> >> encrypt passwords = yes
> >> host msdfs = no
> >> #domain logons = yes
> >>
> >> # for Samba 3.3.0
> >> # so that no encrypted connection to the domain controller
> >> # is established
> >> ldap ssl = no
> >>
> >> # ---------------------------------------------------------
> >> # printer settings
> >> # ??? better disable these settings ???
> >> # ---------------------------------------------------------
> >> # printcap name = cups
> >> # disable spoolss = Yes
> >> # show add printer wizard = No
> >>
> >> # ---------------------------------------------------------
> >> # ID mapping parameters
> >> # mapping windows users to unix users
> >> # this is performed on the basis of sid on windows and
> >> # unix with uid for users and gid for groups
> >> # the backend parameter rid allows to get the same mapping
> >> # from sid to uid because it is determined algorithmically
> >> # that way we get the same mapping even if we use samba on
> >> # several disparate systems
> >> # CHANGE NOTIFICATION: with v3.3.0 there are changes
> >> # to idmap; idmap domains is no longer supported
> >> # ---------------------------------------------------------
> >> #idmap domains = FB6
> >> #idmap backend = rid
> >> idmap backend = tdb
> >> idmap config FB6:backend   = rid
> >> #idmap config FB6:base_rid  = 0
> >> idmap config FB6:range     = 10000 - 49999
> >> idmap uid = 10000-49999
> >> idmap gid = 10000-49999
> >>
> >> winbind separator =+
> >> winbind use default domain = Yes
> >> winbind enum users = no
> >> winbind enum groups = no
> >> winbind cache time = 60
> >> winbind gid = 10000-49999
> >> winbind uid = 10000-49999
> >>
> >> template homedir = /gpfs/fbb/user/%U
> >> template shell = /opt/pware/bin/bash
> >> #use sendfile = Yes
> >> #printing = cups
> >> #ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"
> >>
> >> #-------------------------------------------------------
> >> # Logging options
> >> #
> >> #-------------------------------------------------------
> >> #
> >> # higher log levels have a negative impact on performance
> >> log level = 10
> >> log file = /opt/pware/var/log/samba.log.%m
> >> max log size = 5000000
> >> debug timestamp = yes
> >> obey pam restrictions = yes
> >> #utmp = yes
> >>
> >> #-------------------------------------------------------
> >> # ACL Support
> >> #
> >> #-------------------------------------------------------
> >> map acl inherit = yes
> >> nt acl support = yes
> >> inherit acls = yes
> >> inherit permissions = yes
> >> inherit owner = yes
> >> admin users = @"FB6+domain admins"
> >>
> >> #-------------------------------------------------------
> >> # Performance options
> >> #
> >> #-------------------------------------------------------
> >> socket options = TCP_NODELAY IPTOS_LOWDELAY
> >> include = /opt/pware/lib/fbb-projekte.conf
> >>  
> >
>
>
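
Added example, not part of the original thread and not Samba project code: a small Python parser for the log format quoted above that extracts PAM account-phase rejections (user, client address, reason), which is the signature of this problem: the user is mapped and found, then smb_pam_accountcheck rejects the logon. The sample log is a shortened copy of the excerpt in the thread; the function names parse_records and pam_account_rejections are hypothetical.

```python
import re

# Constructed sample: shortened copy of the level-10 excerpt quoted in the thread,
# including one message line wrapped by the mail client ("has" / "expired").
SAMPLE_LOG = """\
[2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
  Get_Pwnam_internals did find user [FB6+AdmMJ]!
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
  smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 132.195.123.104
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has
expired
[2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
"""

# Header line as it appears in the thread: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+?):(\w+)\((\d+)\)$")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif records and line.strip():
            # Continuation line; this also re-joins messages wrapped in transit.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def pam_account_rejections(text):
    """Return one entry per user rejected in PAM's account phase."""
    events, rhost, reason = [], None, None
    for rec in parse_records(text):
        msg = rec["msg"]
        if rec["func"] == "smb_pam_start" and "setting rhost to:" in msg:
            rhost = msg.split("setting rhost to:", 1)[1].strip()
        elif rec["func"] == "smb_pam_error_handler" and "Account Check Failed :" in msg:
            reason = msg.split("Account Check Failed :", 1)[1].strip()
        elif rec["func"] == "smb_pam_accountcheck" and "Rejecting User" in msg:
            user = msg.rsplit("Rejecting User", 1)[1].strip(" !")
            events.append({"time": rec["time"], "user": user, "rhost": rhost, "reason": reason})
            rhost = reason = None
    return events
```

With obey pam restrictions = no, smbd no longer applies PAM account and session management, so these records stop appearing and any account restriction enforced only through PAM no longer applies to SMB logons.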


