[Samba] Samba 3.6.0.0 w/AD Support on AIX 6.1 - Error w/Authentication

Ed.Pluskwa at cit.com
Mon Feb 13 09:02:38 MST 2012


Hello,

I've installed the pware AIX 64bit version of Samba and support filesets, but I am having an issue with authentication between the local server user and the equivalent AD user of our domain, and it will not mount the respective Samba share on my Windows desktop. Here is how our environment is set up:

# oslevel -s
6100-05-05-1112

root at livaixdssit01 [ /opt/pware64 ]
# lslpp -L | grep -i pware
  pware61-64.base.rte        6.1.0.0    C     F    64-bit pWare base for 6.1
  pware61-64.bdb.rte        4.8.30.0    C     F    Berkeley DB 4.8.30 (64-bit)
  pware61-64.cyrus-sasl.rte
  pware61-64.gettext.rte    0.18.1.1    C     F    GNU gettext 0.18.1.1 (64-bit)
  pware61-64.krb5.rte        1.9.1.0    C     F    MIT Kerberos 1.9.1 (64-bit)
  pware61-64.libiconv.rte   1.13.1.0    C     F    GNU libiconv 1.13.1 (64-bit)
  pware61-64.libtool.rte     2.4.0.0    C     F    GNU libtool 2.4 (64-bit)
  pware61-64.ncurses.rte     5.9.0.0    C     F    ncurses 5.9 (64-bit)
  pware61-64.openldap.rte   2.4.23.0    C     F    OpenLDAP 2.4.23 (64-bit)
  pware61-64.openssl.rte    0.9.8.18    C     F    OpenSSL 0.9.8r (64-bit)
  pware61-64.popt.rte       1.16.0.0    C     F    popt 1.16 (64-bit)
  pware61-64.readline.rte    6.2.0.0    C     F    GNU readline 6.2 (64-bit)
  pware61-64.samba.rte       3.6.0.0    C     F    Samba 3.6.0 (64-bit)
  pware61-64.zlib.rte        1.2.5.0    C     F    zlib 1.2.5 (64-bit)

[global]
        workgroup = CITNET
        netbios name = livaixdssit01
        server string = livaixdssit01 Samba Server
        realm = CITNET.CIT.COM
        interfaces = en4
        bind interfaces only = yes
        security = ADS
        password server = *
        username map = /opt/pware64/etc/samba/smbusers
        log file = /opt/pware64/var/log/samba/log.%m
        max log size = 1000
        ldap ssl = no
        dns proxy = no
        preferred master = no
        encrypt passwords = yes
        log level = 2
        wins server = ip.of.wins.server (changed for this post)
        read only = no
        cups options = raw
        short preserve case = no
        dos filetime resolution = yes
        client use spnego = yes
        idmap config CITNET:default = yes
        idmap config CITNET:backend = ad
        idmap config CITNET:range = 0-50000
        idmap config *:range = 0-50000
        idmap config *:backend = ad
        idmap config LIVAIXDSSIT01:range = 0-50000
        idmap config LIVAIXDSSIT01:backend = ad
        idmap config CIT:range = 0-50000
        idmap config CIT:backend = ad

[RonTest]
        comment = restricted access
        path = /home/rschwart
        create mask = 0775
        valid users =  rschwart
        read only = no
[JMc]
        comment = restricted access
        path = /home/jmccuske
        create mask = 0775
        valid users = jmccuske,root
        read only = no
[ep]
        comment = restricted access
        path = /home/epluskwa
        create mask = 0775
        valid users = epluskwa,root
        read only = no

# cat /usr/lib/security/methods.cfg
WINBIND:
        program_64 = /usr/lib/security/WINBIND_64

root at livaixdssit01 [ /opt/pware64/etc/samba ]
# cat smbusers
epluskwa="CITNET\Ed Pluskwa"
epluskwa="CITNET\LIVXPD-6PZ9QC1"

--------------------------------------------------------------
smbd, nmbd, and winbindd run under the AIX Subsystem Resource Controller in a samba group. Kerberos is also set up. I was able to join to our domain/realm successfully using the net ads join command. wbinfo -u/-g also show output of the domain users and groups. No errors here.

When I attempt to mount my samba share from my desktop I receive the following in my workstation log:
[...]
[2012/02/10 13:44:43.857741,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/10 13:44:43.861338,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CITNET\LIVXPD-6PZ9QC1$ is invalid on this system
[2012/02/10 13:44:43.862199,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 159.3.61.107 read error = NT_STATUS_END_OF_FILE.
[2012/02/10 13:44:43.871163,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/10 13:44:43.877617,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:43.877775,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/02/10 13:44:43.878662,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 159.3.61.107 read error = NT_STATUS_END_OF_FILE.
[2012/02/10 13:44:46.869879,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:46.870166,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/02/10 13:44:46.870407,  2] smbd/process.c:2445(deadtime_fn)
  Closing idle connection
[2012/02/10 13:44:47.363008,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:47.363355,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/02/10 13:44:47.363659,  2] smbd/process.c:2445(deadtime_fn)
  Closing idle connection

I'm not sure why it's attempting to authenticate my workstation name (CITNET\LIVXPD-6PZ9QC1). I put this in my smbusers file but it doesn't seem to resolve the error.

When I attempt to mount my share on my workstation it returns prompting me for my username and password instead of mounting the respective share. What am I missing in configuration or what do I have configured wrong? I cannot find up-to-date documentation for pware/AIX that would help in this case.

Is there a later patch level of 3.6.0.0 I should be running?

Thank you,

Ed
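
Added example (not part of the original post and not Samba project code): a small triage parser for the two-line smbd log format shown above, which pairs each header line with its message and reports which principal was rejected and which NT_STATUS codes each function logged. The function names `parse_records` and `summarize` are hypothetical, and the embedded sample is a constructed subset of the log lines in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the log records quoted in the post.
SAMPLE_LOG = r"""[2012/02/10 13:44:43.857741,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/10 13:44:43.861338,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CITNET\LIVXPD-6PZ9QC1$ is invalid on this system
[2012/02/10 13:44:43.877617,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/02/10 13:44:46.869879,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
INVALID_USER = re.compile(r"Username (?P<name>.+?) is invalid on this system")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), level=int(m["level"]), msg="")
            records.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def summarize(records):
    """Collect rejected principals and count NT_STATUS codes per reporting function."""
    rejected, statuses = [], Counter()
    for r in records:
        m = INVALID_USER.search(r["msg"])
        if m:
            name = m["name"]
            # A trailing '$' marks an AD computer (machine) account, not a person.
            rejected.append({"principal": name, "ts": r["ts"],
                             "machine_account": name.endswith("$")})
        for code in NT_STATUS.findall(r["msg"]):
            statuses[(r["func"], code)] += 1
    return rejected, statuses

if __name__ == "__main__":
    rejected, statuses = summarize(parse_records(SAMPLE_LOG))
    print(rejected)
    print(statuses.most_common())
```
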


