[Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access shares
Rowland Penny
rowlandpenny at googlemail.com
Thu Oct 23 10:03:22 MDT 2014
On 23/10/14 16:54, ORTEGA DOMINGUEZ, GONZALO wrote:
> Hello,
>
> Thanks for your response !
>
>> Just where did you get the above two lines from ?
> I got them from an old samba configured machine that's working fine
> with AD users.
>
>> you need something like this:
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config EXAMPLE : backend = ad
>> idmap config EXAMPLE : range = 10000-999999
>> idmap config EXAMPLE : schema_mode = rfc2307
> I have modified smb.conf with these parameters and rejoined the domain,
> but still cannot access shares.
> Now I get this error:
>
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2014/10/23 17:31:35.361200, 3] libads/authdata.c:304(decode_pac_data)
> Found account name from PAC: MYUSER [ORTEGA DOMINGUEZ, GONZALO]
> [2014/10/23 17:31:35.361268, 3]
> smbd/sesssetup.c:338(reply_spnego_kerberos)
> Ticket name is [MYUSER at MYDOMAIN.COM]
> [2014/10/23 17:31:35.361842, 1]
> smbd/sesssetup.c:454(reply_spnego_kerberos)
> Username MYDOMAIN+MYUSER is invalid on this system
>
> Looks like a Kerberos issue; I had this error before and included this
> in krb5.conf but with no success, so I left krb5.conf as it is in the mail:
>
> default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5
> des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5
> des-cbc-crc
>
> Any clue? Something that takes 10 minutes to configure in AIX 5.3 is
> taking me days in AIX 7.1 ....
> But I'm not sure if it's the OS.
> Do you think that the fact that it is connecting through a VPN to the DC
> may affect this (all IN-OUT ports are open and we have not seen anything
> weird in the firewall)?
>
> Gonzalo Ortega
>
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Thursday, October 23, 2014 2:08 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access
> shares
>
> On 23/10/14 12:33, ORTEGA DOMINGUEZ, GONZALO wrote:
>> Hello,
>>
>> I have installed and configured Samba 3.6.0 joining a Windows 2003
>> server domain.
>>
>> wbinfo -u works fine but when I try to access a share I get the
>> following error:
>>
>> Failed to find authenticated user via getpwnam(), denying access
>>
>> The AIX client is connecting to the DC over a VPN.
>>
>> This is my krb5.conf:
>>
>> [libdefaults]
>> default_realm = MYDOMAIN.COM
>> default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> clockskew = 300
>>
>> [realms]
>> MYDOMAIN.COM = {
>> kdc = dc.mydomain.com:88
>> admin_server = dc.mydomain.com:749
>> default_domain = MYDOMAIN.COM
>> }
>>
>> [domain_realm]
>> .mydomain.com = MYDOMAIN.COM
>> mydomain.com = MYDOMAIN.COM
>>
>> [logging]
>> kdc = FILE:/var/krb5/log/krb5kdc.log
>> admin_server = FILE:/var/krb5/log/kadmin.log
>> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>> default = FILE:/var/krb5/log/krb5lib.log
>>
>> And this is my smb.conf:
>>
>> [global]
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.COM
>> server string = AIXCLINT
>> netbios name = aixclient
>> encrypt passwords = yes
>> security = ads
>> log file = /var/log/samba/log.%m
>> dos filetime resolution = yes
>> debug level = 99
>> max log size = 1000
>> winbinduid = 30000-40000
>> winbindgid = 30000-40000
> Just where did you get the above two lines from ?
>
> you need something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE : schema_mode = rfc2307
>
> Rowland
>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind separator = +
>> winbind use default domain = yes
>> read only = No
>> lock directory = /var/locks/samba
>> password server = dc.mydomain.com
>> panic action = "/usr/bin/sleep 90000"
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> bind interfaces only = Yes
>> interfaces = en1
>> use sendfile = Yes
>> show add printer wizard = No
>>
>> [TMP]
>> comment = TMP
>> path = /tmp/MYUSER
>> valid users = "MYDOMAIN+MYUSER"
>>
>> The same configuration on an AIX 5.3 client in the LAN works fine.
>>
>> I have unjoined and joined to the domain with many changes in Kerberos
>> and smb.conf but no success.
>>
>
Did you delete the keytab (usually /etc/krb5.keytab, well, usually on
Linux) before re-joining the machine?
After that, I cannot think of anything more at this moment in time.

Rowland
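The `idmap config` lines suggested in this thread, turned into a small checker. This is an added example, not code from the thread or from the Samba project, and it assumes nothing beyond the smb.conf line syntax itself. The two embedded smb.conf fragments are constructed from the configurations quoted above (with EXAMPLE replaced by the poster's workgroup MYDOMAIN). The checker reports a missing default (`*`) domain, a missing backend or range, malformed or overlapping ranges (Samba requires the ranges of different idmap domains not to overlap), and the `winbinduid`/`winbindgid` lines Rowland questioned, which are not `idmap config` parameters.

```python
"""Check the idmap config block of an smb.conf (added example, not Samba code)."""
import re
from itertools import combinations

# Constructed sample, mirroring the original poster's [global] section:
BROKEN_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   winbinduid = 30000-40000
   winbindgid = 30000-40000
   winbind use default domain = yes
"""

# Constructed sample, using the idmap lines suggested in the reply with
# the poster's workgroup MYDOMAIN substituted for EXAMPLE:
FIXED_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 10000-999999
   idmap config MYDOMAIN : schema_mode = rfc2307
   winbind use default domain = yes
"""

# "idmap config <domain> : <option> = <value>"
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
# Samba ignores case and whitespace inside parameter names, so "winbinduid"
# and "winbind uid" are the same key; neither is an idmap config parameter.
LEGACY_RE = re.compile(r"^\s*(winbind\s*[ug]id)\s*=", re.I)


def parse_idmap(text):
    """Collect idmap config lines as {domain: {option: value}} (options lower-cased)."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value):
    """'2000-9999' -> (2000, 9999); raises ValueError on malformed input."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_idmap(text):
    """Return a list of problems found in the idmap setup; [] means it looks sane."""
    problems = []
    domains = parse_idmap(text)
    if "*" not in domains:
        problems.append("no default domain: add 'idmap config * : backend' "
                        "and 'idmap config * : range'")
    ranges = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"idmap config {dom}: missing backend")
        if "range" not in opts:
            problems.append(f"idmap config {dom}: missing range")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            problems.append(f"idmap config {dom}: malformed range '{opts['range']}'")
            continue
        if lo >= hi:
            problems.append(f"idmap config {dom}: range low {lo} must be below high {hi}")
        ranges[dom] = (lo, hi)
    # Ranges of different idmap domains must not overlap.
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(sorted(ranges.items()), 2):
        if lo1 <= hi2 and lo2 <= hi1:
            problems.append(f"idmap ranges for {d1} ({lo1}-{hi1}) and "
                            f"{d2} ({lo2}-{hi2}) overlap")
    # The two lines questioned in the thread: not idmap config parameters.
    for line in text.splitlines():
        m = LEGACY_RE.match(line)
        if m:
            problems.append(f"'{m.group(1)}' is not an idmap config parameter; "
                            "use 'idmap config <domain> : range' instead")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
```

Two things the checker cannot see but which matter for the `getpwnam()` failure in the thread: `testparm` will already warn about parameters it does not recognise, and with `backend = ad` and `schema_mode = rfc2307` winbind only maps users and groups that carry `uidNumber`/`gidNumber` attributes in AD, so after the change `wbinfo -i MYDOMAIN+MYUSER` and `getent passwd MYDOMAIN+MYUSER` should both return an entry before a share can be expected to work.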