[Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access shares

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 23 10:03:22 MDT 2014


On 23/10/14 16:54, ORTEGA DOMINGUEZ, GONZALO wrote:
> Hello,
>
> Thanks for your response !
>
>> Just where did you get the above two lines from ?
> I got them from an old Samba-configured machine that's working fine
> with AD users.
>
>> you need something like this:
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>          idmap config EXAMPLE : backend  = ad
>>          idmap config EXAMPLE : range = 10000-999999
>>          idmap config EXAMPLE : schema_mode = rfc2307
> I have modified smb.conf with these parameters and rejoined the domain,
> but still can not access shares.
> Now I get this error:
>
>    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2014/10/23 17:31:35.361200,  3] libads/authdata.c:304(decode_pac_data)
>    Found account name from PAC: MYUSER [ORTEGA DOMINGUEZ, GONZALO]
> [2014/10/23 17:31:35.361268,  3]
> smbd/sesssetup.c:338(reply_spnego_kerberos)
>    Ticket name is [MYUSER at MYDOMAIN.COM]
> [2014/10/23 17:31:35.361842,  1]
> smbd/sesssetup.c:454(reply_spnego_kerberos)
>    Username MYDOMAIN+MYUSER is invalid on this system
>
> Looks like a Kerberos issue; I had this error before and I included this
> in krb5.conf, but no success, so I left krb5.conf as it is in the mail:
>
> default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5
> des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5
> des-cbc-crc
>
> Any clue? Something that takes 10 minutes to configure in Aix 5.3 is
> taking me days in Aix 7.1 ....
> But I'm not sure if it's the OS.
> Do you think that the fact that it is connecting through a VPN to the DC
> may affect it (all IN-OUT ports are open and we have not seen anything
> weird in the firewall)?
>
>
>
> Gonzalo Ortega
>
>
>
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Thursday, October 23, 2014 2:08 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Aix 7.1 + Samba 3.60 + W2003 AD can not access
> shares
>
> On 23/10/14 12:33, ORTEGA DOMINGUEZ, GONZALO wrote:
>> Hello,
>>
>> I have installed and configured Samba 3.6.0 joining a Windows 2003
>> server domain.
>>
>> wbinfo -u works fine but when I try to access a share I get the
>> following error:
>>
>> Failed to find authenticated user via getpwnam(), denying access
>>
>> AIX client is connecting to the DC over a VPN.
>>
>> This is my krb5.conf:
>>
>> [libdefaults]
>>           default_realm = MYDOMAIN.COM
>>           default_keytab_name = FILE:/etc/krb5/krb5.keytab
>>           clockskew = 300
>>
>> [realms]
>>           MYDOMAIN.COM = {
>>                   kdc = dc.mydomain.com:88
>>                   admin_server = dc.mydomain.com:749
>>                   default_domain = MYDOMAIN.COM
>>           }
>>
>> [domain_realm]
>>           .mydomain.com = MYDOMAIN.COM
>>           mydomain.com = MYDOMAIN.COM
>>
>> [logging]
>>           kdc = FILE:/var/krb5/log/krb5kdc.log
>>           admin_server = FILE:/var/krb5/log/kadmin.log
>>           kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>>           default = FILE:/var/krb5/log/krb5lib.log
>>
>> And this is my smb.conf:
>>
>> [global]
>>           workgroup = MYDOMAIN
>>           realm = MYDOMAIN.COM
>>           server string = AIXCLINT
>>           netbios name = aixclient
>>           encrypt passwords = yes
>>           security = ads
>>           log file = /var/log/samba/log.%m
>>           dos filetime resolution = yes
>>           debug level = 99
>>           max log size = 1000
>>           winbinduid = 30000-40000
>>           winbindgid = 30000-40000
> Just where did you get the above two lines from ?
>
> you need something like this:
>
>           idmap config * : backend = tdb
>           idmap config * : range = 2000-9999
>           idmap config EXAMPLE : backend  = ad
>           idmap config EXAMPLE : range = 10000-999999
>           idmap config EXAMPLE : schema_mode = rfc2307
>
> Rowland
>
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>>           winbind separator = +
>>           winbind use default domain = yes
>>           read only = No
>>           lock directory = /var/locks/samba
>>           password server = dc.mydomain.com
>>           panic action = "/usr/bin/sleep 90000"
>>           socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>           bind interfaces only = Yes
>>           interfaces = en1
>>           use sendfile = Yes
>>           show add printer wizard = No
>>
>> [TMP]
>>     comment = TMP
>>     path = /tmp/MYUSER
>>     valid users = "MYDOMAIN+MYUSER"
>>
>> The same configuration on an AIX 5.3 client in the LAN works fine.
>>
>> I have unjoined and joined to the domain with many changes in Kerberos
>> and smb.conf but no success.
>>
>
Did you delete the keytab (usually /etc/krb5.keytab, well usually on 
Linux) before re-joining the machine ?

After that, I cannot think of anything more at this moment in time.

Rowland
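As an added illustration (not code from this thread or from the Samba project), a small Python checker that parses the [global] section of an smb.conf and flags the two points raised above: the winbinduid/winbindgid lines, which Samba does not recognise, and the absence of a default-domain idmap config. It goes one step beyond the thread by also checking that per-domain idmap ranges do not overlap. The sample configs are constructed from the thread, with MYDOMAIN assumed in place of EXAMPLE.

```python
import re

# Constructed samples: BAD_SMB_CONF has the poster's unrecognised winbinduid/
# winbindgid lines, GOOD_SMB_CONF the idmap layout Rowland recommended.
BAD_SMB_CONF = """[global]
    winbinduid = 30000-40000
    winbindgid = 30000-40000
    winbind separator = +
"""
GOOD_SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend  = ad
    idmap config MYDOMAIN : range = 10000-999999
    idmap config MYDOMAIN : schema_mode = rfc2307
"""
IDMAP_RE = re.compile(r"^idmap config (\S+) : (\w+)$")

def parse_global(text):
    """Return {normalised key: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("["):                  # section header
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)       # Samba keys are case-insensitive
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def check_idmap(params):
    """Return a list of findings; an empty list means the idmap layout is consistent."""
    findings, backends, ranges = [], {}, {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if key in ("winbinduid", "winbindgid"):
            findings.append(f"'{key}' is not a Samba parameter; use 'idmap config'")
        elif m and m.group(2) == "backend":
            backends[m.group(1).upper()] = value
        elif m and m.group(2) == "range":         # "low-high", inclusive
            ranges[m.group(1).upper()] = tuple(int(x) for x in value.split("-"))
    if "*" not in backends:
        findings.append("no 'idmap config * : backend' (default domain) defined")
    doms = sorted(ranges)
    for i, a in enumerate(doms):                  # pairwise overlap check
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings
```

Running `check_idmap(parse_global(open("/etc/samba/smb.conf").read()))` on a real file gives the same findings list; an empty list means the idmap section at least has a usable shape, though it says nothing about the keytab or Kerberos enctype problems discussed above.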


