[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade
Rowland Penny
rpenny at samba.org
Wed Dec 7 08:10:14 UTC 2022
On 06/12/2022 22:46, Philip Cunio via samba wrote:
> I apologize for the miscommunication and incomplete information.
> This is the situation.
>
> AIX system #1 was running AIX 7.1 with SAMBA 14.10.6. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.10.6). SAMBA continued to function as expected.
> AIX system #2 was running AIX 7.1 with SAMBA 14.14.4. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.14.4). SAMBA now requests credentials when an attempt is made to map a
> drive. The following error in the log for the device requesting the drive
> mapping:
>
> [2022/11/28 16:48:30.181656,
> 1]../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)gss_accept_sec_context
> failed with [ Miscellaneous failure (see text):Failed to find cifs/
> xxxx at YYYYY.COM(kvno 4) in keytab
> MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]
That appears to be fairly obvious, a Kerberos key cannot be found,
perhaps the AIX crypto isn't new enough (cannot create AES keys).
>
> The version of SAMBA is not changed when upgrading the AIX O/S.
>
> Both systems are stand alone SAMBA servers functioning to provide the
> ability for Windows Client devices to map drives to the AIX system.
>
> I will review the links provided in the other posts to see if they apply to
> my situation.
>
>
> Complete smb.conf for System #1 and #2
> [global]
> workgroup = ZZZ
> realm = YYYYY.COM
> interfaces = 10.150.129.6
> netbios name = xxxx
> security = ADS
> log file = /var/samba/log/log.%m
> log level = 3 passdb:5 auth:5
> wins server = corp-zzz-dc2.yyyyy.com
You do not use 'wins' with AD.
> password server = corp-zzz-dc2.yyyyy.com
You should allow winbind to decide the best DC to use.
> socket address = 10.150.129.6
> server min protocol = SMB2
> server signing = mandatory
> create mask = 0666
> follow symlinks = yes
> unix extensions = no
The problem is that on Linux I would expect 'idmap config' lines.
At a minimum something like these:
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
Without them, how is winbind mapping users?
Rowland
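
Added example, not part of the original message and not Samba code: a small triage helper that pulls the principal, kvno and encryption type out of a "Failed to find ... in keytab" message like the one quoted above and compares them with the keys a server actually holds. The host name, realm, key lists and result labels are constructed for illustration, and principals are compared as exact strings (an assumption).

```python
import re

# Matches "Failed to find <principal>(kvno N) in keytab <name>(<enctype>)".
# \s+ between tokens tolerates the line wrapping seen in archived logs.
MISSING_KEY = re.compile(
    r"Failed to find\s+(?P<principal>\S+?)\s*\(kvno\s+(?P<kvno>\d+)\)"
    r"\s+in\s+keytab\s+(?P<keytab>\S+?)\s*\((?P<enctype>[A-Za-z0-9-]+)\)"
)

def parse_missing_key(log_text):
    """Return (principal, kvno, enctype) the server failed to find, or None."""
    m = MISSING_KEY.search(log_text)
    if m is None:
        return None
    return m["principal"], int(m["kvno"]), m["enctype"]

def diagnose(wanted, keys):
    """Classify the failure against keys given as (principal, kvno, enctype)."""
    principal, kvno, enctype = wanted
    mine = [(k, e) for p, k, e in keys if p == principal]
    if not mine:
        return "principal-missing"   # no key at all for this service name
    if (kvno, enctype) in mine:
        return "present"             # key exists; look elsewhere
    if any(k == kvno for k, _ in mine):
        return "enctype-missing"     # right key version, no key of that type
    return "kvno-mismatch"           # server keys are from another version

# Constructed sample input (placeholder host and realm).
SAMPLE_LOG = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text):"
    "Failed to find cifs/fileserver@EXAMPLE.COM(kvno 4) in keytab\n"
    "MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]"
)
SPN = "cifs/fileserver@EXAMPLE.COM"
KEYS_NO_AES = [(SPN, 4, "arcfour-hmac")]                 # no AES key derived
KEYS_STALE = [(SPN, 3, "aes256-cts-hmac-sha1-96"),
              (SPN, 3, "arcfour-hmac")]                  # older key version

if __name__ == "__main__":
    wanted = parse_missing_key(SAMPLE_LOG)
    print(wanted, diagnose(wanted, KEYS_NO_AES), diagnose(wanted, KEYS_STALE))
```

An "enctype-missing" result corresponds to the case suggested in the reply above, where the server has keys for the right version but none of the AES type the ticket was encrypted with.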