[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade

Rowland Penny rpenny at samba.org
Wed Dec 7 08:10:14 UTC 2022



On 06/12/2022 22:46, Philip Cunio via samba wrote:
> I apologize for the miscommunication and incomplete information.
> This is the situation.
> 
> AIX system #1 was running AIX 7.1 with SAMBA 14.10.6. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.10.6). SAMBA continued to function as expected.
> AIX system #2 was running AIX 7.1 with SAMBA 14.14.4. The AIX O/S of that
> system was upgraded to AIX 7.2. The SAMBA version has not changed
> (14.14.4). SAMBA now requests credentials when an attempt is made to map a
> drive. The following error is in the log for the device requesting the drive
> mapping:
> 
>   [2022/11/28 16:48:30.181656, 1] ../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text):Failed to find cifs/xxxx at YYYYY.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]

That appears to be fairly obvious: a Kerberos key cannot be found.
Perhaps the AIX crypto isn't new enough (cannot create AES keys).

> 
> The version of SAMBA is not changed when upgrading the AIX O/S.
> 
> Both systems are stand alone SAMBA servers functioning to provide the
> ability for Windows Client devices to map drives to the AIX system.
> 
> I will review the links provided in the other posts to see if they apply to
> my situation.
> 
> 
> Complete smb.conf for System #1 and #2
> [global]
>          workgroup = ZZZ
>          realm = YYYYY.COM
>          interfaces = 10.150.129.6
>          netbios name = xxxx
>          security = ADS
>          log file = /var/samba/log/log.%m
>          log level = 3  passdb:5  auth:5
>          wins server = corp-zzz-dc2.yyyyy.com

You do not use 'wins' with AD.

>          password server = corp-zzz-dc2.yyyyy.com

You should allow winbind to decide the best DC to use.

>          socket address = 10.150.129.6
>          server min protocol = SMB2
>          server signing = mandatory
>          create mask = 0666
>          follow symlinks = yes
>          unix extensions = no

The problem is that on Linux I would expect 'idmap config' lines.
At a minimum something like these:

     idmap config * : backend = autorid
     idmap config * : range = 10000-9999999

Without them, how is winbind mapping users?

Rowland
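
Added example, not part of the original message and not Samba code: a small triage helper that pulls the principal, kvno and encryption type out of the `gss_accept_sec_context` failure quoted above and compares them with a key listing, to tell a missing AES key apart from a stale key version. The function names are hypothetical, the listing is assumed to be in the `klist -ke` text layout, and both samples are constructed from the thread's placeholders.

```python
import re

# Failure text written by gse_get_server_auth_token, as quoted in the thread.
LOG_RE = re.compile(
    r"Failed to find\s+(?P<principal>\S+?)\s*\(kvno\s+(?P<kvno>\d+)\)\s+in keytab\s+"
    r"(?P<keytab>\S+?)\s*\((?P<enctype>[^)]+)\)"
)
# One entry of the assumed listing layout: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_missing_key(log_text):
    """Return (principal, kvno, enctype) the server failed to find, or None."""
    m = LOG_RE.search(" ".join(log_text.split()))  # undo log/mail line wrapping
    return (m["principal"], int(m["kvno"]), m["enctype"]) if m else None

def parse_keytab_listing(listing):
    """Return the set of (principal, kvno, enctype) entries in the listing."""
    entries = set()
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)  # header and separator lines do not match
        if m:
            entries.add((m[2], int(m[1]), m[3]))
    return entries

def diagnose(log_text, listing):
    """Classify why the key named in the log line is not usable."""
    wanted = parse_missing_key(log_text)
    if wanted is None:
        return "no-keytab-error"
    principal, kvno, _ = wanted
    entries = parse_keytab_listing(listing)
    if wanted in entries:
        return "present"
    if any(p == principal and k == kvno for p, k, _ in entries):
        return "enctype-missing"  # right kvno, but no key of that encryption type
    if any(p == principal for p, _, _ in entries):
        return "kvno-mismatch"    # keys exist, but only for another key version
    return "principal-missing"

# Constructed sample data (placeholders from the thread, '@' restored).
SAMPLE_LOG = """gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/xxxx@YYYYY.COM(kvno 4) in keytab
MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]"""
SAMPLE_LISTING = """KVNO Principal
---- ----------------------------------------
   4 cifs/xxxx@YYYYY.COM (arcfour-hmac)
   3 cifs/xxxx@YYYYY.COM (aes256-cts-hmac-sha1-96)"""
```

With the constructed listing, `diagnose(SAMPLE_LOG, SAMPLE_LISTING)` returns `"enctype-missing"`, the case the reply above suspects: a key exists for kvno 4, but not an AES256 one.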