[Samba] [EXTERNAL] Re: SAMBA 4.14.4 now prompts for userid and password after AIX 7.1 to 7.2 Upgrade

Philip Cunio phil.cunio at inmar.com
Tue Dec 13 22:25:58 UTC 2022


Issue has been resolved by performing the net ads command on the affected
system. The net ads command had been previously done when SAMBA 4.14 was
initially installed/configured on the system last year, but for an
undetermined reason it had to be done again after the O/S upgrade.

Thanks,
Phil

On Tue, Dec 6, 2022 at 5:51 PM Philip Cunio <phil.cunio at inmar.com> wrote:

> Corrections to version.
>
> On Tue, Dec 6, 2022 at 5:46 PM Philip Cunio <phil.cunio at inmar.com> wrote:
>
>> I apologize for the miscommunication and incomplete information.
>> This is the situation.
>>
>> AIX system #1 was running AIX 7.1 with SAMBA 4.10.6. The AIX O/S of that
>> system was upgraded to AIX 7.2. The SAMBA version has not changed (4.10.6).
>> SAMBA continued to function as expected.
>> AIX system #2 was running AIX 7.1 with SAMBA 4.14.4. The AIX O/S of that
>> system was upgraded to AIX 7.2. The SAMBA version has not changed (4.14.4).
>> SAMBA now requests credentials when an attempt is made to map a drive. The
>> following error appears in the log for the device requesting the drive mapping:
>>
>>  [2022/11/28 16:48:30.181656, 1]../../source3/librpc/crypto/gse.c:666(gse_get_server_auth_token)gss_accept_sec_context failed with [ Miscellaneous failure (see text):Failed to find cifs/xxxx at YYYYY.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab(aes256-cts-hmac-sha1-96)]
>>
>> The version of SAMBA is not changed when upgrading the AIX O/S.
>>
>> Both systems are standalone SAMBA servers functioning to provide the
>> ability for Windows Client devices to map drives to the AIX system.
>>
>> I will review the links provided in the other posts to see if they apply
>> to my situation.
>>
>>
>> Complete smb.conf for System #1 and #2
>> [global]
>>         workgroup = ZZZ
>>         realm = YYYYY.COM
>>         interfaces = 10.150.129.6
>>         netbios name = xxxx
>>         security = ADS
>>         log file = /var/samba/log/log.%m
>>         log level = 3  passdb:5  auth:5
>>         wins server = corp-zzz-dc2.yyyyy.com
>>         password server = corp-zzz-dc2.yyyyy.com
>>         socket address = 10.150.129.6
>>         server min protocol = SMB2
>>         server signing = mandatory
>>         create mask = 0666
>>         follow symlinks = yes
>>         unix extensions = no
>>
>>
>> [files]
>>         comment = flat files
>>         path = /data/unload/flat_files
>>         read only = No
>>         wide links = Yes
>>
>> [upload]
>>         comment = Informix group upload
>>         path = /data/unload/infmx_grp
>>         read only = No
>>
>>
>> On Mon, Dec 5, 2022 at 1:56 PM Vaughan, Robert J via samba <
>> samba at lists.samba.org> wrote:
>>
>>> > I knew you were going to say that, but I am running a Solaris 11
>>> > domain member from OS package Samba that reports version 4.13.8 without
>>> > winbind with several hundred users right now
>>> >
>>> > And same experience on Red Hat 7 and 8 (reported versions a bit
>>> > different but newer than 4.8)
>>> >
>>> > It complains about no winbind in the logs but yet it works
>>> >
>>>
>>> >> If you read here (under the heading 'Samba 4.8.0'):
>>> >>
>>> >> https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed
>>> >>
>>> >> It states:
>>> >>
>>> >> Domain member setups require winbindd
>>> >>
>>> >> Setups with "security = domain" or "security = ads" require a running
>>> >> 'winbindd' now. The fallback that smbd directly contacts domain
>>> >> controllers is gone.
>>> >>
>>> >> So, unless I have understood it wrong, if you are running Samba as a
>>> >> Unix domain member, from version 4.8.0 you must run winbind.
>>> >>
>>> >> The only way around this that I can think of, is that Samba has been
>>> >> patched to allow smbd to work in the old way, where it could contact the
>>> >> domain controller directly.
>>> >>
>>> >> The other possibility is that you are not actually running a Unix domain
>>> >> member, you are running a standalone server.
>>>
>>> I can only imagine that the OS vendors did the patch you suggest. In
>>> fact when I had a ticket open with Oracle about it they did seem to suggest
>>> they had done something to keep the fallback working for a while, but could
>>> no longer do that
>>>
>>> Thanks,
>>>
>>> Robert Vaughan
>>>
>>>
>>

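The log line quoted in the thread names the exact key the server could not find: principal, kvno and encryption type. As an added example, not part of the original messages, this sh script extracts those three fields and compares them with a list of keys the server holds. The host and realm names, the sample data and the three-column key-list layout are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample data: host and realm are placeholders, not values from the thread.
# The list archive shows "@" as " at "; the sample uses the "@" form.
SAMPLE_LOG='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fileserver@EXAMPLE.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]'

# Keys the server holds, one per line as "kvno enctype principal" (assumed layout).
SAMPLE_KEYS='  3 aes256-cts-hmac-sha1-96 cifs/fileserver@EXAMPLE.COM
  3 aes128-cts-hmac-sha1-96 cifs/fileserver@EXAMPLE.COM
  3 aes256-cts-hmac-sha1-96 host/fileserver@EXAMPLE.COM'

# Read log text on stdin; print "principal kvno enctype" for each missing-key message.
parse_missing_key() {
  sed -n -E 's/.*Failed to find ([^ (]+)\(kvno ([0-9]+)\) in keytab [^ (]+ ?\(([^)]+)\).*/\1 \2 \3/p'
}

# $1 = log text, $2 = key list. Print why the first requested key was not found.
diagnose() {
  want=$(printf '%s\n' "$1" | parse_missing_key | head -n 1)
  [ -n "$want" ] || { echo "no-keytab-error"; return 0; }
  printf '%s\n' "$2" | awk -v want="$want" '
    BEGIN { split(want, w, " ") }          # w[1]=principal, w[2]=kvno, w[3]=enctype
    $1 !~ /^[0-9]+$/ { next }              # skip headers and blank lines
    $3 == w[1] {
      seen = 1
      if ($2 == w[3]) { etype_ok = 1; have = have " " $1; if ($1 == w[2]) found = 1 }
    }
    END {
      if (found)          print "present"
      else if (!seen)     print "principal-missing"
      else if (!etype_ok) print "enctype-missing"
      else                print "kvno-mismatch want=" w[2] " have=" substr(have, 2)
    }'
}

diagnose "$SAMPLE_LOG" "$SAMPLE_KEYS"   # prints: kvno-mismatch want=4 have=3
```

The verdict separates a stale key version from a missing principal or encryption type, which the log message alone does not distinguish.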