Hi, I have installed Samba 4.12.10 via yum on an AIX 7.2 system. I have also installed the Kerberos packages to authenticate Samba with Kerberos.
My objective is to allow users to access folders/files in AIX from their Windows machines.
# yum list installed | grep samba
samba.ppc 4.12.10-2 @AIX_Toolbox_72
samba-client.ppc 4.12.10-2 @AIX_Toolbox_72
samba-common.ppc 4.12.10-2 @AIX_Toolbox_72
samba-devel.ppc 4.12.10-2 @AIX_Toolbox_72
samba-libs.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind-clients.ppc 4.12.10-2 @AIX_Toolbox_72
# yum list installed | grep winbin
samba-winbind.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind-clients.ppc 4.12.10-2 @AIX_Toolbox_72
# yum list installed | grep krb5
krb5-devel.ppc 1.18.3-1 @AIX_Toolbox
krb5-libs.ppc 1.18.3-1 @AIX_Toolbox
krb5-server.ppc 1.18.3-1 @AIX_Toolbox
krb5-server-ldap.ppc 1.18.3-1 @AIX_Toolbox
krb5-workstation.ppc 1.18.3-1 @AIX_Toolbox
However, when I try to access the AIX server in Windows File Explorer: \\pc96p9 (pc96p9 is my AIX machine name)
It shows access is denied even though a correct domain username and password are provided.
Then I checked the Samba log at /var/log/samba/log.10.161.139.74 (10.161.139.74 is the Windows machine accessing AIX) and got the following error:
[2021/03/26 12:07:51.353238, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-2693943023-2014060074-1703039353-34220 -> getpwuid(100000) failed, is nsswitch configured?
[2021/03/26 12:07:51.353328, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/26 12:07:51.353351, 1] ../../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2021/03/26 12:07:51.353424, 3] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/26 12:07:51.354653, 3] ../../source3/smbd/server_exit.c:250(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Here is my /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY-OA.MY.ORG.HK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MY-OA.MY.ORG.HK = {
kdc = MYIFS28.MY-OA.MY.ORG.HK
admin_server = MYIFS28.MY-OA.ORG.HK
}
[domain_realm]
.my.org.hk = MY.ORG.HK
my.org.hk = MY.ORG.HK
Here is my /etc/samba/smb.conf:
[global]
realm = my-oa.my.org.hk
netbios name = pc96p9
workgroup = MY-OA
realm = MY-OA.MY.ORG.HK
password server = 10.67.1.92
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
security = ads
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /usr/bin/bash
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
os level = 0
wins server = 10.67.1.92
encrypt passwords = yes
server signing = auto
log file = /var/log/samba/log.%m
log level = 3
max log size = 50
[data]
comment = Public Data Share
path = /data1/winshare
public = yes
writable = yes
inherit acls = yes
inherit permissions = yes
printable = no
And here is my /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
Actually, we have Samba 3.6 running fine in an AIX 7.1 production environment; the above 3 configuration files were directly copied from the AIX 7.1 (Samba 3.6) to the new AIX 7.2 (Samba 4.12).
Can anyone please let me know if there is anything wrong in my samba configurations? Thanks in advance.
------------------------------
kin shing lee
------------------------------
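Added example (not part of the original post and not Samba project code): a Python triage of the log excerpt above that pairs each log header with its message, pulls the SID and uid out of the failed getpwuid lookup, and checks that uid against the idmap uid range in the posted smb.conf. The function names are hypothetical; the sample input is the first eight log lines and the two idmap lines copied from the post.

```python
import re

# Constructed sample input: log lines and idmap settings copied from the post above.
SAMPLE_LOG = """\
[2021/03/26 12:07:51.353238, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-2693943023-2014060074-1703039353-34220 -> getpwuid(100000) failed, is nsswitch configured?
[2021/03/26 12:07:51.353328, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/26 12:07:51.353351, 1] ../../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2021/03/26 12:07:51.353424, 3] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146
"""
SAMPLE_CONF = "idmap uid = 100000-200000\nidmap gid = 100000-200000\n"

HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\] (\S+?):(\d+)\((\w+)\)$")
LOOKUP = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_records(text):
    """Pair each '[time, level] file:line(func)' header with the message lines after it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)), "func": m.group(5), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def idmap_uid_range(conf_text):
    """Read the 'idmap uid = LOW-HIGH' range from smb.conf text, or None if absent."""
    m = re.search(r"^\s*idmap uid\s*=\s*(\d+)\s*-\s*(\d+)", conf_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(log_text, conf_text):
    """One finding per failed SID -> uid lookup, with the NT_STATUS codes logged after it."""
    records, rng, findings = parse_records(log_text), idmap_uid_range(conf_text), []
    for i, rec in enumerate(records):
        if not (m := LOOKUP.search(rec["msg"])):
            continue
        uid, statuses = int(m.group(2)), []
        for later in records[i + 1:]:
            statuses = list(dict.fromkeys(statuses + STATUS.findall(later["msg"])))
            if later["func"] == "exit_server_common":  # this smbd process ended here
                break
        findings.append({"time": rec["ts"], "sid": m.group(1), "uid": uid, "statuses": statuses,
                         "uid_in_idmap_range": bool(rng and rng[0] <= uid <= rng[1])})
    return findings
```

A uid that falls inside the idmap range means the SID was mapped to an ID, but the passwd lookup for that ID on the host returned no entry, which is the question the level-0 log line itself asks.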