Originally posted by: blt

Hello I have a problem accessing shares on a AIX 7.1 server which is configured as a domain member. I installed samba version 4.9.6 via yum.

config files:

/etc/netsvc.conf

passwd: files compat winbind
group: files compat winbind

in /usr/lib/security i have a symbolic link:

WINBIND -> /opt/freeware/lib/WINBIND.so

methods.cfg:

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

/etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/security/user:

default section:

SYSTEM = "WINBIND OR compat"

registry = WINBIND

Originally posted by: blt

smb.conf

Attachment(s)

smb.con.txt   1 KB 1 version

Originally posted by: blt

then start

/opt/freeware/sbin/smbd -D

/opt/freeware/sbin/nmbd -D

/opt/freeware/sbin/winbindd

Originally posted by: blt

wbinfo -u gives all users of the domain

wbinfo -g gives all groups of the domain

smbclient -L localhost -U username -d10 fails with:

SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE

Originally posted by: AyappanP

lsuser -R WINBIND ALL | grep "username" shows the user presence ?

Originally posted by: blt

lsuser -R WINBIND ALL | grep "username"

ends with no result

Originally posted by: AyappanP

If "lsuser -R WINBIND ALL" is also not showing anything, then check whether winbindd deamon is running or not. 

Please attach the samba log as well.

Originally posted by: blt

the strange thing is that lsgroup -R WINBIND "ALL" shows all the groups..

Attachment(s)

samba.log   3.12 MB 1 version

Originally posted by: blt

it looks like there is no translation to unix ids or something with the range:

[2019/07/18 13:13:23.247642, 10, pid=12255484, effective(0, 3), real(0, 3), class=idmap] ../source3/winbindd/idmap.c:520(idmap_find_domain)  idmap_find_domain called for domain 'DOMAIN'
[2019/07/18 13:13:23.247817, 10, pid=12255484, effective(0, 3), real(0, 3), class=winbind] ../source3/winbindd/idmap_ad.c:825(idmap_ad_sids_to_unixids)  idmap_ad_sids_to_unixids: Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\1C\FB\C9\E5\DF\C2#\94J\01\13\0D\9C\1F\00\00)))]
[2019/07/18 13:13:23.250104, 10, pid=12255484, effective(0, 3), real(0, 3)] ../source3/lib/tldap_util.c:395(tldap_pull_uint64)Could not find attribute uidNumber
[2019/07/18 13:13:23.250173, 10, pid=12255484, effective(0, 3), real(0, 3), class=winbind] ../source3/winbindd/idmap_ad.c:904(idmap_ad_sids_to_unixids)  idmap_ad_sids_to_unixids: No xid in CN=xxx 013,OU=(XXX) CUSTOMER X,OU=DOMAIN BV,DC=DOMAIN,DC=local
[2019/07/18 13:13:23.250261, 10, pid=12255484, effective(0, 3), real(0, 3), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:222(_wbint_Sids2UnixIDs)  _wbint_Sids2UnixIDs: id 0 is out of range 10000-999999 for domain DOMAIN
[2019/07/18 13:13:23.250348,  1, pid=12255484, effective(0, 3), real(0, 3), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)

Originally posted by: AyappanP

Not sure what is the issue. Can you try restarting smbd and winbindd daemons.

After that , try executing the wbinfo --sids-to-unix-ids=<sid_from_log_file> to see whether winbindd is able to resolve it to Unix ids. 

# wbinfo --sids-to-unix-ids=S-1-5-21-1878027269-3674594776-380744556-1104
S-1-5-21-1878027269-3674594776-380744556-1104 -> uid 10001
 

Originally posted by: blt

no that is also not working, i got a unmapped..