Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


  • 1.  Test Thread

    Posted Mon August 18, 2025 05:07 PM
    Edited by Oscar Batista Mon August 18, 2025 05:07 PM

    Apologies for the subject; I was having issues with the permissions:

    Hello All,

     

    We have been struggling for many days now trying to make Samba work with AIX and AD. Logins to AIX with AD work, and wbinfo and lsuser -R LDAP work as well. Below is the output of the winbindd log:

     

     

    [2025/08/19 08:36:44.747777,  5] ../../source3/winbindd/winbindd.c:677(new_connection)
      Accepted client socket 23
    [2025/08/19 08:36:44.747892,  3] ../../source3/winbindd/winbindd_misc.c:358(winbindd_interface_version)
      winbindd_interface_version: [smbd (9044404)]: request interface version (version = 32)
    [2025/08/19 08:36:44.748017,  3] ../../source3/winbindd/winbindd_misc.c:401(winbindd_priv_pipe_dir)
      winbindd_priv_pipe_dir: [smbd (9044404)]: request location of privileged pipe
    [2025/08/19 08:36:44.748091,  3] ../../source3/winbindd/winbindd_misc.c:414(winbindd_priv_pipe_dir)
      winbindd_priv_pipe_dir: [smbd (9044404)]: response location of privileged pipe: (NULL)
    [2025/08/19 08:36:44.748264,  5] ../../source3/winbindd/winbindd.c:677(new_connection)
      Accepted client socket 23
    [2025/08/19 08:36:44.748357,  3] ../../source3/winbindd/winbindd.c:500(process_request_send)
      process_request_send: [smbd (9044404)] Handling async request: PAM_AUTH_CRAP
    [2025/08/19 08:36:44.750015,  1] ../../source3/lib/util.c:1569(name_to_fqdn)
      WARNING: your /etc/hosts file may be broken!
          Full qualified domain names (FQDNs) should not be specified
          as an alias in /etc/hosts. FQDN should be the first name
          prior to any aliases.
    [2025/08/19 08:36:44.752038,  3] ../../auth/kerberos/kerberos_pac.c:415(kerberos_decode_pac)
      Found account name from PAC: batisto [Oscar Batista - Spectrum]
    [2025/08/19 08:36:44.752390,  5] ../../source3/winbindd/winbindd_cache.c:195(winbindd_domain_init_backend)
      winbindd_domain_init_backend: Setting ADS methods for domain KNUCKLES
    [2025/08/19 08:36:44.752509,  5] ../../source3/winbindd/winbindd_pam.c:3515(winbindd_pam_auth_pac_verify)
      winbindd_pam_auth_pac_verify: PAC for user KNUCKLES\batisto SID S-1-5-21-1048401584-786120916-2033415169-37159 primed cache
    [2025/08/19 08:36:44.752812,  3] ../../source3/winbindd/winbindd.c:568(process_request_done)
      process_request_done: [smbd(9044404):PAM_AUTH_CRAP]: NT_STATUS_OK

     

    However, the smbclient fails:
    bash-5.2# smbclient //mp01old/igp -U batisto
    Password for [KNUCKLES\batisto]:
    session setup failed: NT_STATUS_LOGON_FAILURE
    bash-5.2#

     

    The above connection is to localhost, and it generates the log below:
      WARNING: your /etc/hosts file may be broken!
          Full qualified domain names (FQDNs) should not be specified
          as an alias in /etc/hosts. FQDN should be the first name
          prior to any aliases.
    [2025/08/19 08:36:44.756336,  0] ../../source3/auth/auth_util.c:1936(check_account)
      check_account: Failed to find local account with UID 60001 for SID S-1-5-21-1048401584-786120916-2033415169-37159 (dom_user[KNUCKLES\batisto])
    [2025/08/19 08:36:44.756507,  3] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
      smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:147
    [2025/08/19 08:36:44.757472,  3] ../../source3/smbd/server_exit.c:230(exit_server_common)
      Server exit (NT_STATUS_END_OF_FILE)

     

    From the smb.conf it would seem that it's not understanding the UID conversion, as the range is off, but I can't figure out why.

     

    Below is the full smb.conf:
    bash-5.2# grep -v ^# /etc/samba/smb.conf
    [global]
       # UNKNOWN modules dir = /opt/freeware/lib/samba
       # Identity / domain join
       # username map script  = /etc/samba/usermap.sh
       netbios name = MP01OLD
       workgroup    = KNUCKLES
       realm        = KNUCKLES.NET.NZ
       security     = ADS
       interfaces = 127.0.0.1/8 10.91.129.131/255.255.254.0
       bind interfaces only = yes
       log file = /data/logs/samba/log.%m
       log level = 3 auth:5 gensec:5 idmap:10 winbind:5
       kerberos method       = secrets and keytab
       dedicated keytab file = /etc/krb5/krb5.keytab
       #  sync machine password to keytab = yes
       # Winbind + RFC2307 (idmap_ad)
       winbind nss info = rfc2307
       idmap config * : backend = tdb
       idmap config * : range   = 60000-70000
       idmap config KNUCKLES : backend            = ad
       idmap config KNUCKLES : schema_mode        = rfc2307
       idmap config KNUCKLES : unix_primary_group = yes
       idmap config KNUCKLES : range = 200-49999
       idmap config KNUCKLES : unix_nss_info = yes
       ### winbind enum users  = yes
       ###winbind enum groups = yes

     

       # Fallbacks if RFC2307 attrs are missing on a user
       # template homedir = /home/%U
       # template shell   = /usr/bin/ksh

     

       # Protocols / auth
       client min protocol = SMB2
       map to guest = Never
       ntlm auth    = no

     

    [igp]
       path                = /home/MPTEST
       browseable          = yes
       read only           = no
       inherit permissions = yes
       inherit acls        = yes
       valid users         = @KNUCKLES\sb, KNUCKLES\batisto
       force group         = KNUCKLES\sb
       create mask         = 0660
       directory mask      = 02770


    #AIXOpenSource
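
A cross-check of the UID in the `check_account` log line against the `idmap config` ranges in the posted smb.conf, as an added example that is not part of the original post. The function names `parse_idmap` and `explain` are hypothetical, and the inline sample text is constructed from the lines quoted above.

```python
import re

# Constructed sample: idmap lines and the check_account line quoted in the post.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range   = 60000-70000
   idmap config KNUCKLES : backend            = ad
   idmap config KNUCKLES : range = 200-49999
"""
LOG_LINE = ("check_account: Failed to find local account with UID 60001 for SID "
            "S-1-5-21-1048401584-786120916-2033415169-37159 (dom_user[KNUCKLES\\batisto])")

# Anchored at line start, so commented-out ("#", ";") idmap lines never match.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
LOG_RE = re.compile(r"UID (\d+) for SID (S-[\d-]+) \(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")


def parse_idmap(conf_text):
    """Return {domain: {option: value}} with 'range' as an (lo, hi) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            val = tuple(int(x) for x in val.split("-", 1))
        domains.setdefault(dom, {})[opt] = val
    return domains


def explain(conf_text, log_line):
    """Cross-check the UID in a check_account failure against the idmap ranges."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a check_account UID/SID line")
    uid, sid, dom, user = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    idmap = parse_idmap(conf_text)
    owners = [d for d, o in idmap.items()
              if "range" in o and o["range"][0] <= uid <= o["range"][1]]
    return {"uid": uid, "sid": sid, "domain": dom, "user": user,
            "range_owners": owners,  # idmap domains whose range contains the UID
            "domain_backend": idmap.get(dom, {}).get("backend"),
            "in_domain_range": dom in owners}


if __name__ == "__main__":
    print(explain(SMB_CONF, LOG_LINE))
```

With the posted values, UID 60001 falls inside the `*` (tdb) range 60000-70000 and outside the KNUCKLES (ad) range 200-49999.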