Sure, I have added the line:
username map script = /etc/samba/usermap.ksh
to smb.conf. I have restarted winbindd, nmbd, and smbd. The log file now shows this (I tested with two accounts; the second entry is for the same account I tried in the initial post):
[2025/09/04 09:51:22.965978, 0] ../../source3/auth/token_util.c:586(add_local_groups)
add_local_groups: SID S-1-5-21-1141342763-1778295836-3201674781-6715 -> getpwuid(300005) failed, is nsswitch configured?
[2025/09/04 09:53:07.950167, 0] ../../source3/auth/token_util.c:586(add_local_groups)
add_local_groups: SID S-1-5-21-1141342763-1778295836-3201674781-399852 -> getpwuid(300000) failed, is nsswitch configured?
When I use debug level 5, I get this right before:
[2025/09/04 10:00:19.071564, 5] ../../source3/auth/auth_generic.c:131(generate_pac_session_info)
check_ntlm_password: PAM Account for user [useraccount] succeeded
[2025/09/04 10:00:19.071579, 3] ../../source3/auth/auth_generic.c:134(generate_pac_session_info)
Kerberos ticket principal name is [useraccount@DOMAIN.FULL.NAME]
[2025/09/04 10:00:19.072667, 0] ../../source3/auth/token_util.c:586(add_local_groups)
add_local_groups: SID S-1-5-21-1141342763-1778295836-3201674781-399852 -> getpwuid(300000) failed, is nsswitch configured?
[2025/09/04 10:00:19.072839, 3] ../../source3/smbd/smb2_server.c:4054(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:148
The contents of usermap.ksh are:
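#!/bin/ksh
# Samba username map script: $1 is the name given by the client;
# the mapped name, if any, is printed on stdout.
ACCOUNTNAME="$1"
DOMAINNAME="DOMAIN"
case "${ACCOUNTNAME}" in
    ${DOMAINNAME}\\root)
        # skip: print nothing for DOMAIN\root
        ;;
    ${DOMAINNAME}\\*)
        # strip the "DOMAIN\" prefix, leaving the bare account name
        printf "%s\n" "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
        ;;
esac
exit 0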
------------------------------
Henry Szablicki
------------------------------
Original Message:
Sent: Thu September 04, 2025 09:10 AM
From: Ayappan P
Subject: Toolbox Provided SAMBA not working after update
We will check on this.
Btw, the workaround worked for some users. Can you re-check the usermap script with the proper domain added in it?
------------------------------
Ayappan P
Original Message:
Sent: Wed September 03, 2025 01:00 PM
From: Henry Szablicki
Subject: Toolbox Provided SAMBA not working after update
Hello all,
Recently the Microsoft Security Updates to domain controllers broke our installation of Samba version 4.16.8 from the AIX Toolbox, starting yesterday. I have replicated the problem on a lab server and attempted to update to Samba version 4.21.7, which is the latest one available in the AIX Toolbox; however, it is experiencing the problem described here, reported in 4.21.2:
https://community.ibm.com/community/user/discussion/samba-4212-1-update-broke-samba-authentication
The workaround described in this thread did not work for me. I have also looked into other workarounds, but the most promising one (use an nss backend instead of ad) does not work on AIX, as nss is Linux only.
Any assistance at all would be greatly appreciated!
Here is the error message. AD should be reporting a UID of 1431, which is what the server also has for my local user account. Before all of this updating it worked with no change in the configuration:
[2025/09/03 10:02:03.110920, 0] ../../source3/auth/auth_util.c:1954(check_account)
check_account: Failed to find local account with UID 300000 for SID S-1-5-21-1141342763-1778295836-3201674781-399852 (dom_user[DOMAIN\useraccount])
------------------------------
Henry Szablicki
------------------------------
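One way to pull the failing SID-to-UID pairs out of an smbd log like the ones quoted in this thread, as an added example that is not part of any poster's message. The function names and the sample log (SIDs, user, domain, timestamps) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Summarises smbd log messages where a SID
# was assigned a UID with no local account, in the two forms quoted above.

# Reads smbd log text on stdin; prints "UID SID COUNT" for each unique pair.
unmapped_ids() {
    awk '
    # Form 1: add_local_groups: SID <sid> -> getpwuid(<uid>) failed, ...
    /add_local_groups: SID .* -> getpwuid\([0-9]+\) failed/ {
        sid = $0; sub(/.*SID /, "", sid); sub(/ .*/, "", sid)
        uid = $0; sub(/.*getpwuid\(/, "", uid); sub(/\).*/, "", uid)
        seen[uid " " sid]++
        next
    }
    # Form 2: check_account: Failed to find local account with UID <uid> for SID <sid>
    /check_account: Failed to find local account with UID [0-9]+ for SID / {
        uid = $0; sub(/.*with UID /, "", uid); sub(/ .*/, "", uid)
        sid = $0; sub(/.*for SID /, "", sid); sub(/ .*/, "", sid)
        seen[uid " " sid]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort -n
}

# Constructed sample log (SIDs, timestamps and UIDs are made up for the example).
sample_log() {
    cat <<'EOF'
[2025/01/01 10:00:00.000001, 5] ../../source3/auth/auth_generic.c:131(generate_pac_session_info)
  check_ntlm_password:  PAM Account for user [alice] succeeded
[2025/01/01 10:00:00.000002, 0] ../../source3/auth/token_util.c:586(add_local_groups)
  add_local_groups: SID S-1-5-21-1111111111-2222222222-3333333333-1001 -> getpwuid(300000) failed, is nsswitch configured?
[2025/01/01 10:00:01.000001, 0] ../../source3/auth/auth_util.c:1954(check_account)
  check_account: Failed to find local account with UID 300000 for SID S-1-5-21-1111111111-2222222222-3333333333-1001 (dom_user[EXAMPLE\alice])
[2025/01/01 10:00:02.000001, 0] ../../source3/auth/token_util.c:586(add_local_groups)
  add_local_groups: SID S-1-5-21-1111111111-2222222222-3333333333-1002 -> getpwuid(300005) failed, is nsswitch configured?
EOF
}

sample_log | unmapped_ids
```

Run against the logs quoted in the thread, this would list UIDs 300000 and 300005, where the original poster expected 1431 for his own account.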