
samba share access with AD, not working

  • 1.  samba share access with AD, not working

    Posted Fri July 08, 2022 09:30 AM
    Hi,
    We are trying to test Samba with an AD join, but it is giving the error below in the samba.log file.
    Let me know how to fix the issue.

    [2022/07/07 18:39:24.927453, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
    Registered MSG_REQ_POOL_USAGE
    [2022/07/07 18:39:24.927890, 3] ../../lib/util/access.c:372(allow_access)
    Allowed connection from 10.242.145.213 (10.242.145.213)
    [2022/07/07 18:39:24.928408, 3] ../../source3/smbd/oplock.c:1427(init_oplocks)
    init_oplocks: initializing messages.
    [2022/07/07 18:39:24.928510, 3] ../../source3/smbd/process.c:1957(process_smb)
    Transaction 0 of length 240 (0 toread)
    [2022/07/07 18:39:24.928927, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
    Selected protocol SMB3_11
    [2022/07/07 18:39:24.930217, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'gssapi_spnego' registered
    [2022/07/07 18:39:24.930247, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'gssapi_krb5' registered
    [2022/07/07 18:39:24.930273, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'gssapi_krb5_sasl' registered
    [2022/07/07 18:39:24.930299, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'spnego' registered
    [2022/07/07 18:39:24.930325, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'schannel' registered
    [2022/07/07 18:39:24.930351, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'naclrpc_as_system' registered
    [2022/07/07 18:39:24.930377, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'sasl-EXTERNAL' registered
    [2022/07/07 18:39:24.930404, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'ntlmssp' registered
    [2022/07/07 18:39:24.930437, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'ntlmssp_resume_ccache' registered
    [2022/07/07 18:39:24.930463, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_basic' registered
    [2022/07/07 18:39:24.930490, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_ntlm' registered
    [2022/07/07 18:39:24.930515, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_negotiate' registered
    [2022/07/07 18:39:24.978304, 3] ../../source3/winbindd/winbindd_misc.c:433(winbindd_interface_version)
    winbindd_interface_version: [<unknown> (6619598)]: request interface version (version = 31)
    [2022/07/07 18:39:24.978466, 3] ../../source3/winbindd/winbindd_misc.c:471(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (6619598)]: request location of privileged pipe
    [2022/07/07 18:39:24.978527, 3] ../../source3/winbindd/winbindd_misc.c:484(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (6619598)]: response location of privileged pipe: (NULL)
    [2022/07/07 18:39:24.979099, 3] ../../auth/kerberos/kerberos_pac.c:415(kerberos_decode_pac)
    Found account name from PAC: rahmanm [Rahman, Mizanur]
    [2022/07/07 18:39:24.981737, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (6619598)] getpwnam hdmc\rahmanm
    [2022/07/07 18:39:24.986534, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (6619598)] getpwnam HDMC\rahmanm
    [2022/07/07 18:39:24.987227, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (6619598)] getpwnam HDMC\RAHMANM
    [2022/07/07 18:39:24.987751, 0] ../../source3/auth/auth_util.c:1914(check_account)
    check_account: Failed to convert SID S-1-5-21-117609710-1482476501-1801674531-1899368 to a UID (dom_user[HDMC\rahmanm])
    [2022/07/07 18:39:24.987896, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
    [2022/07/07 18:39:25.030099, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)
    [2022/07/07 18:39:26.418186, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/07 18:39:26.418353, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    / #


    # oslevel -s
    7200-05-04-2220

    / # rpm -qs |grep samba
    rpm: no arguments given for query
    testlpm2:/ #
    testlpm2:/ #
    testlpm2:/ # oslevel -s
    7200-05-04-2220
    testlpm2:/ #
    testlpm2:/ #
    testlpm2:/ # rpm -qa |grep samba
    samba-client-4.14.12-1.ppc
    samba-devel-4.14.12-1.ppc
    samba-winbind-4.14.12-1.ppc
    samba-4.14.12-1.ppc
    samba-test-4.14.12-1.ppc
    samba-winbind-krb5-locator-4.14.12-1.ppc
    samba-common-4.14.12-1.ppc
    samba-libs-4.14.12-1.ppc
    samba-winbind-clients-4.14.12-1.ppc
    samba-test-libs-4.14.12-1.ppc
    samba-python3-4.14.12-1.ppc
    samba-winbind-devel-4.14.12-1.ppc
    samba-pidl-4.14.12-1.ppc
    / #

    Here is our smb.conf file...

    # cat /etc/samba/smb.conf

    [global]
    security = ADS
    workgroup = HDMC
    realm = HDMC.HARLEY-DAVIDSON.COM
    log file = /var/log/samba/samba.log
    log level = 3
    dos filemode = yes

    template shell = /bin/bash
    template homedir = /home/%U

    socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config HDMC : backend = rid
    idmap config HDMC : range = 10000-99999999

    [tmp]
    path = /tmp
    valid users = @staff
    read only = no
    vfs objects = aixacl2


    / #

    /#cat /etc/methods.cfg
    WINBIND:
    program = /usr/lib/security/WINBIND
    program_64 = /usr/lib/security/WINBIND_64
    options = authonly

    NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64


    DCE:
    program = /usr/lib/security/DCE

    KRB5:
    program = /usr/lib/security/KRB5
    program_64 = /usr/lib/security/KRB5_64
    options = authonly,is_kadmind_compat=no

    KRB5files:
    options = db=BUILTIN,auth=KRB5

     #

    # ps -ef |grep samba
    root 5046710 1 0 Jun 20 - 1:17 /opt/freeware/sbin/nmbd -D -s /etc/samba/smb.conf
    root 6160854 1 0 Jun 20 - 0:00 /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
    root 7078222 7340516 0 Jun 20 - 0:02 /opt/freeware/sbin/winbindd -s /etc/samba/smb.conf
    root 7143916 6160854 0 Jun 20 - 0:00 /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
    root 7209446 6160854 0 Jun 20 - 0:00 /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
    root 7340516 1 0 Jun 20 - 0:03 /opt/freeware/sbin/winbindd -s /etc/samba/smb.conf
    root 7471596 6160854 0 Jun 20 - 0:00 /opt/freeware/sbin/smbd -D -s /etc/samba/smb.conf
    root 7602674 7340516 0 Jun 20 - 0:04 /opt/freeware/sbin/winbindd -s /etc/samba/smb.conf


    #:/opt/freeware/sbin # smbstatus

    Samba version 4.14.12
    PID Username Group Machine Protocol Version Encryption Signing
    ----------------------------------------------------------------------------------------------------------------------------------------

    Service pid Machine Connected at Encryption Signing
    ---------------------------------------------------------------------------------------------

    No locked files

    :/opt/freeware/sbin # smbclient -L //testlpm2/tmp
    Enter HDMC\root's password:
    Anonymous login successful

    Sharename Type Comment
    --------- ---- -------
    tmp Disk
    IPC$ IPC IPC Service (Samba 4.14.12)
    SMB1 disabled -- no workgroup available
    :/opt/freeware/sbin #


     # cat /etc/krb5/krb5.conf
    [libdefaults]
    default_realm = HDMC.HARLEY-DAVIDSON.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc aes128-cts
    default_tgs_enctypes = des3-cbc-sha1 aes256-cts aes128-cts arcfour-hmac des-cbc-md5 des-cbc-crc aes128-cts

    [realms]
    HDMC.HARLEY-DAVIDSON.COM = {
    kdc = HDWPADDS01.hdmc.harley-davidson.com:88
    admin_server = HDWPADDS01.hdmc.harley-davidson.com:749
    default_domain = HDMC.HARLEY-DAVIDSON.COM
    }

    [domain_realm]
    .HDMC.HARLEY-DAVIDSON.COM = HDMC.HARLEY-DAVIDSON.COM
    HDWPADDS01.hdmc.harley-davidson.com = HDMC.HARLEY-DAVIDSON.COM

    [logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    default = FILE:/var/krb5/log/krb5lib.log

    / #

    # wbinfo --name-to-sid rahmanm
    S-1-5-21-117609710-1482476501-1801674531-1899368 SID_USER (1)

    # ls -la /usr/lib/security/WINBIND
    lrwxrwxrwx 1 root system 28 Jul 6 15:35 /usr/lib/security/WINBIND -> /opt/freeware/lib/WINBIND.so
    testlpm2:/opt/freeware/lib #


    /etc/security/user (in particular SYSTEM and registry option)
    default:
    admin = false
    login = true
    su = true
    daemon = true
    rlogin = true
    sugroups =
    admgroups =
    ttys = ALL
    auth1 = SYSTEM
    auth2 = NONE
    tpath = nosak
    umask = 022
    expires = 0
    SYSTEM = "WINBIND or compat"
    registry = WINBIND


    Thanks, 
    HD Team

    ------------------------------
    Harley AIX
    ------------------------------


  • 2.  RE: samba share access with AD, not working

    Posted Mon July 11, 2022 11:04 AM
    Still getting the error below in samba.log.
    Looks like something is missing with winbindd.
    Any idea?



    [2022/07/08 19:04:41.629939, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_ntlm' registered
    [2022/07/08 19:04:41.629966, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_negotiate' registered
    [2022/07/08 19:04:41.631027, 3] ../../source3/smbd/negprot.c:777(reply_negprot)
    Selected protocol SMB 2.???
    [2022/07/08 19:04:41.671102, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
    Selected protocol SMB3_11
    [2022/07/08 19:04:41.995676, 3] ../../source3/winbindd/winbindd_misc.c:433(winbindd_interface_version)
    winbindd_interface_version: [<unknown> (15728960)]: request interface version (version = 31)
    [2022/07/08 19:04:41.995814, 3] ../../source3/winbindd/winbindd_misc.c:471(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (15728960)]: request location of privileged pipe
    [2022/07/08 19:04:41.995870, 3] ../../source3/winbindd/winbindd_misc.c:484(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (15728960)]: response location of privileged pipe: (NULL)
    [2022/07/08 19:04:41.996335, 3] ../../auth/kerberos/kerberos_pac.c:415(kerberos_decode_pac)
    Found account name from PAC: rahmanm [Rahman, Mizanur]
    [2022/07/08 19:04:41.998710, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (15728960)] getpwnam hdmc\rahmanm
    [2022/07/08 19:04:42.003430, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (15728960)] getpwnam HDMC\rahmanm
    [2022/07/08 19:04:42.004118, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (15728960)] getpwnam HDMC\RAHMANM
    [2022/07/08 19:04:42.004626, 0] ../../source3/auth/auth_util.c:1914(check_account)
    check_account: Failed to convert SID S-1-5-21-117609710-1482476501-1801674531-1899368 to a UID (dom_user[HDMC\rahmanm])
    [2022/07/08 19:04:42.004755, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
    [2022/07/08 19:04:42.048467, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)
    [2022/07/08 19:04:45.470626, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/08 19:04:45.470763, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/08 19:04:48.476331, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/08 19:04:48.476494, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    testlpm2:/ #

    ------------------------------
    Harley AIX
    ------------------------------



  • 3.  RE: samba share access with AD, not working

    Posted Mon July 11, 2022 11:05 AM
    Any idea? Please let me know.

    ------------------------------
    Harley AIX
    ------------------------------



  • 4.  RE: samba share access with AD, not working

    Posted Mon July 11, 2022 11:05 AM
    Try 'net ads testjoin' and 'wbinfo -t' to test the join status. Do they return successfully?

    ------------------------------
    Slawomir Ksiazek
    ------------------------------



  • 5.  RE: samba share access with AD, not working

    Posted Tue July 12, 2022 09:19 AM
    Hi, 
    :/ # wbinfo -t
    checking the trust secret for domain HDMC via RPC calls succeeded
    :/ #

    :/ # wbinfo --ping-dc
    checking the NETLOGON for domain[HDMC] dc connection to "hdwpadds02.hdmc.harley-davidson.com" succeeded

    :/ # wbinfo --name-to-sid rahmanm
    S-1-5-21-117609710-1482476501-1801674531-1899368 SID_USER (1)
    :/ #

    In /var/log/samba/log.winbindd-idmap we see the errors below logged:

    [2022/07/11 12:15:03.793503, 3] ../../source3/libsmb/namequery.c:2388(resolve_hosts)
    resolve_hosts: Attempting host lookup for name hdwpadds02.hdmc.harley-davidson.com<0x20>
    [2022/07/11 12:15:03.795555, 3] ../../source3/lib/util_sock.c:447(open_socket_out_send)
    Connecting to 10.240.25.22 at port 389
    [2022/07/11 12:15:03.797300, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
    ldb_wrap open of secrets.ldb
    [2022/07/11 12:15:03.804405, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.21
    [2022/07/11 12:15:03.805496, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.22
    [2022/07/11 12:15:06.806918, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.24.122
    [2022/07/11 12:15:06.808546, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.21
    [2022/07/11 12:15:06.809703, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.22
    [2022/07/11 12:15:09.811092, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.24.122
    [2022/07/11 12:15:09.811457, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.21
    [2022/07/11 12:15:09.812470, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.22
    [2022/07/11 12:15:12.814072, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
    Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.24.122
    [2022/07/11 12:15:12.814204, 3] ../../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_creds)
    Cannot reach a KDC we require to contact (NULL) : kinit for TESTLPM2$@HDMC.HARLEY-DAVIDSON.COM failed (Cannot contact any KDC for requested realm)

    [2022/07/11 12:15:12.814256, 3] ../../auth/gensec/spnego.c:368(gensec_spnego_create_negTokenInit_step)
    gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/hdwpadds02.hdmc.harley-davidson.com failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
    [2022/07/11 12:15:12.815832, 3] ../../auth/ntlmssp/ntlmssp_client.c:277(ntlmssp_client_challenge)
    Got challenge flags:
    [2022/07/11 12:15:12.815867, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
    Got NTLMSSP neg_flags=0x62898235
    [2022/07/11 12:15:12.816091, 3] ../../auth/ntlmssp/ntlmssp_client.c:826(ntlmssp_client_challenge)
    NTLMSSP: Set final flags:
    [2022/07/11 12:15:12.816117, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
    Got NTLMSSP neg_flags=0x62088235
    [2022/07/11 12:15:12.816147, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
    NTLMSSP Sign/Seal - Initialising with flags:
    [2022/07/11 12:15:12.816175, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
    Got NTLMSSP neg_flags=0x62088235
    [2022/07/11 12:15:12.818565, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
    NTLMSSP Sign/Seal - Initialising with flags:
    [2022/07/11 12:15:12.818604, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
    Got NTLMSSP neg_flags=0x62088235
    :/ #

    In samba.log, the error below is logged:

    [2022/07/11 12:15:31.980053, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
    GENSEC backend 'http_negotiate' registered
    [2022/07/11 12:15:32.315077, 3] ../../source3/winbindd/winbindd_misc.c:433(winbindd_interface_version)
    winbindd_interface_version: [<unknown> (17957250)]: request interface version (version = 31)
    [2022/07/11 12:15:32.315223, 3] ../../source3/winbindd/winbindd_misc.c:471(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (17957250)]: request location of privileged pipe
    [2022/07/11 12:15:32.315282, 3] ../../source3/winbindd/winbindd_misc.c:484(winbindd_priv_pipe_dir)
    winbindd_priv_pipe_dir: [<unknown> (17957250)]: response location of privileged pipe: (NULL)
    [2022/07/11 12:15:32.315767, 3] ../../auth/kerberos/kerberos_pac.c:415(kerberos_decode_pac)
    Found account name from PAC: rahmanm [Rahman, Mizanur]
    [2022/07/11 12:15:32.318142, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (17957250)] getpwnam hdmc\rahmanm
    [2022/07/11 12:15:32.322961, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (17957250)] getpwnam HDMC\rahmanm
    [2022/07/11 12:15:32.323655, 3] ../../source3/winbindd/winbindd_getpwnam.c:62(winbindd_getpwnam_send)
    winbindd_getpwnam_send: [<unknown> (17957250)] getpwnam HDMC\RAHMANM
    [2022/07/11 12:15:32.324165, 0] ../../source3/auth/auth_util.c:1914(check_account)
    check_account: Failed to convert SID S-1-5-21-117609710-1482476501-1801674531-1899368 to a UID (dom_user[HDMC\rahmanm])
    [2022/07/11 12:15:32.324282, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
    [2022/07/11 12:15:32.367053, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)
    [2022/07/11 12:16:00.062122, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:00.062260, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:03.065824, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:03.065968, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:36.112255, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:36.112411, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:39.120422, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    [2022/07/11 12:16:39.120567, 3] ../../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
    process_name_query_request: Name query from 10.240.96.191 on subnet 10.240.96.252 for name HDLPFILE01V1<20>
    :/ #

    Let me know how to fix it. 

    Thanks,
    H-D Team.


    ------------------------------
    Harley AIX
    ------------------------------



  • 6.  RE: samba share access with AD, not working

    Posted Wed July 13, 2022 09:37 AM


    I'm not fully sure, but based on the above it seems that your Samba host is not able to establish communication with the KDC servers:

    ```
    Cannot reach a KDC we require to contact (NULL) : kinit for TESTLPM2$@HDMC.HARLEY-DAVIDSON.COM failed (Cannot contact any KDC for requested realm)
    ```
    Anyway, you may use the following commands to check authentication using Kerberos:

    kinit Administrator
    or kinit <KDC_USER>

    To verify the keytab was acquired correctly, you can use:

    klist

    "klist" must show an active ticket from "kinit".

    then

    net ads testjoin

    Regards,


    ------------------------------
    Slawomir Ksiazek
    ------------------------------
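An added example, not part of the thread or of Samba: a shell function that tallies the Kerberos failures in a winbindd log like the one quoted in post 5, reporting per address how often and between which timestamps the connection was refused, and which principal's kinit failed. The function names are hypothetical and the sample input is an excerpt built from that log.

```shell
#!/bin/sh
# Sample input: an excerpt constructed from the log.winbindd-idmap lines in post 5.
sample_winbindd_log() {
    cat <<'EOF'
[2022/07/11 12:15:03.804405, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
  Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.21
[2022/07/11 12:15:03.805496, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
  Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.22
[2022/07/11 12:15:06.806918, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
  Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.24.122
[2022/07/11 12:15:06.808546, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
  Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.21
[2022/07/11 12:15:06.809703, 2] ../../source4/auth/kerberos/krb5_init_context.c:379(smb_krb5_send_and_recv_func_int)
  Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.240.25.22
[2022/07/11 12:15:12.814204, 3] ../../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_creds)
  Cannot reach a KDC we require to contact (NULL) : kinit for TESTLPM2$@HDMC.HARLEY-DAVIDSON.COM failed (Cannot contact any KDC for requested realm)
EOF
}

# kdc_failures: read a Samba log on stdin and print
#   kdc <status> <address> <count> <first-seen> <last-seen>
#   kinit_failed <principal> <time>
# Samba writes a header line "[date time, level] file:line(func)" and then the
# message on the following line, so the timestamp is carried over from the header.
kdc_failures() {
    awk '
        $1 ~ /^\[[0-9]/ {                    # header line: remember its time
            ts = $2; sub(/,$/, "", ts); next
        }
        /Error reading smb_krb5 reply packet:/ {
            key = $(NF - 2) " " $NF          # status and peer address
            if (!(key in count)) first[key] = ts
            count[key]++; last[key] = ts
            next
        }
        {                                    # "... kinit for <principal> failed ..."
            for (i = 1; i + 3 <= NF; i++)
                if ($i == "kinit" && $(i + 1) == "for" && $(i + 3) == "failed") {
                    principal = $(i + 2); failed_at = ts
                }
        }
        END {
            for (key in count) print "kdc", key, count[key], first[key], last[key]
            if (principal != "") print "kinit_failed", principal, failed_at
        }
    ' | LC_ALL=C sort
}

sample_winbindd_log | kdc_failures
```

On a live system the same function can be fed the real file, for example `kdc_failures < /var/log/samba/log.winbindd-idmap`.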



  • 7.  RE: samba share access with AD, not working

    Posted Wed July 20, 2022 09:14 AM
    Hi,
    My test server joined AD fine.
    When I try to run some smb or Samba related commands, I get the errors below:

    / # smbstatus
    Can't load /usr/lib/smb.conf - run testparm to debug it

    :/opt/freeware/bin # ./smbstatus
    Could not load program ./smbstatus:
    Could not load module /opt/freeware/lib/libsmbconf.so.
    Dependent module /usr/lib/libiconv.a(libiconv.so.2) could not be loaded.
    Member libiconv.so.2 is not found in archive
    Could not load module smbstatus.
    Dependent module /opt/freeware/lib/libsmbconf.so could not be loaded.

    :/opt/freeware/bin # export PATH=/opt/freeware/bin:/opt/freeware/sbin:$PATH

    :/opt/freeware/bin # smbstatus
    Could not load program smbstatus:
    Could not load module /opt/freeware/lib/libsmbconf.so.
    Dependent module /usr/lib/libiconv.a(libiconv.so.2) could not be loaded.
    Member libiconv.so.2 is not found in archive
    Could not load module smbstatus.
    Dependent module /opt/freeware/lib/libsmbconf.so could not be loaded.

    :/ # rpm -qa |grep samba
    samba-common-4.14.12-1.ppc
    samba-winbind-4.14.12-1.ppc
    samba-libs-4.14.12-1.ppc
    samba-test-libs-4.14.12-1.ppc
    samba-test-4.14.12-1.ppc
    samba-winbind-krb5-locator-4.14.12-1.ppc
    samba-pidl-4.14.12-1.ppc
    samba-client-4.14.12-1.ppc
    samba-devel-4.14.12-1.ppc
    samba-winbind-clients-4.14.12-1.ppc
    samba-4.14.12-1.ppc
    samba-python3-4.14.12-1.ppc
    samba-winbind-devel-4.14.12-1.ppc


    How can we fix the issue?

    Thanks,
    HD Team

    ------------------------------
    Harley AIX
    ------------------------------



  • 8.  RE: samba share access with AD, not working

    Posted Thu July 21, 2022 10:25 AM
    Hi there,

    Please follow the steps below to check whether libiconv.a contains the libiconv.so.2 module.
    Here are the steps from my test environment (Samba 4.10.13, libiconv 1.16-1):

    /opt/freeware/bin# ldd ./smbstatus|grep libiconv
    ..
    /opt/freeware/lib/libiconv.a(libiconv.so.2)
    ..

    Then go to the /opt/freeware/lib/ directory and check whether libiconv.a contains the module libiconv.so.2:
    /opt/freeware/bin# cd ../lib
    /opt/freeware/lib# ls -l libiconv*
    -rw-r--r-- 1 root system 3047656 Oct 6 2020 libiconv.a
    /opt/freeware/lib# ar -t -v libiconv.a
    rwxr-xr-x 3262/1 1115895 May 21 09:04 2020 libiconv.so.2
    r--r--r-- 0/0 237515 Oct 6 22:13 2020 shr4.o
    r--r--r-- 0/0 237637 Oct 6 22:13 2020 shr.o


    If you do happen to have the rpm/GNU version of libiconv installed,
    then perhaps it is an issue with the user's LIBPATH, which may need to be updated to include /opt/freeware/lib.
    The GNU libiconv package can be obtained from AIX Toolbox for Linux Applications Downloads:
    https://www.ibm.com/support/pages/node/883796


    Good luck

    Slawek

    ------------------------------
    Slawomir Ksiazek
    ------------------------------



  • 9.  RE: samba share access with AD, not working

    Posted Thu July 21, 2022 11:37 AM
    Hi, 

    :/ # smbstatus
    Can't load /usr/lib/smb.conf - run testparm to debug it
    :/ # cd /opt/freeware/bin

    :/opt/freeware/bin # ldd ./smbstatus|grep libiconv
    /usr/lib/libiconv.a(libiconv.so.2)
    ar: 0707-109 Member name libiconv.so.2 does not exist.
    dump: /tmp/tmpdir40960278/extract/libiconv.so.2: 0654-106 Cannot open the specified file.
    /usr/lib/libiconv.a(shr4.o)
    /opt/freeware/lib/libiconv.a(libiconv.so.2)

    :/opt/freeware/bin # cd /opt/freeware/lib
    :/opt/freeware/lib # ls -l libiconv*
    -rw-r--r-- 1 root system 3205011 Jul 19 15:41 libiconv.a

    :/opt/freeware/lib #
    :/opt/freeware/lib # ar -t -v libiconv.a
    rwxr-xr-x 203/1 1195058 Jun 2 04:18 2022 libiconv.so.2
    rwxr-x--- 0/0 234296 Jul 19 15:41 2022 shr4.o
    rwxr-x--- 0/0 234546 Jul 19 15:41 2022 shr.o

    :/opt/freeware/lib # echo $LIBPATH
    /usr/lib
    :/opt/freeware/lib # cd /opt/freeware/bin

    :/opt/freeware/bin # smbstatus
    Can't load /usr/lib/smb.conf - run testparm to debug it

    Thanks,
    HD Team

    ------------------------------
    Harley AIX
    ------------------------------



  • 10.  RE: samba share access with AD, not working

    Posted Fri July 22, 2022 05:22 AM
    Hi

    Thank you for your reply. Looking at the last update, I see two things.
    First, smbstatus or testparm expects the Samba config file in the /usr/lib directory,
    so you have to create the Samba configuration file (smb.conf) in that directory.
    I'm not sure why smb.conf is now expected in the /usr/lib directory, but for earlier versions
    of Samba distributed by the IBM AIX Toolbox the default directory was /etc/samba.
    Maybe something has changed in the meantime, but I'm not sure, because I'm not the maintainer of these packages.
    In any case, putting the smb.conf file in /usr/lib should help.

    The next thing is based on the result from

    ldd ./smbstatus|grep libiconv
    /usr/lib/libiconv.a(libiconv.so.2)

    On your system the libiconv.a file is expected in the /usr/lib directory.
    I suspect it is related to your LIBPATH variable being set to /usr/lib, so try the following steps:

    cd /opt/freeware/bin
    export LIBPATH=/opt/freeware/lib
    or export LIBPATH=/opt/freeware/lib:/usr/lib
    then
    ./smbstatus

    hope this helps

    Have a nice day

    Slawek

    ------------------------------
    Slawomir Ksiazek
    ------------------------------



  • 11.  RE: samba share access with AD, not working

    Posted Fri July 22, 2022 11:25 AM

    Harley AIX,

    /usr/lib/smb.conf was used by the LPP install of Samba.  Perhaps best to check and uninstall if not in use:

    lslpp -l samba\*

    Potential output:

    samba.base     
    samba.license  
    samba.man.en_US




    Also, I see you reference /etc/krb5/krb5.conf.  Are you using the Network Authentication Service Client?

    lslpp -l krb5\*


    As for libiconv.a issue, have you verified the integrity of the rpm containing it?

    $ ldd /opt/freeware/bin/smbstatus | grep libiconv.a 
             /opt/freeware/lib/libiconv.a(libiconv.so.2)                  
             /opt/freeware/lib/libiconv.a(shr4.o)                         
    
    $ rpm -q --whatprovides /opt/freeware/lib/libiconv.a
    libiconv-1.16-1.ppc                                                   

    You may want to reinstall if you get MD5 sum errors like below:

    $ rpm -V libiconv                                   
    S.5....T.    /opt/freeware/lib/libiconv.a


    And while we're at it - is your DNF clean?

    $ dnf check



    I also see you set your HDMC domain to use the RID backend in your smb.conf.  How are you managing the UID of the people that sign in via SSH?  If AIX local accounts are what you're trying to map incoming samba connections to, NSS may be a better backend provided the usernames are the same.  If not, you may have to manually map AD accounts to AIX accounts or write a mapping script.

    The below error makes me think samba doesn't know what AIX account to match the incoming connection to:

    check_account: Failed to convert SID S-1-5-21-117609710-1482476501-1801674531-1899368 to a UID (dom_user[HDMC\rahmanm])


    Also, make sure you have a FQDN entry for the host+AD domain you're joining in your /etc/hosts.  I had issues joining AD when that wasn't present.

    If the above items don't get you working, perhaps best to start with what you're trying to accomplish and ideally a pristine AIX install.  I wouldn't recommend turning an AIX server into a windows fileserver.

    Lastly, you may want to review this thread with your ISO/IT management.  You're starting to post some information that most companies would not want on the internet and available to people with nefarious intentions.



    ------------------------------
    Cory Beverlin
    ------------------------------
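An added example, not from the thread or the Samba project: it reads the `idmap config` lines of an smb.conf and computes the UID the rid backend would assign to a SID, using the idmap_rid formula UID = RID - base_rid + low end of the range, and reports when the result falls outside the range. The function and variable names are hypothetical, the sample configuration is cut down from the first post, and the narrower range in the second call is constructed.

```shell
#!/bin/sh
# SID from the failing check_account line in the thread.
sample_sid='S-1-5-21-117609710-1482476501-1801674531-1899368'

# Sample input: the idmap-related part of the smb.conf in the first post.
sample_smb_conf() {
    cat <<'EOF'
[global]
    security = ADS
    workgroup = HDMC
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HDMC : backend = rid
    idmap config HDMC : range = 10000-99999999
EOF
}

# rid_to_uid DOMAIN SID   (smb.conf on stdin)
# Prints the UID idmap_rid derives for SID and returns
#   0  the UID lies inside the configured range
#   1  the UID falls outside the range, so no mapping can be made
#   2  DOMAIN has no "backend = rid" with a range in this file
rid_to_uid() {
    awk -v dom="$1" -v sid="$2" '
        BEGIN { base = 0; want = tolower("idmapconfig" dom ":") }
        {
            eq = index($0, "=")
            if (eq == 0 || $0 ~ /^[ \t]*[#;]/) next      # sections, comments
            # Parameter names ignore case and whitespace, so normalise them.
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (index(key, want) != 1) next              # another domain
            opt = substr(key, length(want) + 1)
            if (opt == "backend")  backend = tolower(val)
            if (opt == "base_rid") base = val + 0
            if (opt == "range") {
                split(val, r, /[ \t]*-[ \t]*/)
                low = r[1] + 0; high = r[2] + 0; have_range = 1
            }
        }
        END {
            if (backend != "rid" || !have_range) {
                print "no rid mapping configured for " dom; exit 2
            }
            n = split(sid, part, "-"); rid = part[n] + 0  # RID = last sub-authority
            uid = rid - base + low
            if (uid < low || uid > high) {
                printf "%.0f outside %.0f-%.0f\n", uid, low, high; exit 1
            }
            printf "%.0f\n", uid
        }
    '
}

# Range from the thread: the SID maps inside it.
sample_smb_conf | rid_to_uid HDMC "$sample_sid"
# Constructed narrower range: the same SID no longer fits.
printf 'idmap config HDMC : backend = rid\nidmap config HDMC : range = 10000-999999\n' |
    rid_to_uid HDMC "$sample_sid" || true
```

With the range from the first post the SID in the failing `check_account` line maps to 1909368, which is inside 10000-99999999, so the range arithmetic alone does not reject this user.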



  • 12.  RE: samba share access with AD, not working

    Posted Tue September 13, 2022 04:18 AM
    Hello HD-Team,

    This issue looks like a firewall issue, actually. As you seem to have more unsolved issues with your Samba installation, feel free to contact me directly to find a solution.

    Cheers
    Björn

    ------------------------------
    --
    SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
    phone: +49-551-370000-0, fax: +49-551-370000-9
    AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
    https://samba.plus/samba-aix mailto:kontakt@sernet.de
    ------------------------------