AIX Open Source


Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

  • 1.  Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Wed February 02, 2022 04:33 AM
    Since we did the SAMBA update from 4.14.4 to 4.14.10 we have a problem with WINBIND.
    Before, WINBIND was not running, but when WINBIND is running, I cannot connect to the SAMBA share. The same happens when WINBIND is not running.

    I added WINBIND to /etc/methods.cfg:

    NIS:
            program = /usr/lib/security/NIS
            program_64 = /usr/lib/security/NIS_64


    DCE:
            program = /usr/lib/security/DCE

    KRB5:
            program = /usr/lib/security/KRB5
            options = authonly,tgt_verify=no,is_kadmind_compat=no
            program_64 = /usr/lib/security/KRB5_64

    KRB5files:
            options = db=BUILTIN,auth=KRB5

    WINBIND:
            program = /usr/lib/security/WINBIND



    I added the symlink in /usr/lib/security/:

    # ll /usr/lib/security/WINBIND
    lrwxrwxrwx    1 root     system           28 Feb 01 08:47 /usr/lib/security/WINBIND -> /opt/freeware/lib/WINBIND.so

    # ls -l /opt/freeware/lib/WINBIND.so
    -rwxr-xr-x    1 root     system        28153 Dec 20 16:03 /opt/freeware/lib/WINBIND.so



    We have configured Kerberos in /etc/security/user to log in to the LPAR with the AD password:

    SYSTEM = "KRB5"




    vi /etc/smb.conf

    [global]
            unix charset = ISO-8859-1
            workgroup = DOMAIN-GROUP
            realm = MYDOMAIN
            server string = Samba Server
            security = ADS
            netbios name = aix010buhwpar
            dedicated keytab file = /etc/krb5/krb5.keytab
            kerberos method = dedicated keytab
            log level = 4
            log file = /var/log/samba/log.%m
            max log size = 500
            unix extensions = No
            load printers = No
            idmap config * : backend = tdb
            create mask = 0664
            directory mask = 0777
            hide dot files = No
            map archive = No
            mangled names = No
            interfaces = en0 10.20.31.166/24
            host msdfs = no

    Kerberos is working

    # klist -k -e /etc/krb5/krb5.keytab
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------


    When I try to connect I get a logon window; before, I could connect automatically,




    and I get this error:


    [2022/02/01 09:44:20.150388,  4] ../../source3/smbd/sec_ctx.c:446(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.214992,  3] ../../source3/auth/auth_util.c:1902(check_account)
      Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), denying access.
    [2022/02/01 09:44:20.215104,  3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
      smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
    [2022/02/01 09:44:20.216379,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.216475,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.216523,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.216569,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.216619,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2022/02/01 09:44:20.218503,  3] ../../source3/smbd/server_exit.c:240(exit_server_common)
      Server exit (NT_STATUS_CONNECTION_RESET)


    ------------------------------
    Wolfgang Tress
    AIX, Storage, SAN and Backup Admin
    Dürr IT Service GmbH
    Schopfloch
    +49 7443133121
    ------------------------------


  • 2.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Wed February 02, 2022 08:24 AM

    Looks like it's more of a configuration issue.
    Just having a WINBIND entry in /etc/methods.cfg is not going to enable it.
    You need to set the /etc/security/user SYSTEM attribute to use "compat or WINBIND".

    If you are using KRB5 for that, then there is no need to use winbindd at all.



    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Wed February 02, 2022 09:51 AM
    Before we did the SAMBA update all was working with Kerberos, without problems and without winbindd.
    But when winbindd is not running I get this error:
    [2022/02/02 15:45:44.396558, 0] ../../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
    auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
    [2022/02/02 15:45:44.396742, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../../source3/smbd/smb2_sesssetup.c:146



    ------------------------------
    Wolfgang Tress
    AIX, Storage, SAN and Backup Admin
    Dürr IT Service GmbH
    Schopfloch
    +49 7443133121
    ------------------------------
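    The two failures quoted in posts 1 and 3 (getpwnam() denying the unmapped DOMAIN\user name, and winbindd missing on a domain member) are easy to confuse when reading raw smbd output at log level 3 or 4. The following triage script is an added example, not code from this thread or from the Samba project: it pairs each smbd header line with its message line, extracts the NT_STATUS code (from the message itself or from the smbd_smb2_request_error_ex line that follows), and attaches the explanation the thread arrived at for each signature. SAMPLE_LOG is assembled from the log lines posted in this thread, including the "min domain uid" line from post 10; the hint texts are the editor's summary of the replies.

```python
"""Triage smbd session-setup failures from log text (added example).

Not code from the thread or from the Samba project. SAMPLE_LOG below is
assembled from the log lines posted in this thread (Samba 4.14.10 on AIX);
the TRIAGE hints restate what the replies concluded about each failure.
"""
import re

# smbd log header: "[YYYY/MM/DD HH:MM:SS.usec, <level>] <file>:<line>(<function>)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+)\((?P<func>\w+)\)$"
)
STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")

# Message signature -> what the thread established about it.
TRIAGE = [
    (re.compile(r"via getpwnam\(\), denying access"),
     "DOMAIN\\user reached getpwnam() unmapped: no local account for that name "
     "(needs winbind or an explicit 'username map' entry)"),
    (re.compile(r"winbindd not running - but required as domain member"),
     "security = ADS member needs winbindd running for PAC-based session setup"),
    (re.compile(r"does not meet 'min domain uid' restriction \((\d+) < (\d+)\)"),
     "mapped local uid is below 'min domain uid'; move the account above the "
     "threshold or set 'min domain uid' deliberately in smb.conf"),
]

# Constructed from the thread's own log excerpts (wrapped lines re-joined).
SAMPLE_LOG = r"""
[2022/02/01 09:44:20.214992,  3] ../../source3/auth/auth_util.c:1902(check_account)
  Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), denying access.
[2022/02/01 09:44:20.215104,  3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/02/02 15:45:44.396558, 0] ../../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/02/07 10:48:11.065858, 3] ../../source3/auth/auth_util.c:2125(make_server_info_info3)
  make_server_info_info3: Username 'DEFAULT_DOMAIN\user_x' is invalid on this system, it does not meet 'min domain uid' restriction (800 < 1000): NT_STATUS_INVALID_TOKEN
"""


def parse_smbd_log(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["message"] = ""
            entries.append(entry)
        elif entries:
            # continuation line: append to the most recent header's message
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries


def _status_for(entries, i):
    """NT_STATUS code from entry i, else from the request_error line after it."""
    for entry in entries[i:i + 2]:
        found = STATUS_RE.search(entry["message"])
        if found:
            return found.group(0)
    return None


def triage(text):
    """Return (function, NT_STATUS code, hint) for every recognised failure."""
    entries = parse_smbd_log(text)
    findings = []
    for i, entry in enumerate(entries):
        for pattern, hint in TRIAGE:
            if pattern.search(entry["message"]):
                findings.append((entry["func"], _status_for(entries, i), hint))
    return findings


if __name__ == "__main__":
    for func, status, hint in triage(SAMPLE_LOG):
        print(f"{func:32} {str(status):28} {hint}")
```

    Run it against a real /var/log/samba/log.<client> captured at log level 3 or higher; the lower-level sec_ctx chatter (level 4) is ignored because no TRIAGE pattern matches it.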



  • 4.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Thu February 03, 2022 06:41 AM

    Can you try downgrading Samba to the 4.14.4-2 version and see if things are working?



    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Thu February 03, 2022 10:23 AM
    I did the downgrade; SAMBA is now running without problems. I can now connect to my SAMBA shares.

    ##samba 4.14.10 downgrade to 4.14.4
    yum downgrade samba-client-4.14.4-2.ppc samba-winbind-4.14.4-2.ppc samba-devel-4.14.4-2.ppc samba-common-4.14.4-2.ppc samba-winbind-clients-4.14.4-2.ppc samba-libs-4.14.4-2.ppc samba-4.14.4-2.ppc libsmbclient-4.14.4-2.ppc --skip-broken


    ------------------------------
    Wolfgang Tress
    AIX, Storage, SAN and Backup Admin
    Dürr IT Service GmbH
    Schopfloch
    +49 7443133121
    ------------------------------



  • 6.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Fri February 04, 2022 02:21 AM
    Okay. I am looking into the changes that went between 4.14.4 and 4.14.10

    ------------------------------
    Ayappan P
    ------------------------------



  • 7.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Fri February 04, 2022 04:58 AM
    I'll try what Sveinn Gunnarsson wrote me:

    if you were using the default fallback mapping of users like: user = DOMAIN\user - then this is not possible in Samba 4.14.10 - see the important note: SAMBA+ 4.15.2, 4.14.10 and 4.13.14 Security Releases

    The way around this is to manually define the user mapping like this:

    /etc/samba/smb.conf:

    [global]
    username map = /etc/samba/users.map

     

    /etc/samba/users.map:
    user1 = DOMAIN\user1
    user2 = DOMAIN\user2



    ------------------------------
    Wolfgang Tress
    AIX, Storage, SAN and Backup Admin
    Dürr IT Service GmbH
    Schopfloch
    +49 7443133121
    ------------------------------



  • 8.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Mon February 07, 2022 06:59 AM
    The suggested "username map" workaround for the regression is discussed in https://bugzilla.samba.org/show_bug.cgi?id=14901 .
    The 4.14 and 4.15 SAMBA+ AIX packages don't need that workaround however; it was fixed shortly after the regression was found. Keep in mind that, depending on what the idmapping looks like, you might have to add a "min domain uid" parameter as a result of the mentioned security fixes. Also keep in mind that it's recommended to update to the Samba 4.15 branch because the complete fix for CVE-2021-44141 is only possible with the VFS rewrite of the 4.15 release.

    --
    SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
    phone: +49-551-370000-0, fax: +49-551-370000-9
    AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
    https://samba.plus/samba-aix mailto:kontakt@sernet.de

    ------------------------------
    Johannes Loxen
    ------------------------------



  • 9.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Fri February 04, 2022 05:56 AM
    If you were mapping users like DOMAIN\user -> user, there is a breaking change when upgrading to 4.14.10:
    https://samba.plus/blog/detail/samba-4152-41410-and-41314-security-releases-available

    Now user mapping must be defined manually like this:

    /etc/samba/smb.conf:

    [global]
    username map = /etc/samba/users.map


    /etc/samba/users.map:
    user1 = DOMAIN\user1
    user2 = DOMAIN\user2


    Regards,
    Svenni

    ------------------------------
    Sveinn Gunnarsson
    ------------------------------



  • 10.  RE: Update SAMBA from 4.14.4. to 4.14.10 problem with WINBIND

    Posted Mon February 07, 2022 09:33 AM
    I tried with winbindd service. It works under 4.14.4

    but not under 4.14.10:

    samba log:
    [2022/02/07 10:48:11.062900, 3] ../../source3/auth/user_util.c:419(map_username)
    Mapped user DEFAULT_DOMAIN\user_x to user_x
    [2022/02/07 10:48:11.065858, 3] ../../source3/auth/auth_util.c:2125(make_server_info_info3)
    make_server_info_info3: Username 'DEFAULT_DOMAIN\user_x' is invalid on this system, it does not meet 'min domain uid' restriction (800 < 1000): NT_STATUS_INVALID_TOKEN
    [2022/02/07 10:48:11.065974, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_TOKEN] || at ../../source3/smbd/smb2_sesssetup.c:146

    /etc/samba/users.map:
    user_x = DEFAULT_DOMAIN\user_x
    user_xy = second_DOMAIN\user_xy


    user_x has the ID 800.

    I think I'll wait until version 4.15 is available, and hope it will work then.



    ------------------------------
    Wolfgang Tress
    AIX, Storage, SAN and Backup Admin
    Dürr IT Service GmbH
    Schopfloch
    +49 7443133121
    ------------------------------
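    Posts 8 to 10 together describe the two things that changed for a 4.14.10 domain member: DOMAIN\user names must be mapped explicitly through "username map", and the mapped local account must then satisfy "min domain uid" (post 10 fails with uid 800 against the default of 1000). The script below is an added example by the editor, not code from this thread or from Samba. It parses a users.map in the syntax shown above (plus the comment, quoted-name and several-names-per-line forms that smb.conf(5) allows for "username map"), resolves each unix name against a passwd table and reports which mappings would be rejected before you restart smbd. The PASSWD dictionary is a constructed stand-in for pwd.getpwnam(); on a real host you would look the names up there instead.

```python
"""Pre-flight check of a Samba 'username map' file against 'min domain uid'.

Added example, not code from the thread or from Samba. USERS_MAP follows the
syntax posted in the thread; PASSWD is a constructed stand-in for the local
passwd database (pwd.getpwnam on a real AIX host).
"""

DEFAULT_MIN_DOMAIN_UID = 1000  # Samba's default for 'min domain uid'

# Constructed passwd table: unix name -> uid.
PASSWD = {
    "user_x": 800,      # the uid from post 10, below the default threshold
    "user_xy": 1200,
    "alice": 20001,
}

# Constructed users.map: the thread's two lines plus comment and multi-name forms.
USERS_MAP = r"""
# users.map as in post 10, extended with a multi-name and an unresolvable entry
user_x = DEFAULT_DOMAIN\user_x
user_xy = second_DOMAIN\user_xy
alice = MYDOMAIN\alice "MYDOMAIN\alice.admin"
nobody = MYDOMAIN\guest
"""


def parse_username_map(text):
    """Return [(unixname, [domain_user, ...]), ...] in file order.

    Accepts '#' / ';' comment lines, a leading '!' on the unix name (stop after
    match) and several whitespace-separated, optionally quoted names on the right.
    """
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        left, right = line.split("=", 1)
        unixname = left.strip().lstrip("!")
        domain_users = [name.strip('"') for name in right.split()]
        mappings.append((unixname, domain_users))
    return mappings


def check_min_domain_uid(map_text, passwd, min_domain_uid=DEFAULT_MIN_DOMAIN_UID):
    """Classify every mapping as 'ok', 'below_min_uid' or 'no_local_user'.

    Returns [(unixname, domain_user, uid_or_None, verdict), ...].
    """
    results = []
    for unixname, domain_users in parse_username_map(map_text):
        uid = passwd.get(unixname)
        for domain_user in domain_users:
            if uid is None:
                verdict = "no_local_user"   # would fail getpwnam() in check_account
            elif uid < min_domain_uid:
                verdict = "below_min_uid"   # NT_STATUS_INVALID_TOKEN in make_server_info_info3
            else:
                verdict = "ok"
            results.append((unixname, domain_user, uid, verdict))
    return results


def lowest_accepting_min_domain_uid(results):
    """Smallest 'min domain uid' value that accepts every mapping with a local uid.

    None when no mapping resolves to a local account at all.
    """
    uids = [uid for _, _, uid, _ in results if uid is not None]
    return min(uids) if uids else None


if __name__ == "__main__":
    results = check_min_domain_uid(USERS_MAP, PASSWD)
    for unixname, domain_user, uid, verdict in results:
        print(f"{domain_user:28} -> {unixname:10} uid={str(uid):6} {verdict}")
    print("lowest 'min domain uid' accepting all resolvable mappings:",
          lowest_accepting_min_domain_uid(results))
```

    A "below_min_uid" verdict has two remedies, and they are not equivalent: moving the local account above the threshold keeps the guard that stops domain users from landing on low, system-range uids, whereas lowering "min domain uid" in smb.conf (the parameter post 8 mentions) widens that range for every domain user. The lowest_accepting_min_domain_uid() helper only tells you how far the setting would have to drop; whether that is acceptable for the host is a decision to make explicitly.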