Since we did the SAMBA update from 4.14.4 to 4.14.10 we have a problem with WINBIND.
Before, WINBIND was not running, but when WINBIND is running, I cannot connect to the SAMBA share. The same happened when WINBIND is not running.
I added WINBIND to /etc/methods.cfg:
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
KRB5:
program = /usr/lib/security/KRB5
options = authonly,tgt_verify=no,is_kadmind_compat=no
program_64 = /usr/lib/security/KRB5_64
KRB5files:
options = db=BUILTIN,auth=KRB5
WINBIND:
program = /usr/lib/security/WINBIND
I added the symlink to /usr/lib/security/:
# ll /usr/lib/security/WINBIND
lrwxrwxrwx 1 root system 28 Feb 01 08:47 /usr/lib/security/WINBIND -> /opt/freeware/lib/WINBIND.so
# ls -l /opt/freeware/lib/WINBIND.so
-rwxr-xr-x 1 root system 28153 Dec 20 16:03 /opt/freeware/lib/WINBIND.so
We have configured Kerberos in /etc/security/user to log in to the LPAR with the AD password:
SYSTEM = "KRB5"
vi /etc/smb.conf
[global]
unix charset = ISO-8859-1
workgroup = DOMAIN-GROUP
realm = MYDOMAIN
server string = Samba Server
security = ADS
netbios name = aix010buhwpar
dedicated keytab file = /etc/krb5/krb5.keytab
kerberos method = dedicated keytab
log level = 4
log file = /var/log/samba/log.%m
max log size = 500
unix extensions = No
load printers = No
idmap config * : backend = tdb
create mask = 0664
directory mask = 0777
hide dot files = No
map archive = No
mangled names = No
interfaces = en0 10.20.31.166/24
host msdfs = no
Kerberos is working
# klist -k -e /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
When I try to connect I get a logon window; before, I could connect automatically,
and I get this error:
[2022/02/01 09:44:20.150388, 4] ../../source3/smbd/sec_ctx.c:446(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.214992, 3] ../../source3/auth/auth_util.c:1902(check_account)
Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), denying access.
[2022/02/01 09:44:20.215104, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/02/01 09:44:20.216379, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.216475, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.216523, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.216569, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.216619, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.218503, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
------------------------------
Wolfgang Tress
AIX, Storage,SAN und Backup Admin
Dürr IT Service GmbH
Schopfloch
+49 7443133121
------------------------------
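Added example (not part of the original post): a small Python triage script for the smbd log format shown above, which drops the level 4 sec_ctx noise and pulls out the getpwnam() lookup failures and NT_STATUS codes. The function names and the max_level parameter are assumptions of this example; the sample lines are copied from the excerpt in the post, with the wrapped line rejoined.

```python
import re

# Header of one smbd log record: "[date time, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
GETPWNAM_FAIL = re.compile(
    r"Failed to find authenticated user (?P<user>\S+) via getpwnam\(\)"
)
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

# Sample input: lines taken from the log excerpt in the post.
SAMPLE = r"""
[2022/02/01 09:44:20.150388, 4] ../../source3/smbd/sec_ctx.c:446(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2022/02/01 09:44:20.214992, 3] ../../source3/auth/auth_util.c:1902(check_account)
  Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), denying access.
[2022/02/01 09:44:20.215104, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/02/01 09:44:20.218503, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
"""

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": ""}
            records.append(current)
        elif current is not None and line:
            # Message text can span several lines; join them with a space.
            current["msg"] = (current["msg"] + " " + line).strip()
    return records

def triage(text, max_level=3):
    """Return (getpwnam failures, NT_STATUS codes) from records at or below max_level."""
    failures, statuses = [], []
    for rec in parse_records(text):
        if rec["level"] > max_level:
            continue  # skip debug chatter such as the repeated sec_ctx records
        m = GETPWNAM_FAIL.search(rec["msg"])
        if m:
            failures.append((rec["ts"], m["user"]))
        statuses.extend(NT_STATUS.findall(rec["msg"]))
    return failures, statuses

if __name__ == "__main__":
    print(triage(SAMPLE))
```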