Originally posted by: blt

Is there someone who got samba 4.6.4-2 working on AIX7 with winbind?

i cannot access my shares.

Originally posted by: blt

net ads join -U username

Join is succesful.

i started smbd, nmbd and winbindd.

wbinfo --ping-dc
checking the NETLOGON for domain[DOMAIN] dc connection to "dc.Domain.local" succeeded

Originally posted by: blt

SMB.CONF

[global]
    security = ADS
    realm = DOMAIN.LOCAL
    workgroup = DOMAIN
    netbios name = infapp1
    netbios aliases = infrun1

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    server signing = auto

    client ntlmv2 auth = no
    client use spnego = yes

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = yes

    template shell = /bin/bash

    winbind use default domain = Yes
    winbind enum users = Yes

    winbind enum groups = Yes
    winbind nested groups = Yes
    winbind refresh tickets = Yes
    winbind separator = +

    map untrusted to domain = Yes

    idmap config * : backend  = tdb
    idmap config * : range = 30000-10000000

    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:unix_nss_info = yes
    idmap config DOMAIN:range = 1677721600-33554431000

    enable core files = false

    interfaces = en4 172.20.20.191/255.255.254.0

    max log size = 50
    log level = 3
    log file = /var/samba/log.%m

    preferred master = no

    local master = no
    os level = 20

[samba-test]
    path = /samba-test
    public = yes
    writable = yes

[ESA]
    path = /home1/ESA
    comment = ESA Users
    public = no
    valid users = @"Domain Users"
    writable = yes
    browsable = yes
    force create mode = 0777
    force directory mode = 0777

 

Originally posted by: blt

log after smbclient

[2017/10/03 10:34:16.034699,  3] ../source3/auth/auth.c:178(auth_check_ntlm_pass
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[username]@
[2017/10/03 10:34:16.034798,  3] ../source3/auth/auth.c:181(auth_check_ntlm_pass
  check_ntlm_password:  mapped user is: [DOMAIN]\[username]@[W2K8BEHEER]
[2017/10/03 10:34:16.045131,  3] ../source3/auth/auth_util.c:1233(check_account)
  Failed to find authenticated user DOMAIN+username via getpwnam(), denying acce
[2017/10/03 10:34:16.045209,  2] ../source3/auth/auth.c:315(auth_check_ntlm_pass
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with
[2017/10/03 10:34:16.045335,  2] ../auth/gensec/spnego.c:768(gensec_spnego_serve
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/10/03 10:34:16.045452,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_re
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATU
[2017/10/03 10:34:16.047907,  3] ../source3/smbd/server_exit.c:246(exit_server_c
  Server exit (NT_STATUS_CONNECTION_RESET)
 

Originally posted by: AyappanP

Hi,

Increase log level to 10 and then paste the samba logs. 

Originally posted by: blt

KRB5.CONF

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

Originally posted by: blt

nsswitch.conf

passwd: compat winbind
shadow: compat winbind
group: compat winbind
#hosts: files winbind

Originally posted by: blt

methods.cfg

DCE:
        program = /usr/lib/security/DCE

NISPLUS:
        program = /usr/lib/security/NISPLUS

WINBIND:
         program = /usr/lib/security/WINBIND
        options = authonly

ls -l  /usr/lib/security/WINBIND
lrwxrwxrwx    1 root     sys              28 Oct 02 15:12 /usr/lib/security/WINBIND -> /opt/freeware/lib/WINBIND.so

Originally posted by: blt

log attached

Originally posted by: AyappanP

"  Get_Pwnam_internals didn't find user [username]!
[2017/10/03 13:14:52.492382,  3, pid=12517444, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username DOMAIN+username is invalid on this system
[2017/10/03 13:14:52.492463,  3, pid=12517444, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) "

 

Seems like it couldn't able to find the username. Invoke wbinfo -u and -i to list & get info about the users.

Originally posted by: blt

when i do a wbinfo -u | grep username the user is found

but when i do wbinfo -i i got:

wbinfo -i username
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user username

 

 

Originally posted by: AyappanP

You need to enter the Domain as well with the username.

I guess your main issue is also due to not passing correct username to access the shares. Also check out winbindd logs. 

Originally posted by: blt

new log

Originally posted by: AyappanP

   "sys_getgrouplist: user [username]
[2017/10/03 15:05:47.332142, 10, pid=10223660, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2017/10/03 15:05:47.332211, 10, pid=10223660, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [username]
[2017/10/03 15:05:47.332932, 10, pid=10223660, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2017/10/03 15:05:47.333000,  0, pid=10223660, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2017/10/03 15:05:47.333262,  1, pid=10223660, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:463(add_local_groups)
  getgroups_unix_user for user username failed "

 

Now it seems to be a problem with getting group id. Trying allocating gid through wbinfo. 

Originally posted by: blt

I think that is working:

 

wbinfo -r username
50000000
50000473
50000602
50000677
50000670
50000494
50000459
50000678
50000468
50000679
50000680
50000681
50000641
50000142
50000070
50000373
50000297
50000676
 

Originally posted by: blt

i changed the idmap values and now i got:

 

wbinfo -i username
username:*:50000001:50000000::/home/DOMAIN/username:/bin/bash

but still cannot access shares,

 

frustrating

Originally posted by: blt

Do you have any tips for me, i'm kind of stuck.

it looks like everything is fine except the group..

 

Originally posted by: AyappanP

How you are trying to access the shares through smbclient ? Can you paste me the entire command ?

wbinfo shows the grouplist. But smbd couldn't. What i see from the logs is getgrset is returning NULL. So smbd is probably not redirecting the query to winbind. 

You can also remove "winbind nested groups" from the smb.conf , restart the daemons and try accessing the shares.

 

Originally posted by: blt

browsing and the smbclient command doesn't work. i removed the winbind nested groups.

 

smbclient -L localhost -d3 -U username
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface en4 ip=172.20.22.193 bcast=172.20.23.255 netmask=
interpret_interface: Adding interface 172.20.20.191/255.255.254.0
added interface 172.20.20.191/2 ip=172.20.20.191 bcast=172.20.21.255 netmask=255.255.254.0
Client started (version 4.6.4).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Enter DOMAIN\username's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GSE to 'localhost' does not make sense
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL

[2017/10/05 12:44:30.992630, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-3855219484-2485371615-219349322-5958]: id=[3000], endptr=[:U]
[2017/10/05 12:44:30.992710, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1503(sid_to_uid)
  sid S-1-5-21-3855219484-2485371615-219349322-5958 -> uid 3000
[2017/10/05 12:44:31.009282, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [USERNAME]
[2017/10/05 12:44:31.010464, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2017/10/05 12:44:31.010533, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [USERNAME]
[2017/10/05 12:44:31.011317, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2017/10/05 12:44:31.011386,  0, pid=10223836, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2017/10/05 12:44:31.011653,  1, pid=10223836, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:463(add_local_groups)
  getgroups_unix_user for user USERNAME failed
[2017/10/05 12:44:31.011724,  3, pid=10223836, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:317(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/10/05 12:44:31.011787, 10, pid=10223836, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:86(auth3_generate_session_info)
  create_local_token failed: NT_STATUS_UNSUCCESSFUL
 

Originally posted by: AyappanP

Not sure what's the problem. Try giving the username along with the Domain name. 

Check this wiki about group mappings. https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

Originally posted by: blt

in the log.idmap-winbindd i got the following error, maybe something is missing:

 

Error loading module '/opt/freeware/lib/samba/idmap/ad.so': rtld: 0712-001 Symbol wb_dsgetdcname_gencache_get was referenced
        from module /opt/freeware/lib/samba/idmap/ad.so(), but a runtime definition
        of the symbol was not found.
  rtld: 0712-001 Symbol ads_idmap_cached_connection was referenced
        from module /opt/freeware/lib/samba/idmap/ad.so(), but a runtime definition
        of the symbol was not found.
 

 

Originally posted by: AyappanP

Oh !!!. This seems to be a build/compile issue. We will check it out and fix this soon

Originally posted by: blt

do you think this could be related to my problem of not resolving the groups?

Originally posted by: AyappanP

Could be. I just checked the idmap.so library in Linux (both redhat & ubuntu). There also the symbols have no definitions. But AIX is more strict in the sense that while loading the module itself, it check for all symbol definitions.

 

Originally posted by: Vecheslav

Good afternoon!
I tested the latest SAMBA assemblies (4.5.15 and 4.6.11) from the site http: //www.bullfreeware.com.

It seems that the problem "getgrset returned (NULL)" is not solved. I attached logs with a debugging level of 10. Look, please

Originally posted by: blt

it looks like you have the same problem as i do. Is there anybody who got this working?

Originally posted by: MNK

Hi,

 

We have installed below rpm's and when trying to join to AD getting below.Can you help

 

samba-winbind-4.6.4-2.ppc
samba-winbind-clients-4.6.4-2.ppc
samba-devel-4.6.4-2.ppc
samba-common-4.6.4-2.ppc
samba-libs-4.6.4-2.ppc
samba-4.6.4-2.ppc

 

 

Error we are getting

net -s /etc/samba/smb.conf join -U ID

 

utils/net_rpc_join.c:net_rpc_join_newstyle(326)

  Error domain join verification (reused connection): NT code 0xc0000388

Unable to join domain XXXX

 

Originally posted by: AyappanP

Make sure you also install samba-client and samba-winbind-krb5-locator rpms as well.

"net ads join -U <admin_user>"

That is the command to join Active Directory.

In your case , it is doing net rpc join which works for only NT4 domain.

 

Originally posted by: blt

Hello AyappanP,

 

we still cannot access any shares when joined to the domain. Do you have a working config?

 

kind regards Alex

Originally posted by: AyappanP

Hi,

There seems to be some issue with Group Mapping. Can you check by removing the "winbind nested groups" parameter from the smb.conf file ?

I will check with one of the samba developers about this.

Originally posted by: blt

Hello AyappanP,

 

I will try next week, i will do a clean install.

 

kind regards alex

Originally posted by: Damske0008

Hi,

 

I have exactly the same issue with all samba v4 packages available on the linux toolbox sites ....

 

Is there a solution for that ?

Originally posted by: AyappanP

What is the issue you are facing ? Not able to join the AD ? 

 

Originally posted by: Damske0008

No, i'm able to :

- join the domain

- list user/grou with wbinfo and lsuser -R Winbind

 

But shares don't work .... when running in debug mode i'm facing the same issue :

getgrset returned (NULL)

 

Originally posted by: AyappanP

I think you need to create the same user through normal AIX mode as well ( by mkuser)

Originally posted by: iGadget

Hi Ayappan,

 

I hope you can help here.

I hit the same "getgrset returned (NULL)" with ADS security option.

I'm trying with Samba 4.10.6 and  4.6.11 on AIX 7.1

We also have VAS integration (OneIdentity) which provides access to AD users on UNIX systems.

But to share AIX files to Windows clients I need also SAMBA which is integrated with VAS.

All users from all domains are correctly authenticated over SAMBA winbind:

[2019/12/03 12:46:59.361732,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [***] succeeded
[2019/12/03 12:46:59.361809,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [***] -> [***] -> [domain\***] succeeded

Bust just the users which are local UNIX or UNIX-enabled over VAS (means both have UID/GID) are able to browse the defined shares.

All pure AD users are not able to. Winbind assigns them ID from the idmap range, but as you mentioned in your other post seems the connection between smb and winbind gets broken.

[2019/12/03 12:46:59.816463,  0] ../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2019/12/03 12:46:59.816579,  1] ../source3/auth/token_util.c:463(add_local_groups)
  getgroups_unix_user for user *** failed

If I add the above AD user in /etc/passwd (having UID/GID) - it is working, but it makes no sense do the same for thousands of users.

wbinfo is working just fine.

"wbinfo -r *** " works fine, most of the time.

What I noticed when running "smbd -b" is that all SAMBA 4 versions are compiled with HAVE_* Defines: HAVE_GETGRSET

While on SAMBA 3 version from PWARE it is not there and the access to shares by pure AD users is fine.

The same is missing also on SAMBA 4.9.x RedHat package and also no issue.

 

Is it possible that this HAVE_GETGRSET compiled for AIX can cause that issue "getgrset returned (NULL)"  for AD accounts without UID/GID?

Is it possible to compile a SAMBA version without it? Or this is essential, but it is a bug?

 

In the example below we see that if "getgrset" returns NULL then it is not binding "domain users" (GID 60000) at all while if it returns one UNIX group then if says 2 groups are found and performs the mapping GID to SID. Bug?

 

Thanks in advance.

 

log.smbd v4.6.11 debug log for the same pure AD user added locally on AIX in /etc/passwd and then removed locally.

GID 1 is "staff" group on AIX. UID/GID 60083 / 60000 are the ones mapped by WINBIND for the user ***

 

Working one with AD user *** in /etc/passwd:

[2019/12/03 13:23:56.707310,  5, pid=9502938, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2019/12/03 13:23:56.707353,  5, pid=9502938, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:640(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/12/03 13:23:56.707430,  4, pid=9502938, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/12/03 13:23:56.709167, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:225(create_local_nt_token_from_info3)
  Create local NT token for ***
[2019/12/03 13:23:56.727424, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-4153117351-1444607597-2867050581-531324]: value=[60083:U]
[2019/12/03 13:23:56.727487, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-4153117351-1444607597-2867050581-531324]: id=[60083], endptr=[:U]
[2019/12/03 13:23:56.727610, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1503(sid_to_uid)
  sid S-1-5-21-4153117351-1444607597-2867050581-531324 -> uid 60083
[2019/12/03 13:23:56.780444, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [***]
[2019/12/03 13:23:56.781951, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned 1
[2019/12/03 13:23:56.782004, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:76(getgrouplist_getgrset)
  Found 2 groups for user ***
[2019/12/03 13:23:56.782544, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1335(gid_to_sid)
  gid 60000 -> sid S-1-5-21-4153117351-1444607597-2867050581-513
[2019/12/03 13:23:56.782663, 10, pid=9502938, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1335(gid_to_sid)
  gid 1 -> sid S-1-22-2-1

 

Not working one without AD user in /etc/passwd:

[2019/12/03 13:32:50.003937,  5, pid=23003374, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)

[2019/12/03 13:32:50.003982,  5, pid=23003374, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:640(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/12/03 13:32:50.004061,  4, pid=23003374, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/12/03 13:32:50.014387, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:225(create_local_nt_token_from_info3)
  Create local NT token for ***
[2019/12/03 13:32:50.016774, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-4153117351-1444607597-2867050581-531324]: value=[60083:U]
[2019/12/03 13:32:50.016836, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-4153117351-1444607597-2867050581-531324]: id=[60083], endptr=[:U]
[2019/12/03 13:32:50.016897, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1503(sid_to_uid)
  sid S-1-5-21-4153117351-1444607597-2867050581-531324 -> uid 60083
[2019/12/03 13:32:50.051292, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [***]
[2019/12/03 13:32:50.564092, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2019/12/03 13:32:50.564182, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [***]
[2019/12/03 13:32:50.566302, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:46(getgrouplist_getgrset)
  getgrset returned (NULL)
[2019/12/03 13:32:50.566357,  0, pid=23003374, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:226(getgroups_unix_user)
  get_user_groups: failed to get the unix group list
[2019/12/03 13:32:50.566465,  1, pid=23003374, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:463(add_local_groups)
  getgroups_unix_user for user *** failed
[2019/12/03 13:32:50.566545,  3, pid=23003374, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:317(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2019/12/03 13:32:50.566590, 10, pid=23003374, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:86(auth3_generate_session_info)
  create_local_token failed: NT_STATUS_UNSUCCESSFUL

 

Originally posted by: AyappanP

Thanks for the detailed information.

Let me check out the "HAVE_GETGRSET" thing doing inside Samba code and come back. 

Originally posted by: iGadget

Hi Ayappan,

 

Did more troubleshooting.

As we use VAS integrated with SAMBA, NSS VAS commands correctly connect to WINBIND and report the user status.

VAS itself works just with UNIX-enabled users that have UID/GID assigned. Native AD users are not recognized.

All these 60000+ GIDs below are the ones WINBIND mapped from the defined id range.

*** is the native AD user from my initial post:

 

# vastool nss getgrset ***

*** belongs to:
60000,60160,60161,60162,60004,60155,60153,60163,60164,60165,60146,60166,60167,60168,60169,60170,60171,60172,60173,60174,60008,60175,60176,60138,60177,60178,60179,60180,60181,60182,60183,60184,60185,60124,60011,60186,60012,60187,60188,60189,60115,60190,60191,60192,60193,60107,60019,60020,60194,60103,60195,60196,60197,60198,60199,60200,60201,60202,60203,60204,60205,60206,60207,60085,60053,60054,60422,60055,60056,60208,60025,60209,60026,60210,60211,60212,60030,60033,60213,60214,60036,60215,60037,60040,60041,60042,60216,60045,60046,60048,60050,60052,60002

 

# vastool nss getgroups ***
60000,60160,60161,60162,60004,60155,60153,60163,60164,60165,60146,60166,60167,60168,60169,60170,60171,60172,60173,60174,60008,60175,60176,60138,60177,60178,60179,60180,60181,60182,60183,60184,60185,60124,60011,60186,60012,60187,60188,60189,60115,60190,60191,60192,60193,60107,60019,60020,60194,60103,60195,60196,60197,60198,60199,60200,60201,60202,60203,60204,60205,60206,60207,60085,60053,60054,60422,60055,60056,60208,60025,60209,60026,60210,60211,60212,60030,60033,60213,60214,60036,60215,60037,60040,60041,60042,60216,60045,60046,60048,60050,60052,60002

# vastool nss getpwnam ***
***:*:60083:60000::/home/DOMAIN/***:/bin/false

 

We can see the user *** gets UID/GID assigned by WINBIND.

Seems SMBD is not able to parse it properly.

I found the source related with the error message inside:

https://download.samba.org/pub/unpacked/standalone_projects/source3/lib/system_smbd.c

if (sys_getgrouplist(user, primary_gid,
                     temp_groups, &max_grp) == -1) {
            DEBUG(0, ("get_user_groups: failed to get the unix "
                  "group list\n"));
            TALLOC_FREE(to_free);
            return False;
        }

 

May you check/comment.

Thanks a lot.

Originally posted by: AyappanP

Thanks. I will check it out and get back.

Originally posted by: blt

we bought a license from sambaplus (sernet) and that one is working. users are mapped the right way and the member server works.

is there a possibility to get this to work with the ibm aix toolbox packages?

Originally posted by: AyappanP

Great !!!. The source code they (sernet) claim is Opensource. So wondering how it worked there ? 

May be they have some patches locally or some specific build flags. Not sure.

Can you share the sambaplus output of "smbd -b" ?

Originally posted by: blt

sorry for the late response, i attached the output.

The issue is fixed in the latest samba-4.14.4-2 available in AIX Toolbox.

------------------------------
Ayappan P
------------------------------

Original Message:
Sent: Fri March 20, 2020 06:25 AM
From: Archive User
Subject: Re: Samba 4.6.4-2 as AD member server

Originally posted by: blt

sorry for the late response, i attached the output.