AIX Open Source

 View Only
Expand all | Collapse all

Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

  • 1.  Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Wed November 09, 2022 11:35 AM
    On our test Samba server running AIX 7200-05-04-2220 code I upgraded the Samba code from V4.14.4 to the latest available (V4.16.5) but had to revert back because mapping network drives was no longer possible.  The Samba client log was posting errors such as:
     
    Auth: [SMB2,(NULL)] user [workgroup]\[smbadmin] at [Tue, 08 Nov 2022 15:47:21.964918 EST] with [NTLMv2] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [2UA6422BXX] remote
    host [ipv4:10.12.3.53:57617] mapped to [workgroup]\[smbadmin]. local host [ipv4:10.2.3.88:445]
    [2022/11/08 15:47:22.016529, 2] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
    check_ntlm_password: Authentication for user [smbadmin] -> [smbadmin] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1
    [2022/11/08 15:47:22.016678, 2] ../../auth/auth_log.c:665(log_authentication_event_human_readable)
    Auth: [SMB2,(NULL)] user [workgroup]\[smbadmin] at [Tue, 08 Nov 2022 15:47:22.016640 EST] with [NTLMv2] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [2UA6422BXX] remote
    host [ipv4:10.12.3.53:57618] mapped to [workgroup]\[smbadmin]. local host [ipv4:10.2.3.88:445]
    [2022/11/08 15:47:22.065590, 2] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
    check_ntlm_password: Authentication for user [smbadmin] -> [smbadmin] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1

    On the AIX server the operating system error log filled with repetitive windbindd error messages:

    LABEL: CORE_DUMP
    IDENTIFIER: A924A5FC

    Date/Time: Wed Nov 9 10:55:36 EST 2022
    Sequence Number: 24138
    Machine Id: 00FB16F94C00
    Node Id: sentest4
    Class: S
    Type: PERM
    WPAR: Global
    Resource Name: SYSPROC

    Description
    SOFTWARE PROGRAM ABNORMALLY TERMINATED

    Probable Causes
    SOFTWARE PROGRAM

    User Causes
    USER GENERATED SIGNAL

    Recommended Actions
    CORRECT THEN RETRY

    Failure Causes
    SOFTWARE PROGRAM

    Recommended Actions
    RERUN THE APPLICATION PROGRAM
    IF PROBLEM PERSISTS THEN DO THE FOLLOWING
    CONTACT APPROPRIATE SERVICE REPRESENTATIVE

    Detail Data
    SIGNAL NUMBER
    4
    USER'S PROCESS ID:
    10551634
    FILE SYSTEM SERIAL NUMBER
    1
    INODE NUMBER
    2
    CORE FILE NAME
    //core
    PROGRAM NAME
    winbindd
    STACK EXECUTION DISABLED
    0
    COME FROM ADDRESS REGISTER
    krb5int_d 1E8

    PROCESSOR ID
    hw_fru_id: 0
    hw_cpu_id: 2

    ADDITIONAL INFORMATION
    ??
    ??
    Unable to generate symptom string.

    Running the "net ads testjoin" command results in:

    Illegal instruction(coredump)

    Reverting back to the previously installed Samba V4.14.4 code and all is well again, all such errors disappear...
     
    Is anyone successfully using the Samba V4.16.5 code?  Is there any known problems with it?  It is not working for me.

    Thank you --






    ------------------------------
    Mark Skinner
    ------------------------------


  • 2.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Thu November 10, 2022 01:47 AM
    Please update krb5-libs & openldap rpms to 1.18.5-2 & 2.4.58-4 version respectively.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Thu November 10, 2022 01:25 PM
    The server already shows those RPMs to be at the requested levels -

    [sentest4] /home/root # rpm -qa | grep -E "krb5|openldap"
    openldap-2.4.58-4.ppc
    krb5-libs-1.18.5-2.ppc

    Any further suggestions greatly appreciated, thanks -





  • 4.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Fri November 11, 2022 02:28 AM
    Please share the below outputs.
    "rpm -qa"
    ls /opt/freeware/lib | grep -E "ssl/crypto"
    lslpp -l | grep openssl


    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Thu January 12, 2023 09:03 AM
    I see other administrators having similar Samba-related problems so I just wanted to share my success I had back in November.  The solution to the problem I was having after updating to V4.16.5-1 code was suggested by Ayappan to another Samba administrator experiencing a similar problem, and that was to install the "samba-winbind-krb5-locator-4.16.5-1.aix7.1.ppc.rpm" RPM, which I had never needed before.  I don't know why this additional RPM is required to successfully mount Samba fileshares, but it worked for me.  The Samba RPMs installed on the working V4.16.5-1 servers are:

    samba-libs-4.16.5-1.ppc
    samba-winbind-4.16.5-1.ppc
    samba-client-4.16.5-1.ppc
    samba-winbind-krb5-locator-4.16.5-1.ppc
    samba-devel-4.16.5-1.ppc
    samba-winbind-clients-4.16.5-1.ppc
    samba-common-4.16.5-1.ppc
    samba-4.16.5-1.ppc

    ------------------------------
    Mark Skinner
    ------------------------------



  • 6.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Fri January 13, 2023 02:43 AM
    Thanks for reporting it.
    Toolbox Samba prior to 4.16.5 version is built with bundled heimdal kerberos. Now in 4.16.5 version , it is build against Toolbox krb5-libs (MIT Keberos) rpm. So the samba-winbind-krb5-locator is required now.

    ------------------------------
    Ayappan P
    ------------------------------



  • 7.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Mon January 16, 2023 10:50 AM
    Edited by Ben Cowan Mon January 16, 2023 10:53 AM
    So even with the locator installed, this is what I'm seeing with my current samba config that joins to AD.

    1) winbindd won't start.
    [2023/01/16 07:22:11.067933, 5] ../../source3/lib/messages.c:718(messaging_register)
    Registering messaging pointer for type 1038 - private_data=0
    [2023/01/16 07:22:11.070003, 3] ../../source3/winbindd/winbindd_util.c:293(add_trusted_domain)
    add_trusted_domain: Added domain [BUILTIN] [(NULL)] [S-1-5-32]
    [2023/01/16 07:22:11.070107, 3] ../../source3/winbindd/winbindd_util.c:293(add_trusted_domain)
    add_trusted_domain: Added domain [LEOPARD] [(NULL)] [S-1-5-21-2275589638-3178371853-1380871141]
    [2023/01/16 07:22:11.070147, 0] ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
    Could not fetch our SID - did we join?
    [2023/01/16 07:22:11.070202, 0] ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
    unable to initialize domain list

    2) If I edit smb.conf and change security = ADS to security = user, then I can start winbindd successfully

    3) The join still fails because security = user does not allow joining to Active Directory, however, if i edit
    smb.conf again and change security = user back to security = ADS, then the join works.  Note, the -k 
    option is deprecated, and needs to be replaced w/ --use-kerberos=required.

    4) This is all well and good until a reboot or restart of winbindd occurs and it won't start up again?

    So, I think we still have a problem.

    ------------------------------
    Ben Cowan
    ------------------------------



  • 8.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Tue January 17, 2023 01:18 AM
    We solved this by moving to the SAMBA+ packages from SerNet. They are not free but they worked right out if the box and there is good support from the vendor also.

    ------------------------------
    Susan Miller
    ------------------------------



  • 9.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    IBM Champion
    Posted Tue January 31, 2023 03:17 PM
    I am having the same issue.  I have it on my AIX 7.2.5.4 system as well as my 7.3.1.1 system.  Below are details on the AIX 7.3.1.1 system. 

    server1: oslevel -s
    7300-01-01-2246


    server1: lslpp -l | grep ssl
    openssl.base 3.0.7.1000 COMMITTED Open Secure Socket Layer


    server1: rpm -qa | grep samba
    samba-common-4.16.8-1.ppc
    samba-winbind-4.16.8-1.ppc
    samba-libs-4.16.8-1.ppc
    samba-winbind-krb5-locator-4.16.8-1.ppc
    samba-client-4.16.8-1.ppc
    samba-devel-4.16.8-1.ppc
    samba-winbind-clients-4.16.8-1.ppc
    samba-4.16.8-1.ppc
    server1: rpm -qa | grep winb
    samba-winbind-4.16.8-1.ppc
    samba-winbind-krb5-locator-4.16.8-1.ppc
    samba-winbind-clients-4.16.8-1.ppc
    server1: rpm -qa | grep smb
    libsmbclient-4.16.8-1.ppc

    server1: rpm -qa | grep krb5
    samba-winbind-krb5-locator-4.16.8-1.ppc
    krb5-libs-1.18.5-2.ppc
    server1: rpm -qa | grep ldap
    openldap-2.5.12-1.ppc

    server1: ls /opt/freeware/lib | grep -E "ssl/crypto"
    server1: lslpp -l | grep openssl
    openssl.base 3.0.7.1000 COMMITTED Open Secure Socket Layer
    openssl.man.en_US 3.0.7.1000 COMMITTED Open Secure Socket Layer
    openssl.base 3.0.7.1000 COMMITTED Open Secure Socket Layer


    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: [2023/01/31 15:07:41.305371, 0] ../../source3/winbindd/winbindd_cache.c:3087(initialize_winbindd_cache)
    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: [2023/01/31 15:07:41.310462, 0] ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: Could not fetch our SID - did we join?
    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: [2023/01/31 15:07:41.310532, 0] ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
    Jan 31 15:07:41 server1 daemon:err|error winbindd[15860144]: unable to initialize domain list

    Any help much appreciated

    Thanks

    Jaqui

    ------------------------------
    Jaqui Lynch
    ------------------------------



  • 10.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    IBM Champion
    Posted Wed April 26, 2023 05:13 PM

    We have now narrowed the issue down to AIX 7.3.  We can get samba working at AIX 7.2.5.5 with samba 4.16.8-1 and active directory with SSL 1.1.2.2000 or SSL 3.0.8.100.  But when we upgrade to AIX 7.3 with those same levels winbind fails with the SID issue.  All other authentication is working fine.



    ------------------------------
    Jaqui Lynch
    ------------------------------



  • 11.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    Posted Fri April 28, 2023 03:21 AM

    There is an issue creating keytab files using Toolbox Samba-4.16.8-1. But other things work.
    Can you share the errors.



    ------------------------------
    Ayappan P
    ------------------------------



  • 12.  RE: Update to latest AIX Toolbox Samba code (V4.16.5) breaks winbind

    IBM Champion
    Posted Fri April 28, 2023 12:03 PM

    When we start samba on AIX 7.2.5.5 it works fine and winbind comes up
    When we start it on AIX 7.3 winbind does not come up - does not matter if it is a fresh install or an upgrade
    We have left and rejoined the domain and tried a number of things. We thought it might be SSL v3 but it works on AIX 7.2.5.5 with SSLv3 or V1.  Versions on the two systems are listed below.
    We are joined to the domain and authentication is working for everything else.

    This is stopping us from upgrading our systems to AIX 7.3 and is only happening when we go to 7.3 with all other levels the same


    ERROR MSGs are at bottom of this.

    Thanks

    Jaqui

    SYSTEM1 - Fails
    AIX 7.3 7300-01-01-2246
    SSL  3.0.8.1000    
    PBIS 22.3.0.267
    Samba 4.16.8-1


    SYSTEM2 - Works
    AIX 7.2 7200-05-05-2246
    SSL  3.0.8.1000    OR 1.1.2.2000
    PBIS 22.3.0.267 (AD bridge)
    Samba 4.16.8-1


    SYSTEM1 - NOT WORKING
    #rpm -qa | grep samba
    samba-client-4.16.8-1.ppc
    samba-libs-4.16.8-1.ppc
    samba-winbind-clients-4.16.8-1.ppc
    samba-4.16.8-1.ppc
    samba-devel-4.16.8-1.ppc
    samba-winbind-4.16.8-1.ppc
    samba-common-4.16.8-1.ppc
    samba-winbind-krb5-locator-4.16.8-1.ppc

    # rpm -qa | grep smb
    libsmbclient-4.16.8-1.ppc

    #rpm -qa | grep krb
    krb5-libs-1.18.5-2.ppc
    samba-winbind-krb5-locator-4.16.8-1.ppc

    #lslpp -l | grep pbis
      pbis.enterprise         22.3.0.267  COMMITTED  AD Bridge
      pbis.enterprise         22.3.0.267  COMMITTED  AD Bridge

    # lslpp -l | grep ssl
      openssl.base            3.0.8.1000  COMMITTED  Open Secure Socket Layer
      openssl.man.en_US       3.0.8.1000  COMMITTED  Open Secure Socket Layer
      openssl.base            3.0.8.1000  COMMITTED  Open Secure Socket Layer

    # oslevel -s
    7300-01-01-2246


    SYSTEM2 - WORKING
    2#: rpm -qa | grep samba
    samba-common-4.16.8-1.ppc
    samba-winbind-4.16.8-1.ppc
    samba-libs-4.16.8-1.ppc
    samba-4.16.8-1.ppc
    samba-client-4.16.8-1.ppc
    samba-devel-4.16.8-1.ppc
    samba-winbind-clients-4.16.8-1.ppc

    2#: rpm -qa | grep smb
    libsmbclient-4.16.8-1.ppc

    2#: lslpp -l | grep pbis
      pbis.enterprise         22.3.0.267  COMMITTED  AD Bridge
      pbis.enterprise         22.3.0.267  COMMITTED  AD Bridge

    2#: lslpp -l | grep ssl
      openssl.base            1.1.2.2000  COMMITTED  Open Secure Socket Layer
      openssl.license         1.1.2.2000  COMMITTED  Open Secure Socket License
      openssl.man.en_US       1.1.2.2000  COMMITTED  Open Secure Socket Layer
      openssl.base            1.1.2.2000  COMMITTED  Open Secure Socket Layer

    2#: oslevel -s
    7200-05-05-2246

    ERROR MSGS

    *.info log

    Apr 28 11:55:34 SYSTEM1 daemon:err|error smbd[20250990]: [2023/04/28 11:55:34.311511,  0] ../../source3/smbd/server.c:1741(main)
    Apr 28 11:55:34 SYSTEM1 daemon:err|error smbd[20250990]:   smbd version 4.16.8 started.
    Apr 28 11:55:34 SYSTEM1 daemon:err|error smbd[20250990]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
    Apr 28 11:55:34 SYSTEM1 daemon:err|error nmbd[20250998]: [2023/04/28 11:55:34.713781,  0] ../../source3/nmbd/nmbd.c:901(main)
    Apr 28 11:55:34 SYSTEM1 daemon:err|error nmbd[20250998]:   nmbd version 4.16.8 started.
    Apr 28 11:55:34 SYSTEM1 daemon:err|error nmbd[20250998]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[20251006]: [2023/04/28 11:55:35.116845,  0] ../../source3/winbindd/winbindd.c:1723(main)
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[20251006]:   winbindd version 4.16.8 started.
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[20251006]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]: [2023/04/28 11:55:35.162569,  0] ../../source3/winbindd/winbindd_cache.c:3087(initialize_winbindd_cache)
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]: [2023/04/28 11:55:35.180027,  0] ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]:   Could not fetch our SID - did we join?
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]: [2023/04/28 11:55:35.180125,  0] ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]:   unable to initialize domain list
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]: [2023/04/28 11:55:35.180125,  0] ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
    Apr 28 11:55:35 SYSTEM1 daemon:err|error winbindd[17498564]:   unable to initialize domain list
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]: [2023/04/28 11:55:57.823005,  0] ../../source3/nmbd/nmbd_become_lmb.c:398(become_local_master_stage2)
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]:   *****
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]:
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]:   Samba name server SYSTEM1 is now a local master browser for workgroup FTICORPOT on subnet 10.192.194.17
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]:
    Apr 28 11:55:57 SYSTEM1 daemon:err|error nmbd[19726766]:   *****



    ------------------------------
    Jaqui Lynch
    ------------------------------