Created attachment 15478 [details]
compressed file: krb5.conf, log.nmbd, log.winbindd, methods.cfg, nsswitch.conf & smb.conf

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity

I followed the directions from the above website. However, winbindd fails to initialize on my new server build with ADS support. Standalone Samba v4 works fine on the other two AIX systems. The older v3 Samba is also functioning fine.

Debug level 10 output; the complete log is attached.

  interpret_interface: using netmask value 255.255.255.0 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  Netbios name list:-
  my_netbios_names[0]="NRFVCLYDE"
  interpret_interface: using netmask value 255.255.255.0 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  exit_daemon: daemon failed to start: Failed to create session, error code 1

With the -Si & -d10 options:

  interpret_interface: using netmask value 255.255.255.0 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  Netbios name list:-
  my_netbios_names[0]="NRFVCLYDE"
  interpret_interface: using netmask value 255.255.255.0 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  Process with PID=23789688 does not exist.
  TimeInit: Serverzone is 14400
  msg_dgm_ref_destructor: refs=0
  messaging_dgm_ref: messaging_dgm_init returned Error 0
  messaging_dgm_ref: unique = 15999726618317231583
  Attempting to find a passdb backend to match tdbsam (tdbsam)
  No builtin backend found, trying to load plugin
  load_module_absolute_path: Probing module '/opt/freeware/lib/samba/pdb/tdbsam.so'
  load_module_absolute_path: Module '/opt/freeware/lib/samba/pdb/tdbsam.so' loaded
  Attempting to register passdb backend tdbsam
  Successfully added passdb backend 'tdbsam'
  Found pdb backend tdbsam
  pdb backend tdbsam has a valid init
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
  Registering messaging pointer for type 33 - private_data=0
  Registering messaging pointer for type 13 - private_data=0
  Registering messaging pointer for type 1028 - private_data=0
  Registering messaging pointer for type 1027 - private_data=0
  Registering messaging pointer for type 1029 - private_data=0
  Registering messaging pointer for type 1036 - private_data=0
  Registering messaging pointer for type 1035 - private_data=0
  Registering messaging pointer for type 1032 - private_data=0
  Registering messaging pointer for type 1033 - private_data=0
  Registering messaging pointer for type 1034 - private_data=0
  Registering messaging pointer for type 1 - private_data=0
  Overriding messaging pointer for type 1 - private_data=0
  Registering messaging pointer for type 1038 - private_data=0
  wcache_tdc_add_domain: Adding domain BUILTIN ((NULL)), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x1
  pack_tdc_domains: Packing 1 trusted domains
  pack_tdc_domains: Packing domain BUILTIN (UNKNOWN)
  add_trusted_domain: Added domain [BUILTIN] [(NULL)] [S-1-5-32]
  wcache_tdc_add_domain: Adding domain NRFVCLYDE ((NULL)), SID S-1-5-21-3403663269-735214362-347737058, flags = 0x2, attributes = 0x0, type = 0x1
  pack_tdc_domains: Packing 2 trusted domains
  pack_tdc_domains: Packing domain BUILTIN (UNKNOWN)
  pack_tdc_domains: Packing domain NRFVCLYDE (UNKNOWN)
  add_trusted_domain: Added domain [NRFVCLYDE] [(NULL)] [S-1-5-21-3403663269-735214362-347737058]
  Could not fetch our SID - did we join?
  unable to initialize domain list

Below are my various failed combinations:

  interfaces = 10.10.40.255/255.255.255.0
  # interfaces = 10.10.41.15/24 10.10.40.35/24
  # interfaces = 10.10.40.15/255.255.255.0 127.0.0.1/255.0.0.0
  # interfaces = 10.10.40.35/24
  # interfaces = en0

  # netstat -in
  Name  Mtu    Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
  en0   1500   link#2      62.43.3.44.17.4   633284     0  1072294     0     0
  en0   1500   10.10.40    10.10.40.35       633284     0  1072294     0     0
  en0   1500   10.10.40    10.10.40.15       633284     0  1072294     0     0
  en1   1500   link#3      62.43.3.44.17.5   650101     0   213221     0     0
  en1   1500   10.10.41    10.10.41.15       650101     0   213221     0     0
  en2   1500   link#4      62.43.3.44.17.6  1427931     0  1629156     0     0
  en2   1500   172.16.252  172.16.252.15    1427931     0  1629156     0     0
  en3   1500   link#5      62.43.3.44.17.7   680634     0  1224463     0     0
  en3   1500   172.16.253  172.16.253.15     680634     0  1224463     0     0
  lo0   16896  link#1                         54392     0    54392     0     0
  lo0   16896  127         127.0.0.1          54392     0    54392     0     0
  lo0   16896  ::1%1                          54392     0    54392     0     0

  nrfpclydea:/opt/freeware/var # netstat -i
  Name  Mtu    Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
  en0   1500   link#2      62.43.3.44.17.4   633301     0  1072333     0     0
  en0   1500   10.10.40    nrfvclyde         633301     0  1072333     0     0
  en0   1500   10.10.40    nrfpclydea        633301     0  1072333     0     0
  en1   1500   link#3      62.43.3.44.17.5   650115     0   213223     0     0
  en1   1500   10.10.41    nrfpclydea-rpv    650115     0   213223     0     0
  en2   1500   link#4      62.43.3.44.17.6  1427953     0  1629180     0     0
  en2   1500   172.16.252  nrfpclydea-xd1   1427953     0  1629180     0     0
  en3   1500   link#5      62.43.3.44.17.7   680642     0  1224479     0     0
  en3   1500   172.16.253  nrfpclydea-xd2    680642     0  1224479     0     0
  lo0   16896  link#1                         54392     0    54392     0     0
  lo0   16896  127         loopback           54392     0    54392     0     0
  lo0   16896  ::1%1                          54392     0    54392     0     0

  # /opt/freeware/sbin/winbindd --version
  Version 4.10.6
  nrfpclydea:/opt/freeware/var # /opt/freeware/sbin/nmbd --version
  Version 4.10.6

  # rpm -qa | grep sam
  samba-common-4.10.6-1.ppc
  samba-winbind-clients-4.10.6-1.ppc
  samba-winbind-4.10.6-1.ppc
  samba-test-4.10.6-1.ppc
  samba-python-4.10.6-1.ppc
  samba-winbind-devel-4.10.6-1.ppc
  samba-devel-4.10.6-1.ppc
  samba-client-4.10.6-1.ppc
  samba-libs-4.10.6-1.ppc
  samba-4.10.6-1.ppc
  samba-test-libs-4.10.6-1.ppc
  samba-pidl-4.10.6-1.ppc
  samba-winbind-krb5-locator-4.10.6-1.ppc

The host system is AIX 7.1 TL05 SP04.

  # yum install samba
  AIX_Toolbox         | 2.9 kB  00:00:00
  AIX_Toolbox_71      | 2.9 kB  00:00:00
  AIX_Toolbox_noarch  | 2.9 kB  00:00:00
  Setting up Install Process
  Package samba-4.10.6-1.ppc already installed and latest version
  Nothing to do

  # cat /etc/resolv.conf
  #nameserver 10.10.10.50
  #nameserver 10.10.10.51
  nameserver 192.168.4.19
  domain ad.nrfdist.com
  options rotate
  search ad.nrfdist.com

The new AD servers:

  10.10.10.50 NRFVAD01 NRFVAD01.ad.nrfdist.com nrfvad01.ad.nrfdist.com
  10.10.10.51 NRFVAD02 NRFVAD02.ad.nrfdist.com nrfvad02.ad.nrfdist.com

  > set TYPE=SRV
  > NRFVAD01
  Server:   192.168.4.19
  Address:  192.168.4.19#53
  Non-authoritative answer:
  *** Can't find NRFVAD01: No answer
  Authoritative answers can be found from:
  ad.nrfdist.com
          origin = nrfvad02.ad.nrfdist.com
          mail addr = hostmaster.ad.nrfdist.com
          serial = 114325
          refresh = 900
          retry = 600
          expire = 86400
          minimum = 3600
  > set TYPE=SRV
  > NRFVAD02
  Server:   192.168.4.19
  Address:  192.168.4.19#53
  Non-authoritative answer:
  *** Can't find NRFVAD02: No answer
  Authoritative answers can be found from:
  ad.nrfdist.com
          origin = NRFVAD02.ad.nrfdist.com
          mail addr = hostmaster.ad.nrfdist.com
          serial = 114349
          refresh = 900
          retry = 600
          expire = 86400
          minimum = 3600

  # net ads info
  LDAP server: 10.10.10.50
  LDAP server name: NRFVAD01.ad.nrfdist.com
  Realm: AD.NRFDIST.COM
  Bind Path: dc=AD,dc=NRFDIST,dc=COM
  LDAP port: 389
  Server time: Wed, 18 Sep 2019 21:38:06 EDT
  KDC server: 10.10.10.50
  Server time offset: 88
  Last machine account password change: Wed, 31 Dec 1969 19:00:00 EST

  # net ads join -U administrator
  Enter administrator's password:
  Failed to join domain: failed to lookup DC info for domain 'AD.NRFDIST.COM' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.

  # testparm
  Load smb config files from /etc/samba/smb.conf
  Loaded services file OK.
  WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
  (by default Samba will discover the correct DC to contact automatically).
  'winbind separator = +' might cause problems with group membership.
  Server role: ROLE_DOMAIN_MEMBER

Domain details:

  The netbios or pre-windows 2000 name of the domain = ad
  The fqdn for the domain = ad.nrfdist.com
  Domain Controllers = nrfvad01.ad.nrfdist.com 10.10.10.50, nrfvad02.ad.nrfdist.com 10.10.10.51
  The OU that contains user accounts = CN=nrfusers,DC=ad,DC=nrfdist,DC=com
  The account to use when joining the server to the domain: LDAP://nrfvad01.ad.nrfdist.com/CN=aix.sa,CN=users,DC=ad,DC=nrfdist,DC=com

  # cat /etc/samba/user.map
  !root = AD.NRFDIST.COM\Administrator AD.NRFDIST.COM\administrator

The samba-tool is not available with the IBM AIX distribution.
Hi,

I don't know much about AIX, but your config doesn't look good to me.
I suggest you try again with the following settings, adapt where needed and check again.

/etc/hosts
127.0.0.1           localhost
IP of this server   nrfvclyde.ad.nrfdist.com nrfvclyde
# the ip of the server is the one that contains also the A+PTR record.

# AD servers, should resolve through DNS, but this is allowed.
10.10.10.50   nrfvad01.ad.nrfdist.com nrfvad01
10.10.10.51   nrfvad02.ad.nrfdist.com nrfvad02

/etc/resolv.conf
search ad.nrfdist.com
nameserver 10.10.10.50
nameserver 10.10.10.51
options rotate

/etc/krb5.conf
[logging]
    default=FILE:/var/log/krb5/libs.log
    kdc=FILE:/var/log/krb5/kdc.log
    admin_server=FILE:/var/log/krb5/admin.log

[libdefaults]
    default_realm = AD.NRFDIST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

/etc/samba/user.map
# Format: WORKGROUPNAME\Administrator
!root = NRFDIST\Administrator NRFDIST\administrator

/etc/samba/smb.conf
# I removed most of your shares, so re-add these, but have a look at this.
# Much better to read now.
[global]
    private dir = /opt/freeware/var/private
    cache directory = /opt/freeware/var/cache
    lock directory = /opt/freeware/var/locks
    state directory = /opt/freeware/var/locks/state
    binddns dir = /opt/freeware/var/bind-dns

    log file = /opt/freeware/var/log.%m
    log level = smbd:1 passdb:1 auth:1 winbind:1 nmbd:1
    # doubled, the other had: 50
    max log size = 10

    security = ADS
    workgroup = NRFDIST
    realm = AD.NRFDIST.COM
    netbios name = NRFVCLYDE

    server string = CLYDE Samba Server
    os level = 20
    preferred master = no

    interfaces = ens3 lo
    # or: interfaces = ip/mask lo
    # optional: bind interfaces only = yes

    username map = /etc/samba/user.map

    ######################### CNL
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 1000-8999

    # - You must set a DOMAIN backend configuration (should match the workgroup)
    idmap config NRFDIST : backend = rid
    idmap config NRFDIST : range = 10000-999999
    idmap config NRFDIST : unix_nss_info = no

    ########################
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes

    # Only set these to yes while testing; yes slows down your server.
    # use: getent passwd username/group
    winbind enum users = no
    winbind enum groups = no

    # separate domain and username with '+', like DOMAIN+username
    winbind separator = +

    # and this removes the "DOM+" part from your users.
    winbind use default domain = Yes

    # Disable printing
    load printers = no

    # give winbind users a real shell (only needed if they have telnet access)
    template homedir = /usr/users/%U
    template shell = /bin/bash

    # For ACL support on member servers with shares (obligatory for members)
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # other optional settings
    create mask = 0774
    directory mask = 0775

#####################################

[homes]
    read only = No
    browseable = No

[mgmtdata]
    path = /pcdata/mgmtdata
    comment = shared directory for MgmtInqScr data
    writable = yes
    # If you apply all above settings, these "valid users" need to be changed.
    force create mode = 0666
    # I suggest using groups here.
    valid users = \
        NRFDIST+bobb, \
        NRFDIST+wendyj, \
        NRFDIST+peterr, \
        NRFDIST+debbiej, \
        NRFDIST+stephm, \
        NRFDIST+sueb, \
        NRFDIST+andrewr, \
        NRFDIST+billn, \
        NRFDIST+gordons, \
        NRFDIST+gregc2, \
        NRFDIST+brendab2, \
        NRFDIST+erikaw, \
        NRFDIST+operator, \
        NRFDIST+melindab, \
        NRFDIST+donnat

[adtest]
    # Test like this and read man smb.conf
    # read also https://wiki.samba.org/index.php/Samba_File_Serving
    path = /home/billn/tmp
    browseable = yes
    comment = test this share
    writable = yes
    # or 4770
    force directory mode = 4775
    force group = +your-group-here

This should give a better result.
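A small checker for the rules the config above relies on, added here as an example; it is not Samba code and is not part of this bug report. It reads an smb.conf with Python's stdlib configparser and reports the consistency mistakes this thread turns on (and which the testparm run above said nothing about): a workgroup that is not a NetBIOS domain name, no idmap config block for that workgroup, a '*' idmap backend that is not writeable, and overlapping idmap ranges. It also derives the DNS SRV names (_ldap._tcp.dc._msdcs.<realm> and friends) that a domain member resolves to find its DCs, which are what to query with dig or nslookup rather than a DC hostname. Both sample configurations inside the block are constructed for this example: the first mirrors the settings above, the second uses the realm as workgroup and has a range overlap.

```python
"""Consistency check for a Samba AD domain-member smb.conf.

Added example, not Samba's own code.  Rules: 'security = ads' needs
'realm'; 'workgroup' is the NetBIOS domain name (no dots, <= 15 chars);
the '*' idmap domain must use a writeable backend (tdb/autorid); an
'idmap config <WORKGROUP>' block must exist; idmap ranges must not overlap.
srv_names() lists the DNS SRV records a member resolves to find its DCs.
Both sample configs below are constructed for this example.
"""
import configparser
import re

IDMAP_RE = re.compile(r"^idmap config (.+?) : (backend|range)$")
SRV_PREFIXES = ("_ldap._tcp.dc._msdcs.", "_ldap._tcp.",
                "_kerberos._tcp.", "_kerberos._udp.")

# Constructed: the domain-member settings from the config above, trimmed.
GOOD_CONF = """
[global]
security = ADS
workgroup = NRFDIST
realm = AD.NRFDIST.COM
netbios name = NRFVCLYDE
idmap config * : backend = tdb
idmap config * : range = 1000-8999
idmap config NRFDIST : backend = rid
idmap config NRFDIST : range = 10000-999999
winbind use default domain = Yes
"""

# Constructed: realm used as workgroup (so no idmap block matches it) and a
# '*' range that overlaps the domain range.
BAD_CONF = """
[global]
security = ads
workgroup = AD.NRFDIST.COM
realm = AD.NRFDIST.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NRFDIST : backend = rid
idmap config NRFDIST : range = 5000-999999
"""


def parse_smb_conf(text):
    """Parse smb.conf text; keys are lower-cased and whitespace-normalised
    so 'idmap config NRFDIST : range' can be matched reliably."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp


def parse_range(value):
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", value.strip()))
    if lo >= hi:
        raise ValueError("bad idmap range %r" % value)
    return lo, hi


def idmap_domains(cp):
    """Collect {DOMAIN: {'backend': str, 'range': (lo, hi)}} from [global]."""
    domains = {}
    for key, value in cp["global"].items():
        m = IDMAP_RE.match(key)
        if m:
            dom, setting = m.group(1).upper(), m.group(2)
            domains.setdefault(dom, {})[setting] = (
                parse_range(value) if setting == "range" else value.strip().lower())
    return domains


def srv_names(realm):
    """SRV names an AD member queries to locate DCs/KDCs for `realm`."""
    return [prefix + realm.lower() for prefix in SRV_PREFIXES]


def check_member_config(text):
    """Return a list of findings; an empty list means every rule passed."""
    cp = parse_smb_conf(text)
    g = cp["global"]
    findings = []
    if g.get("security", "user").strip().lower() != "ads":
        findings.append("a domain member needs 'security = ads'")
    realm = g.get("realm", "").strip()
    if not realm:
        findings.append("realm is not set; required with security = ads")
    elif realm != realm.upper():
        findings.append("realm %r should be the upper-case Kerberos realm" % realm)
    workgroup = g.get("workgroup", "").strip().upper()
    if not workgroup:
        findings.append("workgroup is not set")
    elif "." in workgroup or len(workgroup) > 15:
        findings.append("workgroup %r is not a NetBIOS domain name "
                        "(no dots, at most 15 characters)" % workgroup)
    domains = idmap_domains(cp)
    star = domains.get("*")
    if star is None:
        findings.append("missing 'idmap config * : ...' block for BUILTIN/local accounts")
    elif star.get("backend") not in ("tdb", "autorid"):
        findings.append("'idmap config * : backend' must be writeable (tdb/autorid), "
                        "got %r" % star.get("backend"))
    if workgroup and workgroup not in domains:
        findings.append("no 'idmap config %s : ...' block matching workgroup (have: %s)"
                        % (workgroup, ", ".join(sorted(domains))))
    ranges = []
    for dom, cfg in domains.items():
        if "range" in cfg:
            ranges.append((dom, cfg["range"]))
        else:
            findings.append("idmap config %s has no range" % dom)
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append("idmap ranges for %s and %s overlap" % (d1, d2))
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name + ":", check_member_config(conf) or ["OK"])
    print("SRV names to query:", *srv_names("AD.NRFDIST.COM"), sep="\n  ")
```

Run it against the real file with `check_member_config(open("/etc/samba/smb.conf").read())`; it complements rather than replaces `testparm`, `net ads testjoin` and `wbinfo --ping-dc`, which exercise the join and the DC connection that this static check cannot.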
Thank you. I changed the workgroup to match the domain & winbindd is now running.

  workgroup = AD.NRFDIST.COM

File /etc/hosts already had the AD servers:

  # cat /etc/hosts | grep vad
  10.10.10.50 NRFVAD01 NRFVAD01.ad.nrfdist.com nrfvad01.ad.nrfdist.com
  10.10.10.51 NRFVAD02 NRFVAD02.ad.nrfdist.com nrfvad02.ad.nrfdist.com

I changed the DNS server to use the AD servers. The 192.168.4.19 is the old AD/DNS server.

  # cat /etc/resolv.conf
  nameserver 10.10.10.50
  nameserver 10.10.10.51
  # nameserver 192.168.4.19
  # domain ad.nrfdist.com
  options rotate
  search ad.nrfdist.com

  Could not find machine account in secrets database: Failed to fetch machine account password for AD.NRFDIST.COM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=AD.NRFDIST.COM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4712) and from /opt/freeware/var/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
  [2019/09/20 09:01:51.894931, 1] ../../source3/winbindd/winbindd_cm.c:1306(cm_prepare_connection)
    Failed to prepare SMB connection to NRFVAD01.ad.nrfdist.com: NT_STATUS_NETWORK_NAME_DELETED

  # nslookup
  > set type=SRV
  > NRFVAD01.ad.nrfdist.com
  Server:   10.10.10.50
  Address:  10.10.10.50#53
  *** Can't find NRFVAD01.ad.nrfdist.com: No answer
  > set type=SRV
  > NRFVAD01
  Server:   10.10.10.50
  Address:  10.10.10.50#53
  *** Can't find NRFVAD01: No answer

Can you tell which directory/files have an issue? From the smbd log:

  messaging_dgm_cleanup(20054066) returned Permission denied
  [2019/09/20 09:00:27.452589, 10, pid=12582966, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm.c:1600(messaging_dgm_wipe_fn)

Also, the samba-tool is not compiled for my distribution. Is this a compiled module or a perl script? Where can I locate a copy for AIX?

  # wbinfo --ping-dc
  checking the NETLOGON for domain[AD.NRFDIST.COM] dc connection to "" failed
  failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

Thank you

Regards,
Chris
This is more of a config support case; please do not use Bugzilla for this but move it to the samba mailing list instead.
Team,

While there may be a configuration issue with the smb.conf, it would be extremely helpful to have a better diagnostic message. I cannot determine my error based on the message.

  interpret_interface: using netmask value 24 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  interpret_interface: Adding interface 127.0.0.1/8
  added interface 127.0.0.1/8 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
  Netbios name list:-
  my_netbios_names[0]="NRFVCLYDE"
  interpret_interface: using netmask value 24 from config file on interface en0
  added interface en0 ip=10.10.40.35 bcast=10.10.40.255 netmask=255.255.255.0
  interpret_interface: Adding interface 127.0.0.1/8
  added interface 127.0.0.1/8 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
  exit_daemon: daemon failed to start: Failed to create session, error code 1

The NETBIOS name & the workgroup names are both found. So, it is a puzzle why the winbindd session failed. Perhaps provide the command so I could see the values. Also, testparm does not report any issues.

Thank you,
Chris