samba4 alpha16 windows clients issue after alpha15 migration and samba config problems

David Lindauer david at
Sun Jan 22 13:23:12 MST 2012

I migrated our Ubutnu samba4 alpha15 server to a new Ubuntu install and 
samba alpha 16.  I copied over my etc, var, and private folders and got 
samba to run and to authenticate.  In order to try to get it all the way 
online, I connected it to the old alpha15 server and let it join the 
active directory (planning to retire other machine).

The server is setup as and the clients are all in the same /24 
(via openvpn), and all the dns entries point to the public IPs (samba is 
listening on public and private IPs momentarily).

I AM able to authenticate with pam_winbind, however there are two problems:
  #1 - Windows 7 PCs are able to browse the shares list via \\ 
(it's ignoring 'browseable = No' on shares annoyingly), however Windows 
throws an error when trying to open the shares "The parameter is 
incorrect".  If I open cmd and "net use \\\share_name /delete" 
on a share I've tried to access, and remap it via "net use 
\\\share_name /U username" I CAN successfully access (only) that 
specific share and work on files.

#2 - A couple of errors keep showing up in the Samba log now (which I 
believe is related to the above)
[2012/01/22 15:02:46,  1] 
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed
[2012/01/22 15:02:46,  2] 
   dcerpc: bind_nak reason 0
[2012/01/22 15:02:46,  0] 
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at[1024,seal,krb5] 

I think that Samba is currently listing out the shares to anonymous 
users, and then it is not allowing / forcing the windows machine to 
authenticate itself.  None of the previous config variables for 'guest 
ok' or 'restrict anonymous' work on samba4 and I can't find anyway to 
force it.  I also had pam_winbind set to 
"require_membership_of=S-1-5-rest-of-sid" and it didn't work at all.  I 
had users not within that group, and they were still able to connect via 
ssh.  I tried having it in all 3 files that pam_winbind is listed in 
common-* for and nothing was restricted.

My smb.conf:

I'm not sure if this is a problem with corruption in my AD now or if 
it's an issue with the authentication, this is using the latest pull 
from git as of a couple days ago, previously tried it with a week+ copy 
of it.  I have iptables completely letting all traffic through for 
troubleshooting purposes to confirm it's not firewall related.  thanks 
for any thoughts on this

More information about the samba-technical mailing list