Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed
Thomas Schulz
schulz at adi.com
Tue Apr 19 17:36:11 UTC 2016
I wonder if the following indicates a reduction in security with
Samba 4.4.2, or is it just an unimportant warning?
> Testing Samba 4.4.2 as a file server running on Solaris 10 i386
> with a Windows Server 2000 computer as the DC.
>
> Upon startup the smb.log contains the following:
>
> [2016/04/15 10:08:09.738117, 0] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
> [2016/04/15 10:08:09.738732, 0] ../source3/printing/nt_printing.c:187(nt_printing_init)
> nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>
>
> These messages do not show up with 4.4.0.
>
> The output to testparm is:
>
> # Global parameters
> [global]
> realm = ADI.COM
> server string =
> workgroup = ADI
> client ldap sasl wrapping = plain
> log file = /opt/local/samba4/var/logs/%h/log.%m
> max log size = 1500
> lock directory = /var/samba/locks/%h
> pid directory = /var/samba/locks/%h
> load printers = No
> printcap name = /etc/printers.samba
> name resolve order = bcast host
> unix extensions = No
> client NTLMv2 auth = No
> client signing = if_required
> guest account = nobody2
> security = ADS
> require strong key = No
> winbind sealed pipes = No
> dns proxy = No
> idmap config * : backend = tdb
> delete readonly = Yes
> dos filemode = Yes
> include = /opt/local/samba4/etc/smb.conf.mackerel
> wide links = Yes
> printing = sysv
> msdfs root = Yes

Just for testing I added the following parameters to see if they had
any effect on the above messages. There was no change.

ldap server require strong auth = No
client use spnego = No
use spnego = No
client ipc signing = No
client lanman auth = Yes
lanman auth = Yes
raw NTLMv2 auth = Yes
server signing = if_required
tls verify peer = no_check

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com