[Samba] change in AD authentication behaviour since 3.0.24

Robert Cohen robert.cohen at anu.edu.au
Wed Feb 20 00:12:39 GMT 2008

We have noticed a change in the way AD authentication behaves starting with
3.0.25. Ive been hoping it was a bug and someone would notice and fix it.
But since its still there as of 3.0.28, I guess its a feature :-).

Anyway, our users on XP machines used to be able to authenticate against AD
with just a username/password eg u1234567. But as of 3.0.25 they need to use
a fully qualified username eg XX\u1234567 to authenticate.
Otherwise it appears to be attempting to authenticate against the local

Is there some setting I can use to get the old behaviour back?
Or is the old behaviour simply incorrect, and I'll just have to bite the
bullet and re-educate our users. The hassle is that lots of them have canned
scripts which they have been carting around forever which use the old

Just in case theres something in my configuration which is causing the
problem, the relevant bits are.

>From smb.conf

; Security/authentication stuff
  security = ADS
  realm = XX.ANU.EDU.AU
  password server = xx03.anu.edu.au
  password level = 0
  local master = no
  domain master = no
  encrypt passwords = yes
  guest ok = no

>From krb5.conf
        default_realm = XX.ANU.EDU.AU

        XX.ANU.EDU.AU = {
                kdc = xx01.anu.edu.au
                kdc = xx02.anu.edu.au
                kdc = xx03.anu.edu.au
                admin_server = xx01.anu.edu.au

        .xx.anu.edu.au = XX.ANU.EDU.AU
        xx.anu.edu.au = XX.ANU.EDU.AU
        .anu.edu.au = XX.ANU.EDU.AU
        anu.edu.au = XX.ANU.EDU.AU

The "net ads join" commands have been run to add the machine to the AD
domain and it was working fine prior to 3.0.25

Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
CRICOS Provider #00120C

More information about the samba mailing list