[Samba] change in AD authentication behaviour since 3.0.24

Neal A. Lucier nlucier at math.purdue.edu
Wed Feb 20 05:11:18 GMT 2008

Robert Cohen wrote:
> BTW I should mention that we're simply not using winbind.
> The behaviour I'm talking about is when an XP client machine attempts to
> connect to our server to get a network share.
> So winbind doesn't enter into the equation.

If you are a member server of a Windows 200x domain, you are using 
winbind and it enters into the equation.  I don't know exactly what 
"winbind" is a contraction of, but it always made sense to me to think 
of it as "Windows Bind", as in the ypbind sense.  Anyway it's the part 
of Samba that talks to Windows.

>> Just in case theres something in my configuration which is causing the
>> problem, the relevant bits are.
>>> From smb.conf
>> ; Security/authentication stuff
>>   security = ADS
>>   realm = XX.ANU.EDU.AU
>>   password server = xx03.anu.edu.au
>>   password level = 0
>>   local master = no
>>   domain master = no
>>   encrypt passwords = yes
>>   guest ok = no

It would be interesting to know what your workgroup setting is as well 
as you idmap settings.  The IDMap subsystem was rewritten (to be vastly 
superior IMHO) for 3.0.25.

>>> From krb5.conf
>> [libdefaults]
>>         default_realm = XX.ANU.EDU.AU
>> [realms]
>>         XX.ANU.EDU.AU = {
>>                 kdc = xx01.anu.edu.au
>>                 kdc = xx02.anu.edu.au
>>                 kdc = xx03.anu.edu.au
>>                 admin_server = xx01.anu.edu.au
>>         }
>> [domain_realm]
>>         .xx.anu.edu.au = XX.ANU.EDU.AU
>>         xx.anu.edu.au = XX.ANU.EDU.AU
>>         .anu.edu.au = XX.ANU.EDU.AU
>>         anu.edu.au = XX.ANU.EDU.AU

If this is an MIT Kerberos config file, you don't need it if your ADS 
DNS records are correct.  MIT Kerberos (as well as Heimdal but I can't 
speak about its config file) have extended themselves to embrace 
Microsoft's ADS DNS entries and can query the values and self-configure 
just fine.

In the "net ads join" step you will need to specify the realm of the 
user, e.g., Administrator at REALM.NAME.COM, but other than that, there is 
no real advantage to configuring a krb5.conf file to Samba.  (Unless 
your DNS is all jacked up as I already said.)

As I (and others) have mentioned "winbind use default domain = yes" 
should solve the problem; however, you can use it in conjunction with 
"allow trusted domains = no" if you are only using the single domain.  I 
only fully studied the interaction of those 2 directives pre-3.0.25 with 
an interesting idmap config (which the new sub-system made much easier), 
so I'm not sure if "allow trusted domains" will have any real affect here.

More information about the samba mailing list