[Samba] change in AD authentication behaviour since 3.0.24

Robert Cohen robert.cohen at anu.edu.au
Wed Feb 20 05:33:56 GMT 2008

On 20/2/08 4:11 PM, "Neal A. Lucier" <nlucier at math.purdue.edu> wrote:

> Robert Cohen wrote:
>> BTW I should mention that we're simply not using winbind.
>> The behaviour I'm talking about is when an XP client machine attempts to
>> connect to our server to get a network share.
>> So winbind doesn't enter into the equation.
> If you are a member server of a Windows 200x domain, you are using
> winbind and it enters into the equation.  I don't know exactly what
> "winbind" is a contraction of, but it always made sense to me to think
> of it as "Windows Bind", as in the ypbind sense.  Anyway it's the part
> of Samba that talks to Windows.

Ok, I thought winbind was only relevant if you were using AD as a NSS (name
service source). We have all the users in the name service from LDAP or
NIS+. We're only getting the passwords from AD.

I guess this could be an unusual combination and could be what's causing our

>>> Just in case theres something in my configuration which is causing the
>>> problem, the relevant bits are.
>>> From smb.conf
>>> ; Security/authentication stuff
>>>   security = ADS
>>>   realm = XX.ANU.EDU.AU
>>>   password server = xx03.anu.edu.au
>>>   password level = 0
>>>   local master = no
>>>   domain master = no
>>>   encrypt passwords = yes
>>>   guest ok = no
> It would be interesting to know what your workgroup setting is as well
> as your idmap settings.  The IDMap subsystem was rewritten (to be vastly
> superior IMHO) for 3.0.25.

We don't have any IDMAP settings.
We have workgroup = XX (our domain).

>>> From krb5.conf
>>> [libdefaults]
>>>         default_realm = XX.ANU.EDU.AU
>>> [realms]
>>>         XX.ANU.EDU.AU = {
>>>                 kdc = xx01.anu.edu.au
>>>                 kdc = xx02.anu.edu.au
>>>                 kdc = xx03.anu.edu.au
>>>                 admin_server = xx01.anu.edu.au
>>>         }
>>> [domain_realm]
>>>         .xx.anu.edu.au = XX.ANU.EDU.AU
>>>         xx.anu.edu.au = XX.ANU.EDU.AU
>>>         .anu.edu.au = XX.ANU.EDU.AU
>>>         anu.edu.au = XX.ANU.EDU.AU
> If this is an MIT Kerberos config file, you don't need it if your ADS
> DNS records are correct.  MIT Kerberos (as well as Heimdal but I can't
> speak about its config file) have extended themselves to embrace
> Microsoft's ADS DNS entries and can query the values and self-configure
> just fine.
> In the "net ads join" step you will need to specify the realm of the
> user, e.g., Administrator at REALM.NAME.COM, but other than that, there is
> no real advantage to configuring a krb5.conf file to Samba.  (Unless
> your DNS is all jacked up as I already said.)
> As I (and others) have mentioned "winbind use default domain = yes"
> should solve the problem; however, you can use it in conjunction with
> "allow trusted domains = no" if you are only using the single domain.  I
> only fully studied the interaction of those 2 directives pre-3.0.25 with
> an interesting idmap config (which the new sub-system made much easier),
> so I'm not sure if "allow trusted domains" will have any real effect here.

Ok, I had a krb5.conf because around 3.0.20 samba AD stopped working if you
didn't have a krb5.conf. net ads join just didn't work if you didn't have
I've only just noticed that it now works again without a krb5.conf.
But even without one, it has the same behaviour.

And allow trusted domains = no doesn't make any difference.

Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
CRICOS Provider #00120C
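Added example, not part of the thread and not Samba's own code: a small smb.conf lint that parses the `[global]` fragment quoted above and flags the points raised in the reply (no `winbind use default domain`, no `idmap` settings, `allow trusted domains` left at its default of yes) alongside two general checks (`encrypt passwords`, `password level`). The parser, the check codes and both sample configurations are the editor's; the `idmap uid`/`idmap gid` ranges in the "suggested" variant are constructed placeholders, not values from the thread.

```python
"""Lint the authentication-related [global] settings of an smb.conf.

Editor's example for the samba-list thread; not Samba code. The checks
encode the advice in the reply (winbind use default domain, allow trusted
domains, idmap) plus two generic password-handling checks.
"""
import re

# Constructed: the [global] fragment quoted in the thread plus the workgroup line.
THREAD_SMB_CONF = """\
[global]
; Security/authentication stuff
  security = ADS
  realm = XX.ANU.EDU.AU
  password server = xx03.anu.edu.au
  password level = 0
  local master = no
  domain master = no
  encrypt passwords = yes
  guest ok = no
  workgroup = XX
"""

# Constructed: the same fragment with the two directives suggested in the reply
# and a placeholder idmap range (3.0.x style `idmap uid`/`idmap gid`).
SUGGESTED_SMB_CONF = THREAD_SMB_CONF + """\
  winbind use default domain = yes
  allow trusted domains = no
  idmap uid = 10000-20000
  idmap gid = 10000-20000
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Samba parameter names are case-insensitive and tolerate arbitrary internal
    whitespace, so keys are normalised to lower case with single spaces.
    Lines starting with ';' or '#' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or no key=value
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def _is_yes(value, default):
    """Samba boolean: yes/true/1 are true; `default` applies when unset."""
    return (value or default).lower() in ("yes", "true", "1")


def audit_global(g):
    """Return (code, message) findings for a parsed [global] section."""
    findings = []
    if g.get("security", "user").lower() != "ads":
        findings.append(("NOT_ADS", "security is not ADS: AD/Kerberos member mode is not in use"))
    if "realm" not in g:
        findings.append(("NO_REALM", "realm is unset: ADS member mode needs the Kerberos realm"))
    if not _is_yes(g.get("encrypt passwords"), "yes"):
        findings.append(("PLAINTEXT_PW", "encrypt passwords = no: passwords would cross the wire in clear"))
    if int(g.get("password level", "0") or 0) > 0:
        findings.append(("PW_LEVEL", "password level > 0: Samba retries case permutations of the password"))
    if not _is_yes(g.get("winbind use default domain"), "no"):  # Samba default: no
        findings.append(("NO_DEFAULT_DOMAIN", "winbind use default domain is not yes: bare usernames are not mapped to the member domain"))
    if _is_yes(g.get("allow trusted domains"), "yes"):  # Samba default: yes
        findings.append(("TRUSTED_DOMAINS", "allow trusted domains is yes: set no when only the member domain is used"))
    if not any(k.startswith("idmap") for k in g):
        findings.append(("NO_IDMAP", "no idmap settings: winbind has no uid/gid range to allocate from"))
    return findings


def audit_text(text):
    """Convenience wrapper: finding codes for the [global] section of `text`."""
    return [code for code, _ in audit_global(parse_smb_conf(text).get("global", {}))]


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_SMB_CONF), ("suggested", SUGGESTED_SMB_CONF)):
        print(name, audit_text(conf))
```

Run stand-alone it prints the three finding codes for the quoted configuration and an empty list for the variant that applies the reply's suggestions; point `audit_text` at the contents of a real smb.conf to lint it the same way.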
