[Samba] Winbind user authentication (-a) fails, but kerberos authentication succeeds

Steven Moyse smoyse at civica.com.au
Mon Oct 25 17:11:23 MDT 2010

I have tried various settings for the Authentication Methods, all with 
similar results, currently set for NTLMv2 only. I don't know why wbinfo 
attempts plaintext auth when it is turned off in smb.conf.
Also I have upgraded to the latest Samba available from RedHat, which 
did at least allow me to do on the fly account creation. I thought the 
two symptoms were linked, but obviously I was mistaken.
The only other clue I have is that I can't use smbclient to list or 
connect to shares on the Linux box (But can with Kerberos auth), but I 
can for shares on Windows machines.



charles weber wrote:
> Is AD set for ntlmv2 only?
> On Oct 22, 2010, at 8:45 AM, Robert Freeman-Day wrote:
>> Hash: SHA1
>> On 10/21/2010 09:36 PM, Gaiseric Vandal wrote:
>>> What kind of domain -  samba PDC or Windows Active Directory ?   Maybe the
>>> samba version is just too old.
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>>> On Behalf Of Steven Moyse
>>> Sent: Thursday, October 21, 2010 8:52 PM
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Winbind user authentication (-a) fails, but kerberos
>>> authentication succeeds
>>> I am having trouble setting up winbind authentication.
>>> I have successfully joined the domain
>>> winbind -t OK
>>> winbind -u OK
>>> winbind -g OK
>>> winbind -K 'DOMAIN\user%password' OK
>>> winbind -a 'DOMAIN\user%password' FAIL
>>> For winbind -a:
>>> Plaintext authentication is attempted, and fails with
>>> challenge/response authentication is attempted, and fails with
>>> Am using SAMBA 3.0.33 on Redhat 5.4 patched to latest.
>>> I have previously configured many SAMBA servers
>> If you are joined to a Windows domain, you can update your RHEL to 5.5
>> and take advantage of Red Hat's Samba3x package.  I wrote up a quickie
>> migration doc to get there:
>> https://wiki.uits.iu.edu/confluence-prd/pages/viewpage.action?pageId=116097702
>> It may be a good idea to migrate to it anyway to take advantages of
>> newer features.
>> - -- 
>> ________
>> Robert Freeman-Day
>> https://launchpad.net/~presgas
>> GPG Public Key:
>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>> iEYEARECAAYFAkzBh18ACgkQup357T5MfTYAgACfeuGaOaI51WMgD86dVNCgzq4b
>> agkAoM2a2FT4qJSBC126yz1H/Zg/fCbP
>> =pzMb
>> -----END PGP SIGNATURE-----
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

Steven Moyse

Civica Pty Ltd
96 - 102 Lambton Rd. Broadmeadow NSW 2292
Phone:  02 4941 9493 (-9499 FAX)
email: smoyse at civica.com.au


This email is from Civica Pty Limited and it, together with 
any attachments, is confidential to the intended recipient(s) 
and the contents may be legally privileged or contain 
proprietary and private information. It is intended solely 
for the person to whom it is addressed. If you are not an 
intended recipient, you may not review, copy or distribute 
this email. If received in error, please notify the sender 
and delete the message from your system immediately. Any 
views or opinions expressed in this email and any files 
transmitted with it are those of the author only and may 
not necessarily reflect the views of Civica and do not create 
any legally binding rights or obligations whatsoever. Unless 
otherwise pre-agreed by exchange of hard copy documents 
signed by duly authorised representatives, contracts may not 
be concluded on behalf of Civica by email. Please note that 
neither Civica nor the sender accepts any responsibility for 
any viruses and it is your responsibility to scan the email 
and the attachments (if any). All email received and sent by 
Civica may be monitored to protect the business interests of 

More information about the samba mailing list