[Samba] Samba + Winbind ADS on Win2012 AD with Native 2003 domain forest level

Andrej Pintar api984 at gmail.com
Tue Apr 16 13:01:38 MDT 2013 

Hello,

I am trying to connect samba to our NEW DCs running win2012 AD. Now I 
can join samba using net join and winbind lists users and groups but 
USER AUTH fails at by using smbclient and wbinfo -a. Error that I get is 
ACCESS DENIED. Now I'm guessing that something must be blocked on 
Windows servers that does not allow Winbind to authenticate. I tryed 
Samba 3.0.33 , 3.6.6 (3x package) , samba 4.0.0. All samba servers give 
same error. Kerberos is working. nsswitch is configured. I also added 
PAM auth. GPO policy? Winbind is the main problem currently. RPC server 
on win2012 (port 139) security. NTLM is allowed on LocalPolicy. SMB 
signing is enabled and working as I saw the samba logs. Tryed to google 
and reconfigure smb.conf many times. No sucess in 2 weeks yet. I am not 
giving up. I really want to know why its not working.

Have not tryed samba with SSSD yet because I am a little afraid to 
upgrade AD schema? should be painless right? because these are prod servers.

Linux: Centos 5.2 (will upgrade to 5.9) - tryed a VBOX 5.9- same error 
version does not matter.
Windows: 2x 2012 DC with AD 2003 native domain
Windows SBS : still connected to these DCs. Disabled SBcore so server 
will not shutdown by itself
because of EULA and SBS limits. This server is gonna retire once I setup 
samba to work with new DCs.
AD schema was migrated with exchange attributes so it works with postfix.

SMBclients error: SPNEGO auth fails.
Winbind: ACCESS_DENIED (0x00000022) -something like that

Hope anyone knows some windows server trick to make winbind work. I do 
thing its a security
feature that needs to be disabled.

Any thoughts?

-- 
Andrej Pintar

email : api984 at gmail.com
            andrej at skrad.com
            api984 at api984.net
web: http://www.api984.net
contact cell: 00385 98 790 639
home server: http://anetlocal.poweredbyclear.com
ICQ: 191748772
Skype: api9841
Twitter: api984
MSN: fatallord at hotmail.com
IRC: api984, freenode.net
::Software is like sex: it's better when it's free::

More information about the samba mailing list