[Samba] Samba 4.2.0rc4 can't authenticate users

Thomas Schulz schulz at adi.com
Fri Feb 20 12:57:06 MST 2015

> > On Thu, 2015-02-12 at 11:44 -0500, Thomas Schulz wrote:
> > > This problem shows up on both Linux and Solaris. I am going to show
> > > the logs from a Fedora 2.6.25-14.fc9.i686 machine.
> > > 
> > > We are using 'security = domain' with a Windows 2000 domain controller.
> > > We are setting 'password server = starfish2' despite the fact that the
> > > documentation says that this is not necessary as we have found it to
> > > be necessary. We are setting 'workgroup = adi'.
> > 
> > Can you use security=ads?
> > 
> > > I installed Samba 4.2.0rc4 in the same location as a previous 4.1.7
> > > installation after removing everything in bin, sbin & lib. We are
> > > running just nmbd and smbd.
> > 
> > Please also run winbindd.  The old code to pass authentication to the DC
> > without winbindd is much less reliable, it has to find and set up the DC
> > connection every time.  (It has probably got better in recent git
> > master, but that's mostly because making it use better common code
> > helped us get rid of old code, rather than this being a use case we want
> > to encourage). 
> > 
> > Andrew Bartlett
> I was thinking about trying security=ads late yesterday after verifying
> that security=user did work (I had an old smbpasswd file lying around).
> security=ads does work. On the Linux machine it just worked. On the
> Solaris machine I had to re-join the domain first.
> BUT, I had to revert to Samba 4.1.16 to get a net command that would work.
> The Samba 4.2.0rc4 net command produced the following output:
> ./net join member -Wadi -Uadministrator -Sstarfish2
> Enter administrator's password:
> ads_setup_sasl_wrapping() failed: The request is not supported.
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: The request is not supported.
> Failed to join domain: failed to connect to AD: The request is not supported.
> ADS join did not work, falling back to RPC...
> Enter administrator's password:
> ads_setup_sasl_wrapping() failed: The request is not supported.
> So there is a problem there. Also, I would think that you would need to
> support security=domain for people who have Domain Controllers that do
> not support Active Directory.
> I will look into running winbindd. But I absolutely do not want to use
> it for unix logins. The server that runs the real copy of Samba is also
> an important NFS server and I do not want it to rely on our Windows DC
> for accounts.

I just tried starting winbindd but I did so without making any changes
to my smb.conf file. I suspect that some changes would be required for
this test to have any value. In any case, running winbindd did not help.

I just attached a new log file to Bug 11098. I think that this log file
may actually have useful information in it!

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
