[Samba] Samba 4.2.0rc4 can't authenticate users

Thomas Schulz schulz at adi.com
Mon Feb 23 14:23:06 MST 2015

>>> On Thu, 2015-02-12 at 11:44 -0500, Thomas Schulz wrote:
>>>> This problem shows up on both Linux and Solaris. I am going to show
>>>> the logs from a Fedora 2.6.25-14.fc9.i686 machine.
>>>> We are using 'security = domain' with a Windows 2000 domain controller.
>>>> We are setting 'password server = starfish2' despite the fact that the
>>>> documentation says that this is not necessary as we have found it to
>>>> be necessary. We are setting 'workgroup = adi'.
>>> Can you use security=ads
>>>> I installed Samba 4.2.0rc4 in the same location as a previous 4.1.7
>>>> installation after removing everything in bin, sbin & lib. We are
>>>> running just nmbd and smbd.
>>> Please also run winbindd.  The old code to pass authentication to the DC
>>> without winbindd is much less reliable, it has to find and set up the DC
>>> connection every time.  (It has probably got better in recent git
>>> master, but that's mostly because making it use better common code
>>> helped us get rid of old code, rather than this being a use case we want
>>> to encourage). 
>>> Andrew Bartlett
>> I was thinking about trying security=ads late yesterday after verifying
>> that security=user did work (I had an old smbpasswd file laying around).
>> security=ads does work. On the linux machine it just worked. On the
>> Solaris machine I had to re-join the domain first.
>> BUT, I had to revert to Samba 4.1.16 to get a net command that would work.
>> The Samba 4.2.0rc4 net command produced the following output:
>> ./net join member -Wadi -Uadministrator -Sstarfish2
>> Enter administrator's password:
>> ads_setup_sasl_wrapping() failed: The request is not supported.
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: The request is not supported.
>> Failed to join domain: failed to connect to AD: The request is not supported.
>> ADS join did not work, falling back to RPC...
>> Enter administrator's password:
>> ads_setup_sasl_wrapping() failed: The request is not supported.
>> So there is a problem there. Also, I would think that you would need to
>> support security=domain for people who have Domain Controllers that do
>> not support Active Directory.
>> I will look into running winbindd. But I absolutely do not want to use
>> it for unix logins. The server that runs the real copy of Samba is also
>> an important NFS server and I do not want it to rely on our Windows DC
>> for accounts.
> I just tried starting winbindd but I did so without making any changes
> to my smb.conf file. I suspect that some changes would be required for
> this test to have any value. In any case, running winbindd did not help.
> I just attached a new log file to Bug 11098. I think that this log file
> may actually have useful information in it!

Success in getting it to work with security=domain.

If I set "client ldap sasl wrapping = plain" AND run winbindd then 4.2.0rc4
will authenticate with a Windows 2000 DC.

Also, with "client ldap sasl wrapping = plain" set, the net join command
will work.

The first time I try to connect after starting the servers, my PC says
that the service is not started, but if I immediately retry the
connection succeeds.

With security=ads, winbindd does not have to be running and "client ldap sasl
wrapping = plain" does not have to be set, but without "client ldap sasl
wrapping = plain" being set the net join command does not work.

So, there does seem to be a bug in the authenticate code in smbd for the case
when security=domain is set. At least in the case where a Windows 2000 DC is
being used. The last log file attached to Bug 11098 is for this case.
Setting "client ldap sasl wrapping = plain" does not help in this case.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
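Added here as an example, not code from the thread or from Samba: a POSIX shell checker that reads an smb.conf [global] section and reports the two settings the mail above turned on (the security mode and client ldap sasl wrapping), with the caveat that plain wrapping leaves the LDAP session to the DC neither signed nor sealed. The function names and the sample smb.conf are constructed; on a real install, confirm the effective values with testparm -s.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): read an smb.conf and report the
# settings this thread turned on. Pure sh + awk, so it runs without Samba installed.
# Function names and the sample smb.conf below are constructed for illustration.

# smb_global_value FILE KEY: print KEY's value from the [global] section.
# Key match ignores case and spaces like Samba does; when a key is repeated the
# last occurrence wins, which is also how Samba resolves duplicates.
smb_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { sec = tolower($0); sub(/^[ \t]*\[/, "", sec)
                        sub(/\].*$/, "", sec); gsub(/[ \t]/, "", sec); next }
        sec == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key == want) {
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val); last = val
            }
        }
        END { print last }' "$1"
}

# smb_auth_report FILE: one line describing how logons reach the DC, plus a
# warning when "client ldap sasl wrapping = plain" is set: plain means the LDAP
# session to the DC is neither signed nor sealed.
smb_auth_report() {
    sec=$(smb_global_value "$1" security | tr 'A-Z' 'a-z')
    wrap=$(smb_global_value "$1" "client ldap sasl wrapping" | tr 'A-Z' 'a-z')
    case "$sec" in
        domain) msg="security=domain: smbd relays logons to the DC (thread: needs winbindd and plain wrapping against a Windows 2000 DC)" ;;
        ads)    msg="security=ads: Kerberos/LDAP member (thread: winbindd optional, net join still needed plain wrapping)" ;;
        *)      msg="security=${sec:-unset}: no domain logon path to check" ;;
    esac
    if [ "$wrap" = plain ]; then
        msg="$msg; WARNING: LDAP signing and sealing disabled"
    fi
    printf '%s\n' "$msg"
}

# Constructed sample mirroring the thread's working security=domain setup.
sample=$(mktemp)
printf '[global]\n\tworkgroup = adi\n\tsecurity = domain\n\tpassword server = starfish2\n\t; workaround from the thread\n\tClient LDAP SASL Wrapping = plain\n[homes]\n\tread only = no\n' > "$sample"
smb_auth_report "$sample"
rm -f "$sample"
```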
