[Samba] Samba 4 AD member server authentication issues, domain vs. ads security

Rowland Penny rpenny at samba.org
Wed Jun 22 16:23:44 UTC 2016

On 22/06/16 17:11, Eric Shell wrote:
> I have an environment with two separate AD instances which each have both a
> samba 3 and samba 4 file server joined to them.  Last week, we began to
> experience authentication failures in both domains on the samba 4 file
> servers.  After a lot of experimenting, we found that changing the security
> setting from domain to ads resolved the problem for the samba 4 servers.
> However, the samba 3 servers are still configured with security = domain
> and are continuing to authenticate users without issue.  Also, due to the
> fact that ads requires a kerberos ticket, there are some clients that can
> no longer authenticate because they are not able to acquire tickets from
> the AD kerberos realms.
> I have a few questions that I've so far been unable to answer:
> 1.  What happened to break authentication for the samba 4 servers last
> week, was it some kind of Microsoft patch perhaps?  Why weren't the samba 3
> servers affected by whatever changed?
> 2.  Is there an "ideal" configuration for a samba file server as a member
> of an AD domain?  From what I've read, ads is the preferred security
> method.  If we should continue using ads, how do we best handle clients
> that will not have kerberos tickets?

Then you haven't visited the Samba wiki, see here:


As for the lack of kerberos tickets, if your machines are joined to an 
AD domain, they should have kerberos tickets.

Can you tell us what OS you are using and can you also post your 
smb.conf files?

