[Samba] Samba 4 AD member server authentication issues, domain vs. ads security

mathias dufresne infractory at gmail.com
Wed Jun 22 16:24:23 UTC 2016


Hi Eric,

No idea, I haven't touched Samba 3 for years, but you should mention which
versions you are using, for your domains (and also whether they are NT4
or AD; even if it looks like they are NT4, I can't really be sure) and your
file servers.

That would certainly help people around here who know smb.conf and its
history (much) better than I do ;)

Cheers,

mathias

2016-06-22 18:11 GMT+02:00 Eric Shell <eshell at ucsc.edu>:

> I have an environment with two separate AD instances which each have both a
> samba 3 and samba 4 file server joined to them.  Last week, we began to
> experience authentication failures in both domains on the samba 4 file
> servers.  After a lot of experimenting, we found that changing the security
> setting from domain to ads resolved the problem for the samba 4 servers.
>
> However, the samba 3 servers are still configured with security = domain
> and are continuing to authenticate users without issue.  Also, due to the
> fact that ads requires a kerberos ticket, there are some clients that can
> no longer authenticate because they are not able to acquire tickets from
> the AD kerberos realms.
>
> I have a few questions that I've so far been unable to answer:
>
> 1.  What happened to break authentication for the samba 4 servers last
> week, was it some kind of Microsoft patch perhaps?  Why weren't the samba 3
> servers affected by whatever changed?
>
> 2.  Is there an "ideal" configuration for a samba file server as a member
> of an AD domain?  From what I've read, ads is the preferred security
> method.  If we should continue using ads, how do we best handle clients
> that will not have kerberos tickets?