[Samba] Samba 4 AD member server authentication issues, domain vs. ads security

Eric Shell eshell at ucsc.edu
Wed Jun 22 16:44:37 UTC 2016


Thanks for the quick replies.

One domain is at Windows Server 2008 functional level, and the other is
Windows Server 2012 R2.  The samba 4 servers are running 4.2.10 and the
samba 3 servers are running 3.6.23, both from rpms available from either
the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6).

Here's the smb.conf used on the two samba 4 servers:

[global]
  workgroup = BSOE
  server string = SAMBA-01
  netbios name = SAMBA-01
  realm = ad.soe.ucsc.edu
  security = ads
  log file = /var/log/samba.log
  log level = 2
  browseable = yes
  read only = no
  local master = no
  load printers = no
  preserve case = yes
  case sensitive = yes
  wins support = no
  passdb backend = tdbsam
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  client ldap sasl wrapping = sign
  short preserve case = yes
  nt acl support = no
  wide links = no
  unix extensions = no
  strict locking = no
  kernel change notify = no

  include = /etc/samba/shares.conf


Rowland, I changed the security option based on the example on that page of
the wiki but I didn't perform the winbind portion because I wasn't sure
whether it was necessary or wise.  The issue with some clients not having
kerberos tickets is that we have some systems that are not integrated with
AD and have been using password authentication thus far.  If possible, we
would like to continue to be able to use password authentication for
clients that aren't part of the domains since some of them will not/can not
be joined.
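An added example, not part of this thread or of the Samba project: a small Python checker that parses a pasted [global] section (tolerating any "> " mail-quote prefixes) and flags what an AD domain member needs. The sample config below is constructed from the post, and the idmap requirement follows the Samba wiki's domain-member setup, which the checks assume.

```python
import re

# Constructed sample: a trimmed copy of the [global] section from the post,
# as it might arrive with a mail client's "> " quote prefix on each line.
SAMPLE_SMB_CONF = """[global]
>  workgroup = BSOE
>  realm = ad.soe.ucsc.edu
>  security = ads
>  passdb backend = tdbsam
>  client ldap sasl wrapping = sign
>  nt acl support = no
 include = /etc/samba/shares.conf
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\s*(>\s*)+", "", raw).strip()  # drop "> " quote prefixes
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ad_member(conf):
    """Return findings for an AD domain-member [global] section (empty = ok)."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security should be 'ads' for an AD member; "
                        "'domain' reaches the DC with NTLM only, never Kerberos")
    if not g.get("realm"):
        findings.append("realm is required with security = ads")
    if not g.get("workgroup"):
        findings.append("workgroup (the NetBIOS domain name) is required")
    if not any(k.startswith("idmap config") for k in g):
        findings.append("no 'idmap config' lines: winbind cannot map domain "
                        "SIDs to Unix UIDs/GIDs, so domain logons fail at the share")
    return findings

if __name__ == "__main__":
    for f in check_ad_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("FINDING:", f)
```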

