[Samba] Samba 4 AD member server authentication issues, domain vs. ads security
Eric Shell
eshell at ucsc.edu
Wed Jun 22 18:29:32 UTC 2016
I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS
errors when authentication attempts were failing. Workstations in the
domains were still able to authenticate, however, and I verified that the
DNS records were still correct. The SRV records were all in place and the
domain controllers' host names were resolving.
On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell <eshell at ucsc.edu> wrote:
> Thanks for the quick replies.
>
> One domain is at Windows Server 2008 functional level, and the other is
> Windows Server 2012 R2. The samba 4 servers are running 4.2.10 and the
> samba 3 servers are running 3.6.23, both from rpms available from either
> the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6).
>
> Here's the smb.conf used on the two samba 4 servers:
>
> [global]
>> workgroup = BSOE
>> server string = SAMBA-01
>> netbios name = SAMBA-01
>> realm = ad.soe.ucsc.edu
>> security = ads
>> log file = /var/log/samba.log
>> log level = 2
>> browseable = yes
>> read only = no
>> local master = no
>> load printers = no
>> preserve case = yes
>> case sensitive = yes
>> wins support = no
>> passdb backend = tdbsam
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>> client ldap sasl wrapping = sign
>> short preserve case = yes
>> nt acl support = no
>> wide links = no
>> unix extensions = no
>> strict locking = no
>> kernel change notify = no
>
> include = /etc/samba/shares.conf
>
>
> Rowland, I changed the security option based on the example on that page
> of the wiki but I didn't perform the winbind portion because I wasn't sure
> whether it was necessary or wise. The issue with some clients not having
> kerberos tickets is that we have some systems that are not integrated with
> AD and have been using password authentication thus far. If possible, we
> would like to continue to be able to use password authentication for
> clients that aren't part of the domains since some of them will not/can not
> be joined.
>
--
Eric Shell
UNIX Software & Google Apps Administrator
Baskin School of Engineering
UC Santa Cruz
831 459 4919
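
An added example, not part of the original message and not Samba project code: a short Python check over the [global] section quoted above. It lists what the member server depends on to find a logon server: the DNS SRV names derived from `realm`, and whether any winbind `idmap config` lines are present. The function names and the choice of checks are assumptions; the sample is a subset of the posted smb.conf.

```python
# Added example: SAMPLE is a subset of the [global] section quoted in the
# message; the checks themselves are assumptions, not Samba project code.
SAMPLE = """\
[global]
workgroup = BSOE
netbios name = SAMBA-01
realm = ad.soe.ucsc.edu
security = ads
passdb backend = tdbsam
client ldap sasl wrapping = sign
include = /etc/samba/shares.conf
"""


def parse_global(text):
    """Return the [global] parameters, names lower-cased and space-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def review_member_config(params):
    """List what this member server relies on to reach a logon server."""
    notes, realm = [], params.get("realm", "").lower()
    if params.get("security", "").lower() == "ads":
        if not realm:
            notes.append("security = ads but no realm is set")
        elif params.get("password server", "*") == "*":
            # Without a fixed 'password server', DCs are found through DNS.
            notes.append("DC lookup via SRV: _ldap._tcp.dc._msdcs." + realm)
            notes.append("KDC lookup via SRV: _kerberos._tcp." + realm)
    if not any(name.startswith("idmap config") for name in params):
        notes.append("no 'idmap config' lines: winbind ID mapping not configured")
    if "include" in params:
        notes.append("also review included file: " + params["include"])
    return notes


if __name__ == "__main__":
    for note in review_member_config(parse_global(SAMPLE)):
        print("-", note)
```

The SRV names it prints are the ones to query from the member server itself when the log shows NT_STATUS_NO_LOGON_SERVERS.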