[Samba] Samba 4 AD member server authentication issues, domain vs. ads security

Rowland Penny rpenny at samba.org
Wed Jun 22 19:52:17 UTC 2016


On 22/06/16 19:29, Eric Shell wrote:
> I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS
> errors when authentication attempts were failing.  Workstations in the
> domains were still able to authenticate, however, and I verified that the
> DNS records were still correct.  The SRV records were all in place and the
> domain controllers' host names were resolving.
>
> On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell <eshell at ucsc.edu> wrote:
>
>> Thanks for the quick replies.
>>
>> One domain is at Windows Server 2008 functional level, and the other is
>> Windows Server 2012 R2.  The Samba 4 servers are running 4.2.10 and the
>> Samba 3 servers are running 3.6.23, both from RPMs available from either
>> the CentOS 6 or 7 repos (Samba 4 on CentOS 7, Samba 3 on CentOS 6).
>>
>> Here's the smb.conf used on the two samba 4 servers:
>>
>> [global]
>>>   workgroup = BSOE
>>>   server string = SAMBA-01
>>>   netbios name = SAMBA-01
>>>   realm = ad.soe.ucsc.edu
>>>   security = ads
>>>   log file = /var/log/samba.log
>>>   log level = 2
>>>   browseable = yes
>>>   read only = no
>>>   local master = no
>>>   load printers = no
>>>   preserve case = yes
>>>   case sensitive = yes
>>>   wins support = no
>>>   passdb backend = tdbsam
>>>   printing = bsd
>>>   printcap name = /dev/null
>>>   disable spoolss = yes
>>>   client ldap sasl wrapping = sign
>>>   short preserve case = yes
>>>   nt acl support = no
>>>   wide links = no
>>>   unix extensions = no
>>>   strict locking = no
>>>   kernel change notify = no
>>   include = /etc/samba/shares.conf
>>
>>
>> Rowland, I changed the security option based on the example on that page
>> of the wiki but I didn't perform the winbind portion because I wasn't sure
>> whether it was necessary or wise.  The issue with some clients not having
>> Kerberos tickets is that we have some systems that are not integrated with
>> AD and have been using password authentication thus far.  If possible, we
>> would like to continue to be able to use password authentication for
>> clients that aren't part of the domains since some of them will not/cannot
>> be joined.
>>
>
>


OK, back in April, Samba released major security releases, amongst which
was version 4.2.11. This included a regression fix for 4.2.10 (which
wasn't released); Red Hat released this as 4.2.10.
There has been another release since then (4.2.12); this was to fix a
number of regressions from 4.2.11.

You can read the release notes here:

https://www.samba.org/samba/history/samba-4.2.10.html
https://www.samba.org/samba/history/samba-4.2.11.html
https://www.samba.org/samba/history/samba-4.2.12.html

Samba did not release anything for the 3.6 versions because it is EOL,
but Red Hat backported the 4.x patches to 3.6, so if you can sort out
your problem with 4.2.10, you will probably find it is the same problem
for 3.6.

I take it you are using sssd on the CentOS machines. I haven't checked
lately (I don't use sssd), but you could try asking on the sssd mailing
list for help as well.

Rowland



