[Samba] Win10 forcing NTLMSSP when KRB5 desired

J K johnnykimble at gmail.com
Thu Nov 3 16:58:56 UTC 2016

Hi all,

I've Samba 4.5.1 on a machine with SSSD 1.13.4 set up and joined with a
Windows Server 2012 domain. Everything works great for Windows 8.1 - I can
connect to the Samba share and get authenticated as a domain user and files
are created with the correct Windows domain username and group.

With a Windows 10 client, I get an 'Access Denied'. After some debugging,
I'm putting this down to the fact that, with the Windows 8 client, the
GSS-API SPNEGO KRB5 mechanism is selected, which is what I (and SSSD)
want. However, looking at the Windows 10 sequence of events, I see that
it attempts to use the NTLMSSP mechtype.

I choose winbind over SSSD, and if anything would have expected the
behaviour above to be the other way around with Windows 8 maybe using NTLM.

Is anyone aware of this issue with Windows 10, or is it possible to disable
the advertising of the NTLMSSP mechanism, or force Windows to use KRB5?

