[Samba] Win10 forcing NTLMSSP when KRB5 desired

Jeremy Allison jra at samba.org
Fri Nov 4 18:24:25 UTC 2016

On Thu, Nov 03, 2016 at 04:58:56PM +0000, J K via samba wrote:
> Hi all,
> I've 4.5.1 Samba on a machine with SSSD 1.13.4 setup and joined with a
> Windows Server 2012 domain. Everything works great for Windows 8.1 - I can
> connect to the Samba share and get authenticated as a domain user and files
> are created with the correct Windows domain username and group.
> With a Windows 10 client, I get an 'Access Denied'. After some debugging,
> I'm putting this down to the fact that, with the Windows 8 client, the
> GSS-API SPNGEO KRB5 mechanism is selected, which is what I (and SSSD
> wants). However, looking at the Windows 10 sequence of events, I see that
> it attempts to use the NTLMSSP mechtype.
> I choose winbind over SSSD, and if anything would have expected the
> behaviour above to be the other way around with Windows 8 maybe using NTLM.
> Is anyone aware of this issue with Windows 10, or is it possible to disable
> the advertising of the NTLMSSP mechanism, or force Windows to use KRB5?

Can you explain the problem more please. What does "I choose winbind over SSSD"
mean ? Above you say "4.5.1 Samba on a machine with SSSD 1.13.4 setup". Which
are you using ? Does it work with one and not the other ?

More information about the samba mailing list