[Samba] Clients cannot auth to server 2012 with MIT DC

Ryan Bair ryandbair at gmail.com
Mon Apr 2 01:59:00 UTC 2018

I've been playing with a MIT powered DC. There are two DCs, an existing
Heimdal based one running Samba 4.5 and a new MIT based one running 4.7.6.

There are clients running Windows 7 and 10, a 2012R2 server, and a Samba
4.5 file server.

Once the new MIT DC is brought online, clients can no longer connect to the
Windows server by hostname. Connections still work via IP address which
makes me suspect a Kerberos issue. Shutting down the MIT DC allows the
clients to connect again.

Packet captures show that clients are getting STATUS_ACCESS_DENIED while
attempting to connect. This pops open a password dialog on the client;
entering the credentials there causes the client to issue a TGS to the MIT
DC, which gives a successful response, but the Windows server again denies

On the Windows Server, I see an error 551 (authentication) in failure
cases. Somewhat interesting is that the error has FULL.DOMAIN.NAME/user as
the user versus the usual case of WORKGROUP/user.

Any help would be appreciated.
