[Samba] Event log 4768 audit failure user root

tom kr hurr1c4n.2011 at googlemail.com
Wed Mar 28 08:02:55 UTC 2018

Hi James,

first of all thanks for you answer.
I tried you suggestion with the user.map.
Unfortunately this does not solve the problem.

Each time I restart the smbd service, I got a new authentication request on my DC. 
So the problem is located at the service itself. 

Regarding the old / end of life version of the installed samba package.
I installed the package from the official Ubuntu repos. Do you think it could be a bug in this version?


> Am 27.03.2018 um 19:05 schrieb lingpanda101 <lingpanda101 at gmail.com>:
>> On 3/27/2018 11:45 AM, Tom via samba wrote:
>> Hi there,
>>  I’m new to this mailing list but I have a special question to you.
>> This older post https://lists.samba.org/archive/samba/2016-June/200271.html describes exactly my problem.
>>  In my case I do not upgraded the samba version. It is a fresh installation on a Ubuntu server box.
>> The samba version is:  Version 4.3.11-Ubuntu
>> The winbindd version is: Version 4.3.11-Ubuntu
>>  I use samba/winbindd to add the Ubuntu server through the MS ActiveDirectory.
>> The linux server is used as a Squid Proxy with a keytab configuration. So there is no user login needed.
>> It is also not needed to login with an AD user on the linux server.
>> This configuration is working fine and with no problems.
>>  The only thing is, that every time the server starts or the service [winbind/samba] tries to re-authenticate with the domain controller,
>> it produces the event 4768 in the active directory domain controllers.
>>  Is it possible to disable this functionality or to configure a dedicated AD user to run such Kerberos ticket requests instead of user root?
>>  Any idea / help is welcome.
> I don't use a Squid proxy but you can try mapping root to Administrator.
> Create the following file /etc/samba/user.map.  Add '!root = DOMAIN\Administrator DOMAIN\administrator' without quotes. In your smb.conf file add under [global] 'username map = /etc/samba/user.map' without quotes again.
> Any reason to run such an old version of Samba? It's end of life.
> -- 
> --
> James

More information about the samba mailing list