[Samba] AD integration issues

Andrew Bartlett abartlet at samba.org
Sat Sep 15 12:56:07 UTC 2018

On Fri, 2018-09-14 at 14:58 -0700, Jagga Soorma via samba wrote:
> Hello,
> I have a CentOS 7 system configured as a samba server using ADS
> security.  I am able to get users to login from PC's that are part of
> the AD domain but users coming from systems that are not part of the
> AD domain are not able to access the smb shares.  Here is more
> information about the enviornment and issue:

You are running Samba as a member of an AD domain, but not not running
winbindd, so each smbd needs to contact the DC to check the password.

We removed that code from later Samba versions as it was not reliable.
 In this case it seems that either SMB1 or something about the NTLMSSP
mode we chose is being used by Samba is disabled on the server. 

Your in-domain users are being accepted because we can decrypt the
kerberos ticket, presumably by the keytab that you somehow provided. 

Rowland is guessing you are using sssd to provide that, is that

In any case, I suggest joining the domain and using winbindd.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list