[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Rowland Penny rpenny at samba.org
Tue Jun 18 18:34:01 UTC 2019

On 18/06/2019 19:02, Edouard Guigné via samba wrote:
> Hello,
> I mean that I added "winbind refresh tickets = yes" in smb.conf, but it
> does not seem to be linked to my problem (Kerberos and NTLMv2
> authentication).
> After several tests, without changing the content of smb.conf (except for
> winbind refresh tickets = yes):
> 0. nsswitch.conf
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> That's working (share is accessible from Windows 7, permissions and
> ACLs working)
> But in the log, I see only NTLMv2 Auth
> 1. nsswitch.conf
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> That's not working (share is not accessible from Windows 7, access
> denied)
> 2. nsswitch.conf
> passwd:     files sss winbind
> shadow:     files sss
> group:      files sss winbind
> Not working (share is accessible but it takes time to see permissions
> ACLs from the security tab on Windows 7)
You are using the winbind 'ad' backend according to the smb.conf you
posted earlier. Have you given your AD users a uidNumber attribute
containing a unique number inside the '10000-14999' range? And have
you also given 'Domain Users' a gidNumber attribute containing a number
inside the same range?

Do you really want to use a different primary group for your Unix users
over Samba (when they connect to a Samba share)?

If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'

If all the above is correct, it should work.
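
The checks asked about in the reply above (uidNumber present, unique and inside the idmap range, and a gidNumber on 'Domain Users' inside the same range), as an added example that is not part of the original message. The smb.conf fragment and the directory entries are constructed for illustration; only the 10000-14999 range, the MYDOMAIN name and the unix_primary_group line come from the thread.

```python
import re

# Constructed smb.conf fragment (assumed layout, not the poster's real file).
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-14999
    idmap config MYDOMAIN : unix_primary_group = yes
"""

# Constructed directory entries (hypothetical accounts), e.g. from an LDAP export.
USERS = [
    {"sAMAccountName": "alice", "uidNumber": "10001"},
    {"sAMAccountName": "bob", "uidNumber": "10001"},   # duplicate of alice
    {"sAMAccountName": "carol"},                       # no uidNumber set
    {"sAMAccountName": "dave", "uidNumber": "20005"},  # outside the range
]
GROUPS = [{"sAMAccountName": "Domain Users", "gidNumber": "10000"}]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = (rf"^\s*idmap config {re.escape(domain)}\s*:\s*range"
           r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def check_ids(entries, attr, low, high):
    """List (name, problem) pairs: missing, out-of-range or duplicate IDs."""
    problems, seen = [], {}
    for e in entries:
        name, raw = e["sAMAccountName"], e.get(attr)
        if raw is None:
            problems.append((name, f"no {attr}"))
            continue
        val = int(raw)
        if not low <= val <= high:
            problems.append((name, f"{attr} {val} outside {low}-{high}"))
        if val in seen:
            problems.append((name, f"{attr} {val} already used by {seen[val]}"))
        seen.setdefault(val, name)  # remember the first owner of each ID
    return problems

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "MYDOMAIN")
    for name, msg in (check_ids(USERS, "uidNumber", low, high)
                      + check_ids(GROUPS, "gidNumber", low, high)):
        print(f"{name}: {msg}")
```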

