[Samba] AD authentication issue in Samba (kerberos errors)

Rowland Penny rpenny at samba.org
Thu Mar 21 08:27:20 UTC 2019


On Wed, 20 Mar 2019 19:56:10 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
> > On Wed, 20 Mar 2019 17:22:36 +0200
> > "linux.il via samba" <samba at lists.samba.org> wrote:  
> >> Rowland,
> >> Thank you, I'll try to implement your suggestions.
> >> But it definitely worked without winbind.
> >>
> >> Then your 'Samba' problem isn't a Samba problem :-)
> >>
> >> As far as Samba is concerned, you have always needed to run
> >> winbind on a Unix ads domain member. It became mandatory from
> >> 4.8.0  
> 
> I will also second that winbind is not necessary on a member server.
> I have 4 CentOS 7 member servers and none of them have winbind
> running on them. Each of these use SSSD and have absolutely no
> problems. These systems have been operating without winbind for
> years. When I updated to 4.8 and 4.9 on the Samba AD which does use
> winbind the member servers never were updated to use winbind. So I
> don't know what circumstances it is deemed that winbind is necessary
> on a domain member. I can just confirm like the op that it is not
> necessary on any of the domain members I am running.
> 

If you go here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed

Under the heading 'Samba 4.8.0', there is the subheading 'Domain member
setups require winbindd', where it clearly says this:

Setups with "security = domain" or "security = ads" require a running
'winbindd' now. The fallback that smbd directly contacts domain
controllers is gone. 

You may be getting local auth to work without winbind because you are
using sssd, but there is a very great danger of problems with Samba if
winbindd isn't running.

It is your setup, so you get to pick up the pieces if something does go
wrong ;-)

Rowland
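
An added example, not part of the original message or of Samba itself: a shell check that flags a domain member configured with "security = ads" or "security = domain" on Samba 4.8.0 or later while winbindd is not running. The function names are hypothetical, and it assumes `smbd --version` prints "Version X.Y.Z" and that `pgrep` is installed.

```shell
#!/bin/sh
# Added example: audit a domain member for the Samba 4.8.0 winbindd requirement.

# Print the effective "security" value from the [global] section of an
# smb.conf file (lower-cased); prints "auto" when the parameter is unset.
smb_security_mode() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "security") mode = val
        }
        END { print (mode == "" ? "auto" : mode) }
    ' "$1"
}

# Succeed when the given mode and Samba version require a running winbindd:
# mode is ads or domain, and version is 4.8.0 or later.
needs_winbindd() {
    case "$1" in
        ads|domain) ;;
        *) return 1 ;;
    esac
    major=${2%%.*}
    rest=${2#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }
}

# Combine both checks with the live process table.
check_member() {
    mode=$(smb_security_mode "$1")
    ver=$(smbd --version | awk '{print $2}')
    if needs_winbindd "$mode" "$ver" && ! pgrep -x winbindd >/dev/null; then
        echo "WARN: security = $mode on Samba $ver but winbindd is not running"
        return 1
    fi
    echo "OK: security = $mode, Samba $ver"
}

# Run as: sh check.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then check_member "$1"; fi
```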


