[Samba] Printserver after latest MS updates

Christian chanlists at googlemail.com
Wed Nov 3 16:43:29 UTC 2021

Dear all,

sorry, I am lost with this and would be grateful for a summary. We run 
an active directory based on samba 4.14.7 with a print server that is 
configured for driver download. Connecting to printers and printing from 
domain-joined computers by logged-in domain users seems to work. Is this 
the expected behavior right now or did we just get lucky?

On non domain joined computers, we experience issues even if users 
connect to the printserver using their domain credentials. Connecting to 
printers fails with the evil 0x00000709 message. Is there any known 
working configuration for this that does not involve uninstalling the MS 
updates? Like a change on the server side or a registry fix on the non 
domain joined computer?

Thanks for any input,


On 29.10.2021 14:36, Rowland Penny via samba wrote:
> On Fri, 2021-10-29 at 14:20 +0200, Achim Gottinger wrote:
>> Am 29.10.2021 um 13:11 schrieb Rowland Penny via samba:
>>> On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
>>>>>> Indeed, which raises the quetion can kerberos be used with
>>>>>> local
>>>>>> account?
>>>>> This all depends what you mean by 'local account' if you mean
>>>>> an
>>>>> account that is in /etc/passwd, then, no it will not work,
>>>>> because
>>>>> the
>>>>> user would be unknown to AD and hence, kerberos.
>>>>> Rowland
>>>> Hello Rowland,
>>>> I was talking about an local account on the windows client side.
>>>> Authentication against the samba server is using NTLMSSP in this
>>>> case. I thought the file explorer may use kerberos if an valid
>>>> ticket
>>>> exists, which is not the case. Was just a wild guess.  Kerberos
>>>> only
>>>> works if an domain account is used to log in on the windows
>>>> client.
>>>> Achim
>>>> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
>>> A 'local' user is a local user what ever the OS and as such isn't a
>>> domain user, so cannot use kerberos.
>>> Rowland
>> Well a local user can manual acquire an ticket from kerberos (kinit
>> [spn]) and use that so for authentification.
>> In fact that is what i use as the "local" root user on linux if i use
>> samba-tools.
>> kinit administrator@[DOMAIN REALM]
>> samba-tools -k [whatever]
> The local user isn't getting a ticket here, 'Administrator' is, try
> running 'username@[DOMAIN REALM]' where 'username' is a local user
> unknown to the domain.
> Rowland

More information about the samba mailing list