[Pkg-samba-maint] Bug#899269: changes to 4.8
Chad William Seys
cwseys at physics.wisc.edu
Mon Jun 18 22:36:17 BST 2018
Hi all,
I'm bumping up against this bug as well. My guess is that this has
to do with this change in 4.8:
"
Domain member setups require winbindd
-------------------------------------
Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.
"
> This was never really an active directory install, it's a standard unix
> LDAP + Kerberos install, using sssd to provide unix accounts.
This "not an active directory install" is similar to my situation. I'm
authenticating against MIT Kerberos KDC only.
I haven't figured out what makes sense with winbind idmap-ing yet, so
glad to read someone else got it to work.
I don't have sssd set up on my working 4.5 server, but I believe
security = ADS causes samba to contact the KDC for authentication.
Switching to security = user allows smbd to start without configuring
winbind/idmap, but smbd then doesn't pay attention to Kerberos tickets.
(I can see authentication at the Kerberos server, but then log.smbd
says: Checking NTLMSSP password for PHYSICS.WISC.EDU\cwseys failed:
NT_STATUS_NO_SUCH_USER, authoritative=1)
I'm guessing sssd contacts the KDC on behalf of smbd when it is set up
properly and smbd trusts sssd's response.
I've posted to the samba mailing list about this:
https://lists.samba.org/archive/samba/2018-June/216447.html
C.