[Pkg-samba-maint] Bug#899269: changes to 4.8
Chad William Seys
cwseys at physics.wisc.edu
Mon Jun 18 22:36:17 BST 2018
I'm bumping up against this bug as well. My guess is that this has
to do with this change in 4.8 :
Domain member setups require winbindd
Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.
> This was never really an active directory install, it's a standard unix
> LDAP + Kerberos install, using sssd to provide unix accounts.
This "not an active directory install" is similar to my situation. I'm
authenticating against MIT kerberos KDC only.
I haven't figured out what makes sense with winbind idmap-ing yet, so
glad to read someone else got it to work.
I don't have sssd set up on my working 4.5 server, but I believe
security = ADS causes samba to contact the KDC for authentication.
Switching to security = user allows smbd to start without configuring
winbind/idmap, but smbd then doesn't pay attention to kerberos tickets.
(I can see authentication at the kerberos server, but then log.smbd
says: Checking NTLMSSP password for PHYSICS.WISC.EDU\cwseys failed:
I'm guessing sssd contacts the KDC on behalf of smbd when it is set up
properly and smbd trusts sssd's response.
I've posted to the samba mailing list about this:
More information about the Pkg-samba-maint