Hi
My Windows folks made security changes in AD that caused my Samba server to not
work with AD anymore. Clients could not authenticate to their shares using their
AD credentials anymore. Looking at the Samba log I could see error so I decided
to reset the Computer account and to rejoin Samba to AD again.
When I tried to join Samba to AD, "net ads join -U username", I got
the following error:
[2014/04/08 09:39:48.298129, 0] libads/sasl.c:823()
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong authentication required
Failed to join domain: failed to connect to AD: Strong authentication required
I was able to coerce google into telling me that in order to remedy this error I
need to add
"client ldap sasl wrapping = sign"
to my smb.conf file. After adding this line of code I get a new error when I try
and join my AD
[2014/04/08 09:40:39.131936, 0] libads/sasl.c:823()
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
and I have not been able to persuade google to give this answer up.
I am sure Kerberos works. When I test it, "kinit sambatest at
AD.TRW.COM", the test succeeds. I don't get an error. And I can view
the ticket with klist.
What does the "NT_STATUS_NOT_SUPPORTED" mean and how do I remedy it?
Here is a copy of my global section:
[global]
workgroup = ADTRW
realm = AD.TRW.COM
server string = SAtlZA-ZFS
security = ADS
log file = /var/samba/log/log.%m
max log size = 500
client ldap sasl wrapping = sign
load printers = No
local master = No
domain master = No
dns proxy = No
idmap uid = 20000-800000
idmap gid = 20000-800000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Which Samba version are you using? And which Linux distro are you using? That would be nice to know.
>-----Original message-----
>From: Andre.Kruger at TRW.COM
>[mailto:samba-bounces at lists.samba.org] On behalf of Andre Kruger
>Sent: Tuesday 8 April 2014 10:10
>To: samba at lists.samba.org
>Subject: [Samba] NT_STATUS_NOT_SUPPORTED
>
>Hi
>
>My Windows folks made security changes in AD that caused my
>Samba server to not work with AD anymore. Clients could not
>authenticate to their shares using their AD credentials
>anymore. Looking at the Samba log I could see error so I
>decided to reset the Computer account and to rejoin Samba to AD again.
>
>When I tried to join Samba to AD, "net ads join -U username",
>I got the following error:
>
>[2014/04/08 09:39:48.298129, 0] libads/sasl.c:823()
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong
>authentication required
>Failed to join domain: failed to connect to AD: Strong
>authentication required
>
>I was able to coerce google into telling me that in order to
>remedy this error I need to add
>
>"client ldap sasl wrapping = sign"
>
>to my smb.conf file. After adding this line of code I get a
>new error when I try and join my AD
>
>[2014/04/08 09:40:39.131936, 0] libads/sasl.c:823()
> kinit succeeded but ads_sasl_spnego_krb5_bind failed:
>NT_STATUS_NOT_SUPPORTED
>Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
>
>and I have not been able to persuade google to give this answer up.
>
>I am sure Kerberos works. When I test it, "kinit
>sambatest at AD.TRW.COM", the test succeeds. I don't get an
>error. And I can view the ticket with klist.
>
>What does the "NT_STATUS_NOT_SUPPORTED" mean and how do I remedy it?
>
>Here is a copy of my global section:
>
>[global]
> workgroup = ADTRW
> realm = AD.TRW.COM
> server string = SAtlZA-ZFS
> security = ADS
> log file = /var/samba/log/log.%m
> max log size = 500
> client ldap sasl wrapping = sign
> load printers = No
> local master = No
> domain master = No
> dns proxy = No
> idmap uid = 20000-800000
> idmap gid = 20000-800000
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes