> On Thu, 2015-02-12 at 11:44 -0500, Thomas Schulz wrote:
> > This problem shows up on both Linux and Solaris. I am going to show
> > the logs from a Fedora 2.6.25-14.fc9.i686 machine.
> >
> > We are using 'security = domain' with a Windows 2000 domain
controller.
> > We are setting 'password server = starfish2' dispite the fact
that the
> > documentation says that this in not necessary as we have found it to
> > be necessary. We are setting 'workgroup = adi'.
>
> Can you use security=ads
>
> > I installed Samba 4.2.0rc4 in the same location as a previous 4.1.7
> > installation after removing everything in bin, sbin & lib. We are
> > running just nmbd and smbd.
>
> Please also run winbindd. The old code to pass authentication to the DC
> without winbindd is much less reliable, it has to find and set up the DC
> connection every time. (It has probably got better in recent git
> master, but that's mostly because making it use better common code
> helped us get rid of old code, rather than this being a use case we want
> to encourage).
>
> Andrew Bartlett
I was thinking about trying security=ads late yesterday after verifying
that security=user did work (I had an old smbpasswd file laying around).
security=ads does work. On the linux machine it just worked. On the
Solaris machine I had to re-join the domain first.
BUT, I had to revert to Samba 4.1.16 to get a net command that would work.
The Samba 4.2.0rc4 net command produced the following output:
./net join member -Wadi -Uadministrator -Sstarfish2
Enter administrator's password:
ads_setup_sasl_wrapping() failed: The request is not supported.
kinit succeeded but ads_sasl_spnego_krb5_bind failed: The request is not
supported.
Failed to join domain: failed to connect to AD: The request is not supported.
ADS join did not work, falling back to RPC...
Enter administrator's password:
ads_setup_sasl_wrapping() failed: The request is not supported.
So there is a problem there. Also, I would think that you would need to
support security=server for people who have Domain Controllers that do
not support Active Directory.
I will look into running winbindd. But I absolutely do not want to use
it for unix logins. The server that runs the real copy of Samba is also
an important NFS server and I do not want it to rely on our Windows DC
for accounts.
Tom Schulz
Applied Dynamics Intl.
schulz at adi.com