> > On Thu, 2015-02-12 at 11:44 -0500, Thomas Schulz wrote:
> > > This problem shows up on both Linux and Solaris. I am going to show
> > > the logs from a Fedora 2.6.25-14.fc9.i686 machine.
> > >
> > > We are using 'security = domain' with a Windows 2000 domain controller.
> > > We are setting 'password server = starfish2' despite the fact that the
> > > documentation says that this is not necessary as we have found it to
> > > be necessary. We are setting 'workgroup = adi'.
> >
> > Can you use security=ads?
> >
> > > I installed Samba 4.2.0rc4 in the same location as a previous 4.1.7
> > > installation after removing everything in bin, sbin & lib. We are
> > > running just nmbd and smbd.
> >
> > Please also run winbindd. The old code to pass authentication to the DC
> > without winbindd is much less reliable, it has to find and set up the DC
> > connection every time. (It has probably got better in recent git
> > master, but that's mostly because making it use better common code
> > helped us get rid of old code, rather than this being a use case we want
> > to encourage).
> >
> > Andrew Bartlett
>
> I was thinking about trying security=ads late yesterday after verifying
> that security=user did work (I had an old smbpasswd file laying around).
>
> security=ads does work. On the linux machine it just worked. On the
> Solaris machine I had to re-join the domain first.
>
> BUT, I had to revert to Samba 4.1.16 to get a net command that would work.
> The Samba 4.2.0rc4 net command produced the following output:
>
> ./net join member -Wadi -Uadministrator -Sstarfish2
> Enter administrator's password:
> ads_setup_sasl_wrapping() failed: The request is not supported.
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: The request is not supported.
> Failed to join domain: failed to connect to AD: The request is not supported.
> ADS join did not work, falling back to RPC...
> Enter administrator's password:
> ads_setup_sasl_wrapping() failed: The request is not supported.
>
>
>
> So there is a problem there. Also, I would think that you would need to
> support security=domain for people who have Domain Controllers that do
> not support Active Directory.
>
> I will look into running winbindd. But I absolutely do not want to use
> it for unix logins. The server that runs the real copy of Samba is also
> an important NFS server and I do not want it to rely on our Windows DC
> for accounts.

I just tried starting winbindd but I did so without making any changes
to my smb.conf file. I suspect that some changes would be required for
this test to have any value. In any case, running winbindd did not help.
I just attached a new log file to Bug 11098. I think that this log file
may actually have useful information in it!

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com