Izan Díez Sánchez
2015-Feb-26 18:27 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
Every time I try to log in using Windows credentials to my DB instance I get the error:

ORA-12638: Credential retrieval failed.

Looking at my alert log I find:

ns main err code: 12638

which means the database is not able to connect to the domain controller. The database connector makes use of the NTLM protocol to authenticate. Is it supported by Samba4 (4.1.16)? I'm unable to find any information regarding this.

Thank you,

-- 
Izan Díez Sánchez
Empresarios Agrupados
Magallanes 3
28015 Madrid
Tel. +34 91 309 80 00 (ext: 8813)
ids at empre.es

---------------------------------------------------------------------
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message by mistake, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Visit our web page: www.empre.es
---------------------------------------------------------------------
Please, do not print this message unless it is necessary. Our environment is in our hands.
Izan Díez Sánchez
2015-Mar-03 09:56 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my query. Furthermore, I think I found a bug...

Context:
- Samba4 AD DC working fine with many user and machine accounts.
- Windows 7 client trying to connect via sqlplus to an Oracle database residing in a Windows 2008 server. Both machines are in the domain.
- The server database is using Operating System Authentication, i.e. it relies on the client to authenticate the user connecting to the database. The user is a Domain User, therefore eventually authentication falls to the domain controller and Kerberos.

Error:
- ORA-12638: Credential retrieval failed.

Samba logs:
- log level = 10
- User name -> ids
- Domain -> domain.ad
- Server account name -> DATABASE_SERVER
- Client IP -> 192.168.0.100
--------------------------------------------------------------------------------------------------
[2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
  dn: DC=domain,DC=ad
  scope: sub
  expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
  attr: objectClass
  attr: sAMAccountName
  attr: userPrincipalName
  attr: servicePrincipalName
  attr: msDS-KeyVersionNumber
  attr: msDS-SecondaryKrbTgtNumber
  attr: msDS-SupportedEncryptionTypes
  attr: supplementalCredentials
  attr: msDS-AllowedToDelegateTo
  attr: dBCSPwd
  attr: unicodePwd
  attr: userAccountControl
  attr: objectSid
  attr: pwdLastSet
  attr: accountExpires
  control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
  control: 1.2.840.113556.1.4.529 crit:1 data:yes
[2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_request: (resolve_oids)->search
[2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (rootdse)->search
[2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (schema_load)->search
[2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (lazy_commit)->search
[2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (dirsync)->search
[2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (paged_results)->search
[2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (ranged_results)->search
[2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (anr)->search
[2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (server_sort)->search
[2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (asq)->search
[2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (extended_dn_in)->search
[2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (descriptor)->search
[2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (acl)->search
[2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (aclread)->search
[2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (operational)->search
[2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (rdn_name)->search
[2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
[2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (show_deleted)->search
[2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (partition)->search
[2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: partition_request() -> (metadata partition)
[2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_next_request: (tdb)->search
[2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_response: REFERRAL
  ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
[2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 0
[2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
  *Failed to find an entry for DATABASE_SERVER*
[2015/03/02 19:57:03.797542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DATABASE_SERVER
[2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
[2015/03/02 19:57:03.797637, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
[2015/03/02 19:57:03.797891, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
--------------------------------------------------------------------------------------------------

User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process Samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that it is searching for lacks the trailing dollar "$" that every machine account has.

Is this a bug? Any idea on how I can work around this issue?

We have a production environment with a Windows DC working and planned to migrate to Samba4, but we need everything working flawlessly.

-- 
Izan Díez Sánchez
Empresarios Agrupados
Magallanes 3
28015 Madrid
Tel. +34 91 309 80 00 (ext: 8813)
ids at empre.es
Izan Díez Sánchez <ids <at> empre.es> writes:

> Hi again. I apologize for my vague previous question. After some
> investigation I can be much more precise in my query. Furthermore, I
> think I found a bug...
>
> Context:
> - Samba4 AD DC working fine with many user and machine accounts.
> - Windows 7 client trying to connect via sqlplus to an Oracle database
> residing in a Windows 2008 server. Both machines are in the domain.
> - The server database is using Operating System Authentication, i.e. it
> relies on the client to authenticate the user connecting to the
> database. The user is a Domain User, therefore eventually authentication
> falls to the domain controller and Kerberos.
>
> Error:
> - ORA-12638: Credential retrieval failed.

Hi Izan,

same problem here. With your hint - the missing dollar sign - we tried the following: using ldbedit we removed the '$' from the sAMAccountName property and the Oracle sqlplus authentication worked. Unfortunately this is not a well-working workaround, because now the Remote Desktop authentication doesn't work any longer.

After the horrible Credential Manager problem - https://bugzilla.samba.org/show_bug.cgi?id=11097 - this is the second bug not to use Samba 4.1 AD within a production env. We use the SerNet Debian packages 4.1.17-9.

Hope someone will soon fix this.

Cheers,
schnaggy :-)
Rowland Penny
2015-Mar-05 09:45 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
On 03/03/15 09:56, Izan Díez Sánchez wrote:
> Hi again. I apologize for my vague previous question. After some
> investigation I can be much more precise in my query. Furthermore, I
> think I found a bug...
>
> Context:
> - Samba4 AD DC working fine with many user and machine accounts.
> - Windows 7 client trying to connect via sqlplus to an Oracle database
> residing in a Windows 2008 server. Both machines are in the domain.
> - The server database is using Operating System Authentication, i.e. it
> relies on the client to authenticate the user connecting to the
> database. The user is a Domain User, therefore eventually
> authentication falls to the domain controller and Kerberos.
>
> Error:
> - ORA-12638: Credential retrieval failed.
>
> Samba logs:
> - log level = 10
> - User name -> ids
> - Domain -> domain.ad
> - Server account name -> DATABASE_SERVER
> - Client IP -> 192.168.0.100
> --------------------------------------------------------------------------------------------------
> [2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
> [2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: SEARCH
>   dn: DC=domain,DC=ad
>   scope: sub
>   expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
>   attr: objectClass
>   attr: sAMAccountName
>   attr: userPrincipalName
>   attr: servicePrincipalName
>   attr: msDS-KeyVersionNumber
>   attr: msDS-SecondaryKrbTgtNumber
>   attr: msDS-SupportedEncryptionTypes
>   attr: supplementalCredentials
>   attr: msDS-AllowedToDelegateTo
>   attr: dBCSPwd
>   attr: unicodePwd
>   attr: userAccountControl
>   attr: objectSid
>   attr: pwdLastSet
>   attr: accountExpires
>   control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
>   control: 1.2.840.113556.1.4.529 crit:1 data:yes
> [2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: (resolve_oids)->search
> [2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rootdse)->search
> [2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (schema_load)->search
> [2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (lazy_commit)->search
> [2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (dirsync)->search
> [2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (paged_results)->search
> [2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (ranged_results)->search
> [2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (anr)->search
> [2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (server_sort)->search
> [2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (asq)->search
> [2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_in)->search
> [2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (descriptor)->search
> [2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (acl)->search
> [2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (aclread)->search
> [2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (operational)->search
> [2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rdn_name)->search
> [2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
> [2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (show_deleted)->search
> [2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (partition)->search
> [2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: partition_request() -> (metadata partition)
> [2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (tdb)->search
> [2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: REFERRAL
>   ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
> [2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: DONE
>   error: 0
> [2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
>   *Failed to find an entry for DATABASE_SERVER*
> [2015/03/02 19:57:03.797542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Searching referral for DATABASE_SERVER
> [2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
> [2015/03/02 19:57:03.797637, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
> [2015/03/02 19:57:03.797891, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> --------------------------------------------------------------------------------------------------
>
> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER".
> In the process Samba makes an ldbsearch looking for the server but
> does not find it. Why? Because the sAMAccountName that it is searching
> for lacks the trailing dollar "$" that every machine account has.
>
> Is this a bug? Any idea on how I can work around this issue?
>
> We have a production environment with a Windows DC working and planned
> to migrate to Samba4, but we need everything working flawlessly.
>

No, I don't think this is a bug, I think it is a mis-configuration of *oracle*. If authentication works by removing the '$' sign from the computer's sAMAccountName, then there is your problem: Oracle doesn't expect the '$' sign, but it should, because *every* AD computer sAMAccountName ends with a '$' sign.

So, to put it another way, this is not a Samba problem, it is an Oracle problem. Try searching the internet with something like 'oracle windows authentication nts'.

Rowland
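The log Izan posted and Rowland's reading of it (the KDC is asked for the single-component principal DATABASE_SERVER, searches sAMAccountName=DATABASE_SERVER, and finds nothing because the computer account is DATABASE_SERVER$) can be turned into a quick triage check over a DC's log. The Python script below is an added example for this thread, not code from the posts or from the Samba project. It pairs each "Kerberos: TGS-REQ ... for X@REALM" line with a following "Failed to find an entry for X" line and, given the sAMAccountName values that exist in the directory, says whether the failing name is a computer account requested without its trailing '$' (the client-side naming problem Rowland describes), a two-part service/host SPN that is not registered, or an unknown principal. The log lines, timestamps and account names are constructed for the example (the emphasis asterisks from the post are dropped, and the second and third requests are invented), and KNOWN_ACCOUNTS stands in for what you would pull from sam.ldb with ldbsearch on a real DC.

```python
import re

# Constructed sample in the two-line layout Samba's log uses (header line,
# then the message indented). Modelled on the thread's excerpt; the names,
# addresses and the second and third requests are placeholders, not real data.
SAMPLE_LOG = """\
[2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49276 for DATABASE_SERVER@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
  Failed to find an entry for DATABASE_SERVER
[2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
[2015/03/02 19:58:10.000000, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49300 for cifs/fileserver.domain.ad@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:58:11.000000, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49301 for http/intranet.domain.ad@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:58:11.000500, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
  Failed to find an entry for http/intranet.domain.ad
"""

# Constructed stand-in for the sAMAccountName values in the directory
# (on a real DC, pull them with ldbsearch against sam.ldb instead).
KNOWN_ACCOUNTS = {"ids", "DATABASE_SERVER$", "FILESERVER$"}

TGS_REQ_RE = re.compile(
    r"Kerberos: TGS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)@(?P<realm>\S+)"
)
NOT_FOUND_RE = re.compile(r"Failed to find an entry for (?P<name>\S+)")


def parse_events(log_text):
    """One dict per TGS-REQ; a following lookup failure for the same name is attached."""
    events = []
    for line in log_text.splitlines():
        m = TGS_REQ_RE.search(line)
        if m:
            events.append({**m.groupdict(), "lookup_failed": False})
            continue
        m = NOT_FOUND_RE.search(line)
        if m and events and events[-1]["service"] == m.group("name"):
            events[-1]["lookup_failed"] = True
    return events


def classify(event, known_accounts):
    """Explain why the KDC could not resolve the requested service principal."""
    service = event["service"]
    if not event["lookup_failed"]:
        return "ok"
    if "/" in service:
        # Two-part name (service/host): resolved via servicePrincipalName,
        # so a failure here means no account carries that SPN.
        return "spn-not-registered"
    if service + "$" in known_accounts:
        # Single-component name that matches a computer account only once '$'
        # is appended: the client asked for the machine account without it.
        return "machine-account-missing-dollar"
    return "unknown-principal"


def report(log_text, known_accounts):
    """Return (service, verdict) for every TGS-REQ in the log."""
    return [(e["service"], classify(e, known_accounts)) for e in parse_events(log_text)]


if __name__ == "__main__":
    for service, verdict in report(SAMPLE_LOG, KNOWN_ACCOUNTS):
        print(f"{service:40s} {verdict}")
```

Run against a level-3 or higher log from the DC, the "machine-account-missing-dollar" verdict for DATABASE_SERVER is the thread's case and points at the client's principal name rather than at the DC; "spn-not-registered" is the other common cause of the same "Server not found in database" message and is fixed by registering the SPN on the right account.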