Hi,
When Samba is joined to a 2k3 domain, UPN authentication does not work. It
works using smbclient, but not from a workstation that is not part of
the domain. I can reproduce this easily and provide logs and tcpdump captures if
necessary. The same problem does not occur when Samba is joined to 2k8
or 2k12 domains. Is this by design? Am I missing something?
- John
-------------- next part --------------
# [global]: server-wide settings for a Samba host joined to Active Directory
# as a member server (security = ADS, winbind for identity mapping).
# Values are reproduced as posted; review notes are marked NOTE(review).
[global]
# Translates client-supplied user names to Unix names using the listed file.
# NOTE(review): the map file is not shown; confirm no entry affects
# user@realm (UPN) names.
username map = /usr/local/etc/smbusers
# Caps the negotiated dialect at SMB2, so SMB3 features such as transport
# encryption are not offered to clients.
server max protocol = SMB2
# Listen only on loopback and 10.42.0.84.
interfaces = 127.0.0.1 10.42.0.84
bind interfaces only = yes
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
# Idle connections are closed after 15 minutes.
deadtime = 15
# Log files rotate at 51200 KB.
max log size = 51200
max open files = 117191
# Printing is disabled: no printers loaded, empty printcap, no spoolss.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
# Logons with an unrecognised user name are mapped to the guest account
# instead of being rejected.
# NOTE(review): this can make a failed user lookup (possibly including an
# unresolved UPN) show up as a guest session rather than a logon error, so
# check the logs for guest mappings. It also lets clients without valid
# credentials reach every share that sets "guest ok = yes".
guest account = guest
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
# External helper programs run by Samba.
# NOTE(review): confirm these paths are writable by root only.
dfree command = /usr/local/libexec/samba/dfree
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
hostname lookups = yes
time server = yes
acl allow execute always = true
acl check permissions = true
# Lets any user with write access to a file change its permissions and ACL,
# not only the owner.
dos filemode = yes
# NOTE(review): "domain logons" is normally used on an NT4-style domain
# controller; confirm it is intended alongside "server role = member server".
domain logons = yes
# Default ID mapping for domains without their own idmap config.
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
netbios name = BUGFIX
netbios aliases = FOOFOO
workgroup = 2K3
realm = WIN2K3.DIVINIX.ORG
security = ADS
client use spnego = yes
# NOTE(review): this cache lives under /var/tmp; confirm the directory is
# owned by root and not writable by other users.
cache directory = /var/tmp/.cache/.samba
# This host does not take part in browse-master elections.
local master = no
domain master = no
preferred master = no
# winbind caches user and group information for 7200 seconds.
winbind cache time = 7200
# Allows logons from cached credentials when the DC is unreachable.
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
# User names without a domain part are treated as members of the joined domain.
# NOTE(review): possibly relevant to how user@realm names are handled; confirm.
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
# UID/GID values for the 2K3 domain are read from AD (rfc2307 attributes).
idmap config 2K3: backend = ad
idmap config 2K3: range = 10000-90000000
idmap config 2K3: schema mode = rfc2307
allow trusted domains = no
# LDAP traffic from this host to the DC is sent without SASL signing or sealing.
# NOTE(review): "sign" or "seal" protects these directory queries against
# tampering or eavesdropping on the wire; confirm "plain" is required here.
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%U
pid directory = /var/run/samba
# NOTE(review): the private directory typically holds the machine account
# secret; confirm it is readable by root only.
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
# These masks leave world read/write (and, for directories, search) bits
# available on newly created files and directories.
# NOTE(review): effective access on shares that load zfsacl may be governed
# by the ZFS ACLs instead; confirm which applies.
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
# Maximum-detail debug logging, used here to reproduce the reported problem.
# NOTE(review): logs at this level may contain sensitive details; sanitize
# them before sharing and lower the level after debugging.
log level = 10
# [homes]: per-user home directory share; %U expands to the session user name.
[homes]
# Only the connecting user may use their own home share.
valid users = %U
path = /mnt/vol0/HOME1/%U
comment = Home Directories
printable = no
# The listed names are neither visible nor accessible to clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# NOTE(review): recycle:* options are read by the recycle VFS module, which is
# not listed in "vfs objects" below, so they appear to have no effect here.
# If recycle is enabled later, directory_mode 0777 would create a
# world-writable recycle directory.
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
# shadow_copy2 settings: ZFS snapshots under .zfs/snapshot are presented to
# clients as previous versions, matched by the snapshot name format below.
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-2w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfsacl
hide dot files = yes
# Guest connections are refused on this share.
guest ok = no
# Options for the NFSv4 ACL mapping used by zfsacl.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
# [OPEN]: writable share that accepts guest connections.
[OPEN]
path = /mnt/vol0/OPEN
printable = no
# The listed names are neither visible nor accessible to clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# NOTE(review): recycle:* options are read by the recycle VFS module, which is
# not listed in "vfs objects" below, so they appear to have no effect here.
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
# shadow_copy2 settings: ZFS snapshots under .zfs/snapshot are presented to
# clients as previous versions.
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-2w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfsacl
hide dot files = yes
# Guest access combined with "writeable = yes" above: unauthenticated clients
# can write here, limited only by the filesystem ACLs.
# NOTE(review): with "map to guest = Bad User" in [global], any client that
# supplies an unknown user name is admitted as guest; confirm this is intended.
guest ok = yes
# Options for the NFSv4 ACL mapping used by zfsacl.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
# [SUBOPEN]: writable guest share whose path lies inside the [OPEN] share's
# path, so the same directory tree is reachable through both shares.
[SUBOPEN]
path = /mnt/vol0/OPEN/SUBOPEN
printable = no
# The listed names are neither visible nor accessible to clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# NOTE(review): recycle:* options are read by the recycle VFS module, which is
# not listed in "vfs objects" below, so they appear to have no effect here.
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
# shadow_copy2 settings: ZFS snapshots under .zfs/snapshot are presented to
# clients as previous versions.
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-2w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfsacl
hide dot files = yes
# Guest access combined with "writeable = yes" above: unauthenticated clients
# can write here, limited only by the filesystem ACLs.
guest ok = yes
# Options for the NFSv4 ACL mapping used by zfsacl.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
# [share1]: writable share for authenticated users only (guest ok = no).
# No "valid users" restriction is set, so access control rests on the
# filesystem ACLs.
[share1]
path = /mnt/vol0/share1
printable = no
# The listed names are neither visible nor accessible to clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# NOTE(review): recycle:* options are read by the recycle VFS module, which is
# not listed in "vfs objects" below, so they appear to have no effect here.
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl
hide dot files = yes
# Guest connections are refused on this share.
guest ok = no
# Options for the NFSv4 ACL mapping used by zfsacl.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
# [share2]: writable share on which every connection is treated as the guest
# account (guest only = yes), whatever credentials the client presents.
[share2]
path = /mnt/vol0/share2
printable = no
# The listed names are neither visible nor accessible to clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# NOTE(review): recycle:* options are read by the recycle VFS module, which is
# not listed in "vfs objects" below, so they appear to have no effect here.
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl
hide dot files = yes
# All access is anonymous and writable, limited only by the filesystem ACLs
# as they apply to the guest account.
# NOTE(review): per-user auditing is not possible on this share; confirm it
# holds nothing that needs attribution or protection.
guest ok = yes
guest only = yes
# Options for the NFSv4 ACL mapping used by zfsacl.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare