Hi there,

I’m new to this mailing list but I have a special question for you.
This older post https://lists.samba.org/archive/samba/2016-June/200271.html describes exactly my problem.

In my case I did not upgrade the samba version. It is a fresh installation on an Ubuntu server box.
The samba version is: Version 4.3.11-Ubuntu
The winbindd version is: Version 4.3.11-Ubuntu

I use samba/winbindd to add the Ubuntu server through the MS ActiveDirectory.
The linux server is used as a Squid Proxy with a keytab configuration. So there is no user login needed.
It is also not needed to login with an AD user on the linux server.
This configuration is working fine and with no problems.

The only thing is that every time the server starts or the service [winbind/samba] tries to re-authenticate with the domain controller,
it produces the event 4768 in the active directory domain controllers.

Is it possible to disable this functionality or to configure a dedicated AD user to run such Kerberos ticket requests instead of user root?

Any idea / help is welcome.
On 3/27/2018 11:45 AM, Tom via samba wrote:
> Hi there,
>
> I’m new to this mailing list but I have a special question for you.
> This older post https://lists.samba.org/archive/samba/2016-June/200271.html describes exactly my problem.
>
> In my case I did not upgrade the samba version. It is a fresh installation on an Ubuntu server box.
> The samba version is: Version 4.3.11-Ubuntu
> The winbindd version is: Version 4.3.11-Ubuntu
>
> I use samba/winbindd to add the Ubuntu server through the MS ActiveDirectory.
> The linux server is used as a Squid Proxy with a keytab configuration. So there is no user login needed.
> It is also not needed to login with an AD user on the linux server.
> This configuration is working fine and with no problems.
>
> The only thing is that every time the server starts or the service [winbind/samba] tries to re-authenticate with the domain controller,
> it produces the event 4768 in the active directory domain controllers.
>
> Is it possible to disable this functionality or to configure a dedicated AD user to run such Kerberos ticket requests instead of user root?
>
> Any idea / help is welcome.

I don't use a Squid proxy but you can try mapping root to Administrator.

Create the following file /etc/samba/user.map. Add '!root = DOMAIN\Administrator DOMAIN\administrator' without quotes. In your smb.conf file add under [global] 'username map = /etc/samba/user.map' without quotes again.

Any reason to run such an old version of Samba? It's end of life.

--
--
James
Hi James,

first of all thanks for your answer.
I tried your suggestion with the user.map. Unfortunately this does not solve the problem.
Each time I restart the smbd service, I got a new authentication request on my DC.
So the problem is located at the service itself.

Regarding the old / end of life version of the installed samba package: I installed the package from the official Ubuntu repos.
Do you think it could be a bug in this version?

Regards,
tom

> On 27.03.2018 at 19:05, lingpanda101 <lingpanda101 at gmail.com> wrote:
>
>> On 3/27/2018 11:45 AM, Tom via samba wrote:
>> Hi there,
>> I’m new to this mailing list but I have a special question for you.
>> This older post https://lists.samba.org/archive/samba/2016-June/200271.html describes exactly my problem.
>> In my case I did not upgrade the samba version. It is a fresh installation on an Ubuntu server box.
>> The samba version is: Version 4.3.11-Ubuntu
>> The winbindd version is: Version 4.3.11-Ubuntu
>> I use samba/winbindd to add the Ubuntu server through the MS ActiveDirectory.
>> The linux server is used as a Squid Proxy with a keytab configuration. So there is no user login needed.
>> It is also not needed to login with an AD user on the linux server.
>> This configuration is working fine and with no problems.
>> The only thing is that every time the server starts or the service [winbind/samba] tries to re-authenticate with the domain controller,
>> it produces the event 4768 in the active directory domain controllers.
>> Is it possible to disable this functionality or to configure a dedicated AD user to run such Kerberos ticket requests instead of user root?
>> Any idea / help is welcome.
>
> I don't use a Squid proxy but you can try mapping root to Administrator.
>
> Create the following file /etc/samba/user.map. Add '!root = DOMAIN\Administrator DOMAIN\administrator' without quotes. In your smb.conf file add under [global] 'username map = /etc/samba/user.map' without quotes again.
>
> Any reason to run such an old version of Samba? It's end of life.
>
> --
> --
> James