Re: [Samba] Clients cannot auth to server 2012 with MIT DC
- Date: Thu, 5 Apr 2018 20:24:49 -0400
- From: Ryan Bair via samba <samba@xxxxxxxxxxxxxxx>
Any pointers here? I've poked this a bit more but haven't come up with any
more clues as to why Windows is rejecting the tickets.
On Sun, Apr 1, 2018 at 9:59 PM, Ryan Bair <ryandbair@xxxxxxxxx> wrote:
> I've been playing with an MIT-powered DC. There are two DCs, an existing
> Heimdal-based one running Samba 4.5 and a new MIT-based one running 4.7.6.
> There are clients running Windows 7 and 10, a 2012R2 server, and a Samba
> 4.5 file server.
> Once the new MIT DC is brought online, clients can no longer connect to
> the Windows server by hostname. Connections still work via IP address, which
> makes me suspect a Kerberos issue. Shutting down the MIT DC allows the
> clients to connect again.
> Packet captures show that clients are getting STATUS_ACCESS_DENIED while
> attempting to connect. This pops open a password dialog on the client;
> entering the credentials there causes the client to issue a TGS to the MIT
> DC, which gives a successful response, but the Windows server again denies
> On the Windows Server, I see an error 551 (authentication) in failure
> cases. Somewhat interesting is that the error has FULL.DOMAIN.NAME/user
> as the user versus the usual case of WORKGROUP/user.
> Any help would be appreciated.