Hi all,
I'm bumping up against this bug as well. My guess is that this has to do with this change in 4.8:

"
Domain member setups require winbindd
-------------------------------------
Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.
"

This was never really an active directory install, it's a standard unix LDAP + Kerberos install, using sssd to provide unix accounts.

This "not an active directory install" is similar to my situation. I'm authenticating against MIT kerberos KDC only.

I haven't figured out what makes sense with winbind idmap-ing yet, so glad to read someone else got it to work.

I don't have sssd set up on my working 4.5 server, but I believe security = ADS causes samba to contact the KDC for authentication.

Switching to security = user allows smbd to start without configuring winbind/idmap, but smbd then doesn't pay attention to kerberos tickets. (I can see authentication at the kerberos server, but then log.smbd says: Checking NTLMSSP password for PHYSICS.WISC.EDU\cwseys failed: NT_STATUS_NO_SUCH_USER, authoritative=1)

I'm guessing sssd contacts the KDC on behalf of smbd when it is set up properly and smbd trusts sssd's response.

I've posted to the samba mailing list about this:
https://lists.samba.org/archive/samba/2018-June/216447.html

C.
