Hello all,
We are migrating from SAMBA3 to SAMBA4 and come arround an authentification issues when not using NT1 protocol

smb.conf
workgroup = MYWORKGROUP
server string = Samba Server %v
name resolve order = hosts bcast
log file = /home/appusers/sapadm/ds4s/SAP_98_SM/logs/smb.log
log level = 5
encrypt passwords = Yes
password server = *
security = domain
preferred master = No
local master = No
domain master = No
invalid users = root bin daemon mail news uucp

Bind to customer interface only

     bind interfaces only = yes
     interfaces = vl329cus vl329cus:0

max log size = 5000
passdb backend =tdbsam:/usr/sap/toolbox/samba/private/passdb.tdb

template shell = /bin/false
create mask = 0664
directory mask = 0774
client ipc signing = auto
allow trusted domains = yes
client schannel = auto
map untrusted to domain = yes
#----Winbind settings-------------------
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = no
winbind reconnect delay = 30
winbind cache time = 300
winbind max domain connections = 1
winbind separator =\
winbind sealed pipes = false
require strong key = false

machine account created and domain is sucessfully joined with net rpc join command
w/o winbind it just doesnt create trusted connection to PDC

get_dc_list: preferred server list: ", dmuc0072… "
[2017/02/02 12:16:14.858072, 3] …/source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 (10.138.144.119) for domain MYDOMAIN
[2017/02/02 12:16:14.858158, 3] …/source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 10.138.144.119 at port 445
[2017/02/02 12:16:14.909713, 3] …/source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[XXX]@[WLGGCEOD000E0] with the new password interface
[2017/02/02 12:16:14.909752, 3] …/source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[XXX]@[WLGGCEOD000E0]
[2017/02/02 12:16:14.910888, 3] …/source3/libsmb/namequery.c:3151(get_dc_list)
get_dc_list: preferred server list: “, dmuc0072…”
[2017/02/02 12:16:14.916842, 3] …/source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 (10.138.144.119) for domain MYDOMAIN
[2017/02/02 12:16:14.939470, 3] …/source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 10.138.144.119 at port 445
[2017/02/02 12:16:14.943013, 3] …/source3/libsmb/cliconnect.c:1798(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=120)
[2017/02/02 12:16:14.943083, 3] …/source3/libsmb/cliconnect.c:1825(cli_session_setup_spnego_send)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2017/02/02 12:16:14.943105, 3] …/source3/libsmb/cliconnect.c:1835(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2017/02/02 12:16:14.944658, 3] …/auth/ntlmssp/ntlmssp_client.c:275(ntlmssp_client_challenge)
Got challenge flags:
[2017/02/02 12:16:14.944684, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2017/02/02 12:16:14.944796, 3] …/auth/ntlmssp/ntlmssp_client.c:731(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2017/02/02 12:16:14.944815, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.944830, 3] …/auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2017/02/02 12:16:14.944842, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.946768, 3] …/source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
SPNEGO login failed: Logon failure
[2017/02/02 12:16:15.007446, 0] …/source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
[2017/02/02 12:16:15.007469, 2] …/source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [XXX] → [XXX] FAILED with error NT_STATUS_LOGON_FAILURE
[2017/02/02 12:16:15.007494, 2] …/auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE

setting client max ipc protocol=NT1 will failover to NTLMv1 authentification which will work but the purpose to go to SAMBA4 is to use NTLMv2
starting winbind daemon will open secrets.ldb and authentification will suceed however as there is no kerberos ticket trusted connection is expired after some time

for more details (tcpdump etc) please contact me directly

Thanks
Stan

archimedeske,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

• Visit http://www.suse.com/support and search the knowledgebase and/or check all
  the other support options available.
• Open a service request: https://www.suse.com/support
• You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com