SAMBA 4 as NT4 domain member

Hello all,
We are migrating from SAMBA3 to SAMBA4 and come arround an authentification issues when not using NT1 protocol

workgroup = MYWORKGROUP
server string = Samba Server %v
name resolve order = hosts bcast
log file = /home/appusers/sapadm/ds4s/SAP_98_SM/logs/smb.log
log level = 5
encrypt passwords = Yes
password server = *
security = domain
preferred master = No
local master = No
domain master = No
invalid users = root bin daemon mail news uucp

Bind to customer interface only

     bind interfaces only = yes
     interfaces = vl329cus vl329cus:0

max log size = 5000
passdb backend =tdbsam:/usr/sap/toolbox/samba/private/passdb.tdb

template shell = /bin/false
create mask = 0664
directory mask = 0774
client ipc signing = auto
allow trusted domains = yes
client schannel = auto
map untrusted to domain = yes
#----Winbind settings-------------------
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = no
winbind reconnect delay = 30
winbind cache time = 300
winbind max domain connections = 1
winbind separator =\
winbind sealed pipes = false
require strong key = false

machine account created and domain is sucessfully joined with net rpc join command
w/o winbind it just doesnt create trusted connection to PDC

get_dc_list: preferred server list: ", dmuc0072… "
[2017/02/02 12:16:14.858072, 3] …/source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 ( for domain MYDOMAIN
[2017/02/02 12:16:14.858158, 3] …/source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to at port 445
[2017/02/02 12:16:14.909713, 3] …/source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[XXX]@[WLGGCEOD000E0] with the new password interface
[2017/02/02 12:16:14.909752, 3] …/source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[XXX]@[WLGGCEOD000E0]
[2017/02/02 12:16:14.910888, 3] …/source3/libsmb/namequery.c:3151(get_dc_list)
get_dc_list: preferred server list: “, dmuc0072…”
[2017/02/02 12:16:14.916842, 3] …/source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 ( for domain MYDOMAIN
[2017/02/02 12:16:14.939470, 3] …/source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to at port 445
[2017/02/02 12:16:14.943013, 3] …/source3/libsmb/cliconnect.c:1798(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=120)
[2017/02/02 12:16:14.943083, 3] …/source3/libsmb/cliconnect.c:1825(cli_session_setup_spnego_send)
got OID=
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.
got OID=
[2017/02/02 12:16:14.943105, 3] …/source3/libsmb/cliconnect.c:1835(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2017/02/02 12:16:14.944658, 3] …/auth/ntlmssp/ntlmssp_client.c:275(ntlmssp_client_challenge)
Got challenge flags:
[2017/02/02 12:16:14.944684, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2017/02/02 12:16:14.944796, 3] …/auth/ntlmssp/ntlmssp_client.c:731(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2017/02/02 12:16:14.944815, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.944830, 3] …/auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2017/02/02 12:16:14.944842, 3] …/auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.946768, 3] …/source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
SPNEGO login failed: Logon failure
[2017/02/02 12:16:15.007446, 0] …/source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
[2017/02/02 12:16:15.007469, 2] …/source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [XXX] → [XXX] FAILED with error NT_STATUS_LOGON_FAILURE
[2017/02/02 12:16:15.007494, 2] …/auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)

setting client max ipc protocol=NT1 will failover to NTLMv1 authentification which will work but the purpose to go to SAMBA4 is to use NTLMv2
starting winbind daemon will open secrets.ldb and authentification will suceed however as there is no kerberos ticket trusted connection is expired after some time

for more details (tcpdump etc) please contact me directly



It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team