Comment 11 for bug 1761737

Andreas Hasenack (ahasenack) wrote :

After changing security to ADS, did you join the realm/domain again? You might have some incorrect local databases. Can you start fresh with 4.7.6 on this box?

Also, even on a fresh 4.7.6, I couldn't get "kerberos method = secrets and keytab" to work without crashing; that's the samba bug I filed upstream. I think there is something wrong when it attempts "secrets". I was able to set up a standalone samba server and authenticate to it using plain kerberos (smbclient -k) just fine, but I had to set the dedicated keytab option to /etc/krb5.keytab (which is the system keytab file anyway).

Do you really need to specify "kerberos method"? The default value (not specifying it) doesn't work for your case?

The bug in 4.7.4 seems to only affect samba when used as a directory controller itself:
o BUG 13228: This is a major issue in Samba's ActiveDirectory domain
   controller code. It might happen that AD objects have missing or broken
   linked attributes. This could lead to broken group memberships e.g.
   All Samba AD domain controllers set up with Samba 4.6 or lower and then
   upgraded to 4.7 are affected. The corrupt database can be fixed with
   'samba-tool dbcheck --cross-ncs --fix'.