In order to accept AD Kerberos authentication you need to configure the server as
domain member with 'security = ads' and without 'server role = standalone server'.
In your case you most likely want to configure idmap_nss (see man idmap_nss)
and run winbindd, but without nss_winbind.
Samba Team announced that domain member setups must use winbindd in 4.8.0: /www.samba. org/samba/ history/ samba-4. 8.0.html in 2018.
https:/
In order to accept AD Kerberos authentication you need to configure the server as
domain member with 'security = ads' and without 'server role = standalone server'.
In your case you most likely want to configure idmap_nss (see man idmap_nss)
and run winbindd, but without nss_winbind.
Note the above implies the patches from /bugzilla. samba.org/ show_bug. cgi?id= 14901
https:/
are included.
Unrelated here but the patch from /bugzilla. samba.org/ show_bug. cgi?id= 14899
https:/
should also be applied.