Hello all,
We are migrating from SAMBA3 to SAMBA4 and come arround an authentification issues when not using NT1 protocol

smb.conf
workgroup = MYWORKGROUP
server string = Samba Server %v
name resolve order = hosts bcast
log file = /home/appusers/sapadm/ds4s/SAP_98_SM/logs/smb.log
log level = 5
encrypt passwords = Yes
password server = *
security = domain
preferred master = No
local master = No
domain master = No
invalid users = root bin daemon mail news uucp

# Bind to customer interface only
bind interfaces only = yes
interfaces = vl329cus vl329cus:0
max log size = 5000
passdb backend =tdbsam:/usr/sap/toolbox/samba/private/passdb.tdb

template shell = /bin/false
create mask = 0664
directory mask = 0774
client ipc signing = auto
allow trusted domains = yes
client schannel = auto
map untrusted to domain = yes
#----Winbind settings-------------------
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = no
winbind reconnect delay = 30
winbind cache time = 300
winbind max domain connections = 1
winbind separator =\
winbind sealed pipes = false
require strong key = false

machine account created and domain is sucessfully joined with net rpc join command
w/o winbind it just doesnt create trusted connection to PDC

get_dc_list: preferred server list: ", dmuc0072.... "
[2017/02/02 12:16:14.858072, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 (10.138.144.119) for domain MYDOMAIN
[2017/02/02 12:16:14.858158, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 10.138.144.119 at port 445
[2017/02/02 12:16:14.909713, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[XXX]@[WLGGCEOD000E0] with the new password interface
[2017/02/02 12:16:14.909752, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[XXX]@[WLGGCEOD000E0]
[2017/02/02 12:16:14.910888, 3] ../source3/libsmb/namequery.c:3151(get_dc_list)
get_dc_list: preferred server list: ", dmuc0072...."
[2017/02/02 12:16:14.916842, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC DMUC0072 (10.138.144.119) for domain MYDOMAIN
[2017/02/02 12:16:14.939470, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 10.138.144.119 at port 445
[2017/02/02 12:16:14.943013, 3] ../source3/libsmb/cliconnect.c:1798(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=120)
[2017/02/02 12:16:14.943083, 3] ../source3/libsmb/cliconnect.c:1825(cli_session_setup_spnego_send)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2017/02/02 12:16:14.943105, 3] ../source3/libsmb/cliconnect.c:1835(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2017/02/02 12:16:14.944658, 3] ../auth/ntlmssp/ntlmssp_client.c:275(ntlmssp_client_challenge)
Got challenge flags:
[2017/02/02 12:16:14.944684, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2017/02/02 12:16:14.944796, 3] ../auth/ntlmssp/ntlmssp_client.c:731(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2017/02/02 12:16:14.944815, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.944830, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2017/02/02 12:16:14.944842, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088a15
[2017/02/02 12:16:14.946768, 3] ../source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
SPNEGO login failed: Logon failure
[2017/02/02 12:16:15.007446, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
[2017/02/02 12:16:15.007469, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [XXX] -> [XXX] FAILED with error NT_STATUS_LOGON_FAILURE
[2017/02/02 12:16:15.007494, 2] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE

setting client max ipc protocol=NT1 will failover to NTLMv1 authentification which will work but the purpose to go to SAMBA4 is to use NTLMv2
starting winbind daemon will open secrets.ldb and authentification will suceed however as there is no kerberos ticket trusted connection is expired after some time


for more details (tcpdump etc) please contact me directly

Thanks
Stan