We have a 4.4.3 Samba server on a RHEL 6 machine which is part of an Active Directory. Everything works when users authenticate with Kerberos tickets, but we have some older clients (Win 7) that are not part of this Active Directory.

These clients could authenticate in earlier Samba releases to the Samba server, but in 4.4.3 the authentication fails via NTLMSSP to the Active Directory server:

  session setup failed: NT_STATUS_NOT_SUPPORTED 

Which generates this snippet in the logfile:
[2016/05/23 11:42:28.768543,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2016/05/23 11:42:28.768560,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2016/05/23 11:42:28.768569,  5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/samba/locks/smbXsrv_session_global.tdb
[2016/05/23 11:42:28.768588,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/samba/locks/smbXsrv_session_global.tdb
[2016/05/23 11:42:28.768608,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(276) cmd=115 (SMBsesssetupX) NT_STATUS_NOT_SUPPORTED


What works is an Samba 4.4.2 server with the following option:

  client ipc max protocol = NT1 


However, this does not work anymore with Samba 4.4.3