Earlier it has been possible, to access ADUC as local administrator if the machine joined the domain and the password was the same as the domain administrator. Now I get an error message saying "Directory service not available". When controlling with Wireshark I notice malformed SASL packages. Could it be that the new Lorikeet Heimdal Kerberos broke something? The access as domain administrator works painless as before.
Have you tested it on a w2k3/w2k8 domain ?
No, since I don't have them available. But I imagine that SAMBA 4 's behaviour is wrong due a problem with the SASL negotiation (malformed SASL packages).
Access to the wrong domain by the happy coincidence of passwords is not a mode of operation I particularly care to support, unless it is clear we now mis-match windows.
Created attachment 4319 [details] Here a wireshark log
Created attachment 4331 [details] A logfile of samba at debug level 10
The behaviour (same username, same password, but only local administrator) is also the same on Windows Server. SAMBA 4 did it right until the latest KERBEROS update and we've to restore it.
The bug has been fixed by commit 57afa1edebe38ea48be5fc074a8284c762e35e17.