I have set up a new AD DC setup and configured smart card login to the domain, with a Feitian ePass2003 USB smart card token using the wiki.samba.org/index.php/Samba4/Smart_Card_Login instructions, and logging in from a Windows 7 machine hooked up to the domain. We're using version 4.1.0pre1-GIT-4990080 currently.

Everything is working great, except that every time I go to access a share, it seemingly forgets who I am and I have to reauthenticate using the smart card again in order to continue. It sounds very similar to what's happening here: https://lists.samba.org/archive/samba-technical/2013-January/090059.html

I have the debug logs enabled and the following is what I'm getting at the start of the session (when logging in):

dreplsrv_notify_schedule(5) scheduled for: Sun Feb 3 14:51:20 2013 EST
Kerberos: AS-REQ k.allan\@bca.office@BCA.OFFICE from ipv4:10.1.1.146:53953 for krbtgt/BCA.OFFICE@BCA.OFFICE
Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
Kerberos: Looking for PKINIT pa-data -- k.allan\@bca.office@BCA.OFFICE
Kerberos: PK-INIT request of type PK-INIT-Win2k
Kerberos: Trying to authorize PK-INIT subject DN emailAddress=k.allan@******.com.au,CN=Ken Allan,OU=Certs,O=******,L=******,S=Queensland,C=AU
Kerberos: found MS UPN SAN: k.allan@bca.office
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- k.allan\@bca.office@BCA.OFFICE using emailAddress=k.allan@******.com.au,CN=Ken Allan,OU=Certs,O=******,L=******,S=Queensland,C=AU
authsam_account_ok: Checking SMB password for user k.allan\@bca.office@BCA.OFFICE
logon_hours_ok: No hours restrictions for user k.allan\@bca.office@BCA.OFFICE
Kerberos: AS-REQ authtime: 2013-02-03T14:51:18 starttime: unset endtime: 2013-02-04T00:51:18 renew till: 2013-02-10T14:51:18
Kerberos: Client supported enctypes: 12, 15, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using aes256-cts-hmac-sha1-96/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3246.39
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ k.allan@BCA.OFFICE from ipv4:10.1.1.146:53954 for host/guarana.bca.office@BCA.OFFICE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2013-02-03T14:51:18 starttime: 2013-02-03T14:51:18 endtime: 2013-02-04T00:51:18 renew till: 2013-02-10T14:51:18
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3246.39
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Then later on when trying to access the shares we're seeing things like:

cldap netlogon query domain=bca.office. host=GUARANA user=(null) version=536870934 guid=a26184a9-5b1f-4803-bd92-b8c92eb6958e
...
Got user=[] domain=[] workstation=[GUARANA] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[GUARANA]
map_user_info_cracknames: Mapping user []\[] from workstation [GUARANA]
auth_check_password_send: mapped user is: [BCA]\[]@[GUARANA]
auth_get_challenge: returning previous challenge by module random (normal)
[0000] 79 44 2B D6 C6 0B 3D 56 yD+...=V
auth_check_password_recv: anonymous authentication for user [NT AUTHORITY\ANONYMOUS LOGON] succeeded
...
Client unknown requested to decrypt a client side wrapped secret
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3240.45
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

Please retry with 4.5.0rc1 or later and reopen if the problem still exists.