[Samba] samba 4.1.7 member server errors trying to access share(s)

L.P.H. van Belle belle at bazuin.nl
Wed May 28 04:07:07 MDT 2014

I have some strange things and i cant figure out whats going on. 
The problem is the my domain users and the extra Domain Admin ( Admin )  cant access my member server ( and shares ) 
When i login with the DOMAIN\Administrator it all works fine, can access all shares not popups with authorisation requests. 
but as DOMAIN\Admin ( has the same rights as domain Administrator ), is added to "Domain Admins"  and the domain admins have all privilages. 
when i login as my "DOMAIN\Admin" and i try to access any share on my member server im getting  a popup with authorisation request. 
when entering as "Administrator" it works, all other users/Admins not. 
my 2 DC's  \\rtd-dc1 and \\rtd-dc2  i can access without any problem, but \\rtd-mem1  im getting the popup. 
also tried \rtd-mem1\software but the same, popup. 
I cant figure out where something is wrong, im missing something.. 
If someone can help me trace this, that would be nice. below is the info about the setup. 
Client pc, domain joined,  is Windows 7 64Bit, logged in as "DOMAIN\Admin"   
and other strange thing. 
I've also setup a zarafa mail server with webacces and Single Sing On which is working fine. 
( used this page for the SSO setup. https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 ) 
i can access https://mailserver/webassess as Admin and no popup and auths fine. 
I saw the following errors in the log.smbd  and these are the only errors i found on whole my system.
( can be from testing, i dont know anymore..  ) 
[2014/05/28 10:44:59.886717,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:44:59.887122,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
[2014/05/28 10:45:00.177559,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:45:00.177813,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
[2014/05/28 10:45:01.302718,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:45:01.302967,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)

It's setup with debian wheezy sernet samba 4.1.7.    2 x DC and 1 x member server.   ( all sernet samba ) 
Im testing/setting up the member server smb.conf is as the wiki says with few extra things. 
+> smb.conf of the member server. 
setup followed : http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server 
Joined with net ads join -U administrator

checked the A and PTR records, checked the keytab file all hosts entrys are there
wbinfo -u / -g  works fine for all my users and admins in the domain.
getent passwd gives back my users it RFC2307. 
libpam-krb5 is installed.
Time is in sync with less than 2 sec difference. 
shares setup followed : http://wiki.samba.org/index.php/Setup_and_configure_file_shares 
------------------  SMB conf -----------------------

   workgroup = MYDOMAIN
   security = ADS
   netbios name = rtd-mem1
   domain master = no
   local master = no
   host msdfs = no
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   client signing = if_required
   ## map id's outside to domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain  the range may not overlap !
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 2000-40000
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = yes
   winbind offline logon = yes
   wins server =,
   template shell = /bin/sh
   template homedir = /home/users/%USERNAME%
   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/samba_usermapping
   # For ACL support on member server
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   # Share Setting Globally
   usershare allow guests = no
   unix extensions = no
   wide links = no
   reset on zero vc = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes
   # disable printing completely
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   path = /home/users
   read only = no

   path = /home/samba/software
   read only = no
------------------  KRB5  -----------------------
## krb5 setup.  /etc/krb5.conf
        default_realm = MYDOMAIN.DOMAIN.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

------------------  NSSWITCH -----------------------

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files


More information about the samba mailing list