[Samba] samba member logon.. question.

L.P.H. van Belle belle at bazuin.nl
Thu Apr 9 02:19:46 MDT 2015

Hi all,
I was testing with a member server and I had a small problem.
I found the solution, but I'm just asking why?
Situation: DC + member server, all is working fine.
All tests OK, with AD backend!
Now I did set some GPOs and I created a user to test. Tested: wbinfo -u worked OK, id user did not work... but I ignored that.
Now I'm logging in and my PC was complaining the user and profiles share was inaccessible.
I noticed these messages:

  [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
    gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
  [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)

I increased the logging level on the member to 3 and found the following messages:

  Found account name from PAC: testuser [T. testuser]
  Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]

and now it goes wrong:

  Username INTERNAL\testuser is invalid on this system   ....  uh?
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

If you encounter this problem, then give the user a UID and the problem is solved. I was able to log in again and the message was gone.
Is it obligatory to give your users a uid/gid? Or is this backend dependent?
So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid?
Is this possible? It should be, imo.
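Triage logic for the log excerpt above, added here as an example and not code from the post: it picks out the Kerberos logons that winbind failed to map to a Unix account and re-checks them through NSS the way `id <user>` does. The log text is constructed from the lines quoted above (with the archive's " at " restored to "@"); the NSS lookup assumes winbind resolves bare SAM account names.

```python
import pwd
import re

# Constructed sample modelled on the post's level-3 log (archive's " at " restored to "@").
SAMPLE_LOG = """\
[2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
Found account name from PAC: testuser [T. testuser]
Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]
Username INTERNAL\\testuser is invalid on this system
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
Found account name from PAC: admin [Admin]
Kerberos ticket principal name is [admin@INTERNAL.DOMAIN.TLD]
"""

PAC_RE = re.compile(r"Found account name from PAC: (\S+) \[")
PRINC_RE = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
INVALID_RE = re.compile(r"Username (\S+?)\\(\S+) is invalid on this system")
MAP_FAIL = "Failed to map kerberos principal to system user"

def find_unmapped_users(log_text):
    """Correlate each PAC block with the 'invalid on this system' and
    NT_STATUS_LOGON_FAILURE lines after it -> {sam_account: (domain, principal)}."""
    unmapped = {}
    current = None  # [account, principal, domain] of the block in progress
    for line in log_text.splitlines():
        if m := PAC_RE.search(line):
            current = [m.group(1), None, None]
        elif (m := PRINC_RE.search(line)) and current:
            current[1] = m.group(1)
        elif (m := INVALID_RE.search(line)) and current \
                and m.group(2).lower() == current[0].lower():
            current[2] = m.group(1)
        elif MAP_FAIL in line and current and current[2]:
            unmapped[current[0]] = (current[2], current[1])
            current = None
    return unmapped

def still_unmapped(accounts, lookup=None):
    """Re-check flagged accounts through NSS, as `id <user>` does; with winbind
    plus idmap_ad this succeeds only once the account has a uidNumber."""
    lookup = lookup or (lambda name: pwd.getpwnam(name).pw_uid)
    missing = {}
    for name, info in accounts.items():
        try:
            lookup(name)  # bare SAM name; prefix DOMAIN\ if 'winbind use default domain' is off
        except KeyError:
            missing[name] = info
    return missing
```

Run on the member server after a failed logon, `still_unmapped(find_unmapped_users(open("/var/log/samba/log.smbd").read()))` lists exactly the accounts that still need a uidNumber.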
