[Samba] samba member logon.. question.
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 9 02:19:46 MDT 2015
I was testing with a member server and I had a small problem.
I found the solution, but I'm just asking: why?
Situation: DC + member server, all is working fine.
All tests OK, with AD backend!
Now I set some GPOs and created a user to test. Tested wbinfo -u, which worked OK; id user did not work, but I ignored that.
Now I'm logging in and my PC was complaining that the user and profiles share was inaccessible.
I noticed these messages:
[2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
I increased the logging level on the member to 3 and found the following messages:
Found account name from PAC: testuser [T. testuser]
Kerberos ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
And now it goes wrong:
Username INTERNAL\testuser is invalid on this system .... uh?
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
If you encounter this problem, give the user a UID and the problem is solved; I was able to log in again and the message was gone.
Is it obligatory to give your users a uid/gid, or is this backend dependent?
So what if you want to run your setup with the AD backend but you don't want to give all your users a uid/gid?
Is this possible? It should be, IMO.
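An added example, not part of the original post: a small triage script that scans member-server log text for the message sequence quoted above and lists the accounts whose Kerberos principal could not be mapped to a system user. The sample log is constructed from the message texts in the post; the "alice" lines are invented, and the principal pattern accepts both "@" and the archive's " at " form.

```python
import re
from collections import Counter

# Constructed sample: message texts copied from the post, header lines omitted.
# "alice" and her lines are invented here to show a login that maps correctly.
SAMPLE_LOG = r"""
Found account name from PAC: alice [Alice Example]
Kerberos ticket principal name is [alice@INTERNAL.DOMAIN.TLD]
Found account name from PAC: testuser [T. testuser]
Kerberos ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
Username INTERNAL\testuser is invalid on this system
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
Found account name from PAC: testuser [T. testuser]
Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]
Username INTERNAL\testuser is invalid on this system
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""

PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[(\S+?)(?:@| at )(\S+?)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
MAP_FAIL = re.compile(r"Failed to map kerberos principal to system user \((\w+)\)")


def unmapped_logons(log_text):
    """Return a Counter of (principal, unix_name, status) for failed mappings."""
    failures = Counter()
    principal = unix_name = None
    for line in log_text.splitlines():
        if m := PRINCIPAL.search(line):
            # A new ticket starts a new logon attempt; forget the previous one.
            principal, unix_name = f"{m.group(1)}@{m.group(2)}", None
        elif m := INVALID.search(line):
            unix_name = m.group(1)
        elif (m := MAP_FAIL.search(line)) and principal:
            failures[(principal, unix_name, m.group(1))] += 1
            principal = unix_name = None
    return failures


def report(failures):
    """One line per affected account, most frequent first."""
    return [f"{n}x {p} -> {u or '?'}: {s} (no system user; check the account has a UID)"
            for (p, u, s), n in failures.most_common()]


if __name__ == "__main__":
    print("\n".join(report(unmapped_logons(SAMPLE_LOG))))
```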