[Samba] samba member logon.. question.

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 04:40:38 MDT 2015

On 09/04/15 09:19, L.P.H. van Belle wrote:
> Hai all,
> I was testing with a member server and I had a small problem.
> I found the solution but I'm just asking why?
> Situation. DC + Member server, all is working fine.
> All test ok. with AD backend !
> Now I did set some GPOs and I created a user to test. Tested wbinfo -u, worked ok; id user did not work, but I ignored that.

Hi Louis, surely if 'id user' didn't work then your user is unknown to 
the Unix machine.

> Now I'm logging in and my PC was complaining the user and profiles share was inaccessible.
> I noticed these messages:
>    [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>    gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>    [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
> I increased the logging level on the member to 3 and found the following messages..
> Found account name from PAC: testuser [T. testuser] Kerberos ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
> and now it goes wrong.
> Username INTERNAL\testuser is invalid on this system  ....  uh?

Well yes, the user doesn't exist on the machine.

> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> If you encounter this problem, then give the user a UID and the problem is solved, I was able to login again and the message was gone.

There you go, proof that the user must be known to the machine. You 
could also have used the 'rid' backend; this would have allocated an ID 
number without one being in AD.

A Windows user is just a Windows user, unless you do something to make 
it known to Unix.


> Is it obligatory to give your users a uid/gid, or is this backend dependent?
> So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid?
> Is this possible?  should be imo.
> Greetz,
> Louis
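
The two idmap choices discussed in this thread, as an added smb.conf sketch that is not part of the original message. The short domain name INTERNAL and the realm INTERNAL.DOMAIN.TLD are taken from the quoted log lines; the ID ranges are assumed values chosen for illustration.

```ini
[global]
    security = ADS
    workgroup = INTERNAL
    realm = INTERNAL.DOMAIN.TLD

    # Default domain: BUILTIN and anything not matched by a domain below.
    # Range is an assumed example value and must not overlap other ranges.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option 1: 'ad' backend.
    # winbind reads the IDs stored in AD (RFC2307 attributes).
    # A user with no uidNumber, or a uidNumber outside the range below,
    # stays unknown to Unix: 'id user' fails and the Kerberos principal
    # cannot be mapped to a system user (NT_STATUS_LOGON_FAILURE).
    idmap config INTERNAL : backend = ad
    idmap config INTERNAL : schema_mode = rfc2307
    idmap config INTERNAL : range = 10000-999999

    # Option 2: 'rid' backend (use instead of option 1, not together).
    # winbind computes the ID from the RID part of the user's SID, so
    # every domain user gets a Unix ID without any attribute set in AD.
    ;idmap config INTERNAL : backend = rid
    ;idmap config INTERNAL : range = 10000-999999
```

Whichever backend is chosen, the `id user` check from the thread has to return a UID on the member server before a share logon for that user can succeed.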
