[Samba] samba member logon.. question.

L.P.H. van Belle belle at bazuin.nl
Thu Apr 9 05:01:35 MDT 2015


Ok, thanks. Now that you say it, it's logical, yes.
It also explains why lots of users have problems accessing the member servers.
Can we mix ad and rid?

Thanks! 

Louis




>-----Original Message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 9 April 2015 12:41
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba member logon.. question.
>
>On 09/04/15 09:19, L.P.H. van Belle wrote:
>> Hi all,
>>
>> I was testing with a member server and I had a small problem.
>> I found the solution but I'm just asking why?
>> Situation: DC + member server, all is working fine.
>> All tests OK, with AD backend!
>>
>> Now I did set some GPOs and I created a user to test.
>> Tested wbinfo -u, worked OK; id user did not work.. but I ignored that.
>
>Hi Louis, surely if 'id user' didn't work then your user is unknown to 
>the Unix machine.
>
>> Now I'm logging in and my PC was complaining the user and profiles share was inaccessible.
>>
>> I noticed these messages:
>> [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>   gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>   [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>
>> I increased the logging level on the member to 3 and found the following messages..
>> Found account name from PAC: testuser [T. testuser] Kerberos ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
>> and now it goes wrong.
>>
>> Username INTERNAL\testuser is invalid on this system  ....  uh?
>
>Well yes, the user doesn't exist on the machine.
>
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>
>> If you encounter this problem, then give the user a UID and the problem is solved. I was able to log in again and the message was gone.
>
>There you go, proof that the user must be known to the machine, you 
>could also have used the 'rid' backend, this would have allocated an ID 
>number without one being in AD.
>
>A Windows user is just a Windows user, unless you do something to make 
>it known to Unix.
>
>Rowland
>
>>
>> Is it obligatory to give your users a uid/gid? Or is this backend-dependent?
>> So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid.
>> Is this possible? Should be imo.
>>
>> Greetz,
>>
>> Louis
>

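The difference Rowland points at, as an added illustration that is not part of the thread: the rid backend derives a Unix ID arithmetically from the SID's RID and the configured range, so nothing has to be stored in AD, whereas the ad backend has nothing to compute and fails with "invalid on this system" when uidNumber/gidNumber are missing. The domain SID, the range and the user SIDs below are constructed values.

```shell
#!/bin/sh
# Added example: how Samba's idmap_rid backend turns a SID into a Unix ID.
# idmap_rid needs nothing in AD: ID = LOW_RANGE_ID + RID, and the result must
# fall inside the configured range. The 'ad' backend instead reads uidNumber/
# gidNumber from AD, so a user without them is "invalid on this system".
#
# Assumed smb.conf settings that these constructed values model:
#   idmap config INTERNAL : backend = rid
#   idmap config INTERNAL : range   = 10000-999999
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed
RID_RANGE_LOW=10000
RID_RANGE_HIGH=999999

# rid_to_unix_id DOMAIN_SID LOW HIGH SID
# Prints the Unix ID idmap_rid would allocate, or fails (exit 1) when the SID
# is not from the domain, has no numeric RID, or maps outside LOW-HIGH.
rid_to_unix_id() {
    domain=$1; low=$2; high=$3; sid=$4
    case $sid in
        "$domain"-*) ;;
        *) echo "SID $sid is not in domain $domain" >&2; return 1 ;;
    esac
    rid=${sid##*-}                     # last hyphen-separated component
    case $rid in
        ''|*[!0-9]*) echo "no numeric RID in $sid" >&2; return 1 ;;
    esac
    id=$((low + rid))
    if [ "$id" -gt "$high" ]; then
        echo "RID $rid maps to $id, outside range $low-$high" >&2
        return 1
    fi
    echo "$id"
}

# Constructed SID for testuser (RID 1105) and for Domain Users (well-known RID 513)
TESTUSER_SID="$DOMAIN_SID-1105"
DOMAIN_USERS_SID="$DOMAIN_SID-513"

echo "uid for testuser:     $(rid_to_unix_id "$DOMAIN_SID" "$RID_RANGE_LOW" "$RID_RANGE_HIGH" "$TESTUSER_SID")"
echo "gid for Domain Users: $(rid_to_unix_id "$DOMAIN_SID" "$RID_RANGE_LOW" "$RID_RANGE_HIGH" "$DOMAIN_USERS_SID")"
# A range too small for the domain's RIDs is a common misconfiguration:
if ! rid_to_unix_id "$DOMAIN_SID" 10000 10500 "$TESTUSER_SID" >/dev/null; then
    echo "range 10000-10500 cannot hold RID 1105 (would need to reach 11105)"
fi
```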