[Samba] samba member logon.. question.

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 05:16:44 MDT 2015


On 09/04/15 12:01, L.P.H. van Belle wrote:
> Ok, thanks, now you say it, logical yes..
> It also explains more why lots of users have the problem accessing the member servers..
> can we mix ad and rid...
I would suppose so, but not on the same machine :-)

Why would you want to though ?

Using the RFC2307 attributes, you will get the same ID number on every 
Unix machine, whereas if you use the 'rid' backend, whilst you should 
get the same ID on each Unix machine, you will never get the same ID on 
an AD DC; in fact, without intervention, you will get a different ID on 
different DCs.

If you only have one DC and one member server, then use the member 
server and use the 'rid' backend, anything other than this, use the 
RFC2307 attributes and the 'ad' backend.

Rowland
> Thanks!
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 9 April 2015 12:41
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba member logon.. question.
>>
>> On 09/04/15 09:19, L.P.H. van Belle wrote:
>>> Hi all,
>>>
>>> I was testing with a member server and I had a small problem.
>>> I found the solution but I'm just asking why?
>>> Situation: DC + member server, all is working fine.
>>> All tests OK with the AD backend!
>>>
>>> Now I did set some GPOs and I created a user to test.
>>> Tested wbinfo -u, worked OK; id user did not work.. but I ignored that.
>>
>> Hi Louis, surely if 'id user' didn't work then your user is unknown to
>> the Unix machine.
>>
>>> Now I'm logging in and my PC was complaining the user and
>>> profiles share was inaccessible.
>>>
>>> I noticed these messages: [2015/04/08 16:48:19.967842, 0]
>>> ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>     gss_unwrap_iov failed with [ Miscellaneous failure (see
>>> text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>     [2015/04/08 16:48:19.968069, 0]
>>> ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>
>>> I increased the logging level on the member to 3 and found
>>> the following messages..
>>> Found account name from PAC: testuser [T. testuser] Kerberos
>>> ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
>>> and now it goes wrong.
>>>
>>> Username INTERNAL\testuser is invalid on this system  ....  uh?
>> Well yes, the user doesn't exist on the machine.
>>
>>> Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>> If you encounter this problem, then give the user a UID and
>>> the problem is solved. I was able to log in again and the
>>> message was gone.
>>
>> There you go, proof that the user must be known to the machine. You
>> could also have used the 'rid' backend; this would have
>> allocated an ID
>> number without one being in AD.
>>
>> A windows user is just a windows user, unless you do something to make
>> it known to Unix.
>>
>> Rowland
>>
>>>
>>> Is it obligatory to give your users a uid/gid? Or is this
>>> backend dependent?
>>> So what if you want to run your setup with the AD backend but you
>>> don't want to give all your users a uid/gid.
>>> Is this possible? Should be imo.
>>>
>>> Greetz,
>>>
>>> Louis
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
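The idmap behaviour Rowland describes above, as an added example that is not part of this thread or of Samba's own code: a small Python emulation of what the 'rid' and 'ad' backends return for one account, fed by a minimal parser for the `idmap config` lines of smb.conf. The two smb.conf fragments, the SIDs and the uidNumber values are constructed for the example; `map_user` reproduces the backend arithmetic (rid: range low + RID; ad: the uidNumber attribute) rather than calling winbind.

```python
import re

# Constructed sample smb.conf fragments (not from the thread): one member
# server using the 'ad' backend with RFC2307 attributes, one using 'rid'.
SMB_CONF_AD = """
[global]
   security = ADS
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : schema_mode = rfc2307
   idmap config INTERNAL : range = 10000-999999
   idmap config INTERNAL : unix_nss_info = yes
"""

SMB_CONF_RID = """
[global]
   security = ADS
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 10000-999999
"""

# Matches "idmap config <domain> : <option> = <value>" (case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(r):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = r.split("-")
    return int(lo), int(hi)


def rid_of(sid):
    """The last sub-authority of an S-1-5-21-... SID is the account's RID."""
    return int(sid.rsplit("-", 1)[1])


def map_user(cfg, domain, sid, uid_number=None):
    """Emulate the uid an idmap backend would hand to winbind for one account.

    'rid': uid = range_low + RID, so every member with the same range agrees.
    'ad' : uid = the account's uidNumber attribute; no attribute, no mapping.
    Returns (uid, reason); uid is None when the user cannot be mapped.
    """
    dom = cfg.get(domain.upper())
    if not dom:
        return None, "no idmap config for domain %s" % domain
    lo, hi = parse_range(dom["range"])
    backend = dom["backend"].lower()
    if backend == "rid":
        uid = lo + rid_of(sid)
        if uid > hi:
            return None, "RID %d gives %d, outside range %d-%d" % (rid_of(sid), uid, lo, hi)
        return uid, "rid backend: %d + RID %d" % (lo, rid_of(sid))
    if backend == "ad":
        if uid_number is None:
            # This is the thread's case: a valid AD user with no uidNumber is
            # "invalid on this system" and the Kerberos logon fails.
            return None, "ad backend: account has no uidNumber attribute"
        if not lo <= uid_number <= hi:
            return None, "uidNumber %d outside range %d-%d" % (uid_number, lo, hi)
        return uid_number, "ad backend: uidNumber attribute"
    return None, "backend %s not emulated here" % backend


def consistent_across_hosts(confs, domain, sid, uid_number=None):
    """True when every host's smb.conf maps the SID to one and the same uid."""
    uids = {map_user(parse_idmap(c), domain, sid, uid_number)[0] for c in confs}
    return len(uids) == 1 and None not in uids


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
    print("rid:", map_user(parse_idmap(SMB_CONF_RID), "INTERNAL", sid))
    print("ad, no uidNumber:", map_user(parse_idmap(SMB_CONF_AD), "INTERNAL", sid))
    print("ad, uidNumber=10042:", map_user(parse_idmap(SMB_CONF_AD), "INTERNAL", sid, 10042))
```

The two backends fail in different ways: with 'rid' a mapping always exists as long as the RID fits in the configured range, and two members only disagree when their ranges differ, which is the "same ID on each Unix machine" half of Rowland's point; with 'ad' the mapping exists only when the account carries a uidNumber, which is exactly why giving the test user a UID made the logon error go away.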


