[Samba] Error 1069 when using gMSA on a Windows client
Юлмухаметов Динар Ансарович
DYUlmukhametov at inno.tech
Fri Jul 12 10:27:42 UTC 2024
Hello, Samba list.
When configuring the gMSA on Samba DC (the domain was provisioned using Samba DC, and this DC is the only one in the forest) and trying to use the created service account on Windows, I get an error:
"Error 1069: The service did not start due to a logon failure."
If the domain is provisioned from Windows AD DS, and Samba is the second controller in the domain (joined), then everything works correctly. In this case, I can configure gMSA from samba-tool and use the created service accounts on Windows clients.
In my case:
- "al-r-dc1" - Samba DC
- "win-cl1" - Windows client
I did configure gMSA using the following commands:
--------------
sudo ./samba-tool group add GMSA2 --groupou="OU=Groups" --group-scope=Global
sudo ./samba-tool group addmembers gmsa2 al-r-dc1$,win-cl1$
sudo ./samba-tool service-account create --name=gmsaSrvc2 --dns-host-name=gmsaSrvc2.smblocal.net
sudo ./samba-tool service-account group-msa-membership add --name=gmsaSrvc2 --principal="CN=GMSA2,OU=Groups,DC=smblocal,DC=net"
--------------
smb.conf:
--------------
[global]
dns forwarder = 10.1.188.10
netbios name = AL-R-DC1
realm = SMBLOCAL.NET
server role = active directory domain controller
workgroup = SMBLOCAL
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/smblocal.net/scripts
read only = No
--------------