Hai all,

I was testing with a member server and I had a small problem.
I found the solution but I'm just asking why?

Situation. DC + Member server, all is working fine.
All test ok. with AD backend !

Now I did set some GPO's and I created a user to test.
Tested wbinfo -u worked ok, id user did not work.. but I ignored that.

Now I'm logging in and my pc was complaining the user and profiles share was inaccessible.

I noticed these messages
[2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)

I increased the logging level on the member to 3 and found the following messages..
Found account name from PAC: testuser [T. testuser]
Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]
and now it goes wrong.

Username INTERNAL\testuser is invalid on this system
.... uh?
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

If you encounter this problem, then give the user a UID and the problem is solved, I was able to login again and the message was gone.

Is it obligatory to give your users a uid/gid? Or is this backend dependent?
So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid.
Is this possible? Should be imo.

Greetz,

Louis
On 09/04/15 09:19, L.P.H. van Belle wrote:
> Hai all,
>
> I was testing with a member server and I had a small problem.
> I found the solution but I'm just asking why?
> Situation. DC + Member server, all is working fine.
> All test ok. with AD backend !
>
> Now I did set some GPO's and I created a user to test. Tested wbinfo -u worked ok, id user did not work.. but I ignored that.

Hi Louis, surely if 'id user' didn't work then your user is unknown to the Unix machine.

> Now I'm logging in and my pc was complaining the user and profiles share was inaccessible.
>
> I noticed these messages
> [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>   gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
> [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>
> I increased the logging level on the member to 3 and found the following messages..
> Found account name from PAC: testuser [T. testuser]
> Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]
> and now it goes wrong.
>
> Username INTERNAL\testuser is invalid on this system .... uh?

Well yes, the user doesn't exist on the machine.

> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>
> If you encounter this problem, then give the user a UID and the problem is solved, I was able to login again and the message was gone.

There you go, proof that the user must be known to the machine, you could also have used the 'rid' backend, this would have allocated an ID number without one being in AD.

A windows user is just a windows user, unless you do something to make it known to Unix.

Rowland

> Is it obligatory to give your users a uid/gid? Or is this backend dependent?
> So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid.
> Is this possible? Should be imo.
>
> Greetz,
>
> Louis
Ok, thanks, now you say it, logical yes..
It also explains more why lots of users have the problem accessing the member servers..
Can we mix ad and rid...

Thanks!

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday 9 April 2015 12:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba member logon.. question.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 09/04/15 12:01, L.P.H. van Belle wrote:
> Ok, thanks, now you say it, logical yes..
> It also explains more why lots of users have the problem accessing the member servers..
> Can we mix ad and rid...

I would suppose so, but not on the same machine :-)

Why would you want to though ?

Using the RFC2307 attributes, you will get the same ID number on every Unix machine, whereas if you use the 'rid' backend, whilst you should get the same ID on each Unix machine, you will never get the same ID on an AD DC, in fact without intervention, you will get a different ID on different DCs.

If you only have one DC and one member server, then use the member server and use the 'rid' backend, anything other than this, use the RFC2307 attributes and the 'ad' backend.

Rowland

> Thanks!
>
> Louis
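An added check that illustrates the two points in Rowland's reply above; this is not code from the thread or from Samba itself. With the 'ad' backend, an account that winbind enumerates but the Unix side cannot resolve is one still lacking RFC2307 uidNumber/gidNumber attributes; with the 'rid' backend the ID is computed from the SID and the configured range, so it exists without anything stored in AD. The SID and the range values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba itself).

# Check 1: accounts winbind can enumerate but the Unix side cannot resolve.
# With 'idmap config DOM : backend = ad' these are the AD accounts that still
# lack RFC2307 uidNumber/gidNumber attributes, i.e. exactly the state that
# produced "Username INTERNAL\testuser is invalid on this system".
# Usage on a member server:  wbinfo -u | missing_unix_ids
# Reads one account per line on stdin, prints the unresolvable ones.
missing_unix_ids() {
    while IFS= read -r account; do
        [ -n "$account" ] || continue
        getent passwd "$account" >/dev/null 2>&1 || printf '%s\n' "$account"
    done
}

# Check 2: the ID the 'rid' backend would hand out for a SID.
# idmap_rid derives ID = RID + LOW from 'idmap config DOM : range = LOW-HIGH';
# nothing is stored in AD, which is why the same account gets a different
# ID wherever the range differs. A SID whose ID falls outside the range is
# not mapped (the function returns 1). The SID S-1-5-21-1-2-3-1105 is constructed.
rid_to_unix_id() {
    sid=$1
    low=$2
    high=$3
    rid=${sid##*-}                       # RID is the last SID component
    case $rid in ''|*[!0-9]*) return 1 ;; esac
    unix_id=$((rid + low))
    [ "$unix_id" -ge "$low" ] && [ "$unix_id" -le "$high" ] || return 1
    printf '%s\n' "$unix_id"
}

# Stand-alone demonstration with constructed values.
printf 'root\nno-such-user-xyz\n' | missing_unix_ids   # prints no-such-user-xyz
rid_to_unix_id S-1-5-21-1-2-3-1105 10000 999999        # prints 11105
```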
Well, I was thinking about the following..

AD backend:
member1 = fileserver with only company data. linux and windows users.
member4 = database server with linux and windows users, nfs-kerberos connected with member1.
member5 = webserver with linux and windows users, nfs-kerberos connected with member1. ( no external web server, only internal )

RID backend:
member2 = profiles and user folders. windows only users and linux administrator user.
member3 = print server. windows users only for printing and linux administrator user.

This way when you create a user and you forget to set a uid, a windows user can always login and policies are always set because of the generated uids.
Yes, access is denied to member1 when a uid is forgotten, that's ok.
No copies are done of files between the member servers (2,3) and (1,4,5) in this case.

A proxy server can use a rid backend, the proxy server needs a user with uid, but that can be a different uid. This increases security imo.
A mail server, depending on the setup, can be rid or ad. In my case rid is an option, which also increases security. I don't need/have any homedirs here, all users are virtual here.

And all servers will be using kerberos auth, and based on the access denied message for a forgotten uid, I am making the assumption that I can have different uids/gids here ( with kerberos auth I mean ).

Why all of this.. I think this will increase security in proxy and mail. Sure it all depends on your setup, but if by security leak/bugs access is gained, then the "faulty" uid makes sure no access to files is possible on the member1 server because of the differences in uid/gid.

What do you think about this, possible? Any thoughts?

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday 9 April 2015 13:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba member logon.. question.