Юлмухаметов Динар Ансарович
2024-Jul-12 10:27 UTC
[Samba] Error 1069 when using gMSA on a Windows client
Hello, Samba list.

When configuring a gMSA on a Samba DC (the domain was provisioned using Samba DC, and this DC is the only one in the forest) and trying to use the created service account on Windows, I get an error: "Error 1069: The service did not start due to a logon failure."

If the domain is provisioned from Windows AD DS, and Samba is the second controller in the domain (joined), then everything works correctly. In this case, I can configure the gMSA from samba-tool and use the created service accounts on Windows clients.

In my case:
- "al-r-dc1" - Samba DC
- "win-cl1" - Windows client

I configured the gMSA using the following commands:
--------------
sudo ./samba-tool group add GMSA2 --groupou="OU=Groups" --group-scope=Global
sudo ./samba-tool group addmembers gmsa2 al-r-dc1$,win-cl1$
sudo ./samba-tool service-account create --name=gmsaSrvc2 --dns-host-name=gmsaSrvc2.smblocal.net
sudo ./samba-tool service-account group-msa-membership add --name=gmsaSrvc2 --principal="CN=GMSA2,OU=Groups,DC=smblocal,DC=net"
--------------

smb.conf:
--------------
[global]
        dns forwarder = 10.1.188.10
        netbios name = AL-R-DC1
        realm = SMBLOCAL.NET
        server role = active directory domain controller
        workgroup = SMBLOCAL

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/smblocal.net/scripts
        read only = No
--------------