Hi,

On our sernet-samba 4.2.4 AD-style setup we see that some (newer) machine accounts do not have a gidNumber and uidNumber. Users logging on to those machines experience no problems, but in those systems' event log we see during boot:

    This computer was not able to set up a secure session with a domain controller in domain OURDOMAIN due to the following: There are currently no logon servers available to service the logon request.

Also: we see that using the machine account to access our fileservers does not work (our GPO shutdown scripts do this). This can be visualised like this:

- psexec -i -s cmd.exe (this will open a new cmd window, supposedly running under the system's machine account, in which we type:)
- net use f: \\files.samba.domain.com\ninite

On regular systems, that drive mapping will work without asking for credentials, because it will use the machine account credentials. On non-working machines (without gidNumber and uidNumber) we get a username/password request:

    Enter the user name for 'files'

The machines were added to our AD using the regular Windows workstation procedure: System Properties, Computer Name, add to domain. The join succeeds, and users can log on, drives are mapped, etc.

So, the questions are:

- Do you experts agree with our reasoning above?
- Do machine accounts need a gidNumber / uidNumber?

And of course:

- Why does our latest batch of machines suddenly not have a gidNumber / uidNumber anymore?

In ADUC there is a Unix Attributes tab for user accounts where I can set a uid, but computer accounts have a different kind of Unix tab, where I cannot set a uid.

What to do?

Thanks in advance,
MJ
Some extra info from the Samba side of things:

During the psexec as machine user, Samba logs the following:

    [2015/10/12 20:38:45.552716, 1] ../source3/auth/token_util.c:777(create_token_from_sid)
      getpwuid(1276) failed
    [2015/10/12 20:38:45.552786, 1] ../source3/auth/auth_generic.c:119(auth3_generate_session_info_pac)
      Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)

1276 being the uidNumber I manually added to the machine account, to see if that solved my issue. (which it didn't)

And, just for completeness, the machine account does exist, as can be seen in Samba log entries like this:

    [2015/10/12 20:29:45.724724, 2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
      check_ntlm_password: authentication for user [INSTR05$] -> [INSTR05$] -> [INSTR05$] succeeded
    [2015/10/12 20:29:45.725599, 1] ../source3/auth/token_util.c:777(create_token_from_sid)
      getpwuid(1276) failed

Ideas? Am I looking in the right direction?
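Added example, not part of the thread or of Samba itself: a POSIX shell script that does the check the poster is doing by hand, auditing a computer-account LDIF export for entries that lack uidNumber or gidNumber. The LDIF embedded below is constructed for the example (the account names mirror the thread); the sam.ldb path and base DN in the comments are assumptions about a default Samba AD DC install, not something the thread states.

```shell
#!/bin/sh
# Audit computer accounts for missing uidNumber/gidNumber.
#
# On a real Samba AD DC the LDIF would come from something like (assumed
# default sam.ldb path; BASE_DN is whatever your domain uses):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b "$BASE_DN" \
#       '(objectClass=computer)' sAMAccountName uidNumber gidNumber | audit_ldif
# Here a constructed LDIF dump is embedded so the script runs offline.

SAMPLE_LDIF='# record 1
dn: CN=OLDPC01,CN=Computers,DC=samba,DC=domain,DC=com
sAMAccountName: OLDPC01$
uidNumber: 1200
gidNumber: 515

# record 2
dn: CN=INSTR05,CN=Computers,DC=samba,DC=domain,DC=com
sAMAccountName: INSTR05$

# returned 2 records
'

# audit_ldif: read LDIF on stdin and print one line per computer account:
#   <sAMAccountName> ok        both uidNumber and gidNumber present
#   <sAMAccountName> MISSING   at least one of them absent
# Records are separated by blank lines, as ldbsearch emits them.
audit_ldif() {
    awk '
        function flush() {
            if (name != "") {
                status = (uid != "" && gid != "") ? "ok" : "MISSING"
                print name, status
            }
            name = ""; uid = ""; gid = ""
        }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { uid  = $2 }
        /^gidNumber: /      { gid  = $2 }
        /^$/                { flush() }
        END                 { flush() }
    '
}

# missing_accounts: names of the computer accounts in SAMPLE_LDIF that lack
# either attribute (the ones the thread says cannot map shares as machine).
missing_accounts() {
    printf '%s' "$SAMPLE_LDIF" | audit_ldif | awk '$2 == "MISSING" { print $1 }'
}

# check_nss: on the DC, confirm that a uidNumber actually resolves through NSS.
# This is what getpwuid() in the Samba log does; a uidNumber that is set in the
# directory but not visible to NSS still fails here. Not exercised offline.
check_nss() {
    getent passwd "$1" >/dev/null 2>&1 && echo "uid $1 resolves" || echo "uid $1 does NOT resolve"
}

printf '%s' "$SAMPLE_LDIF" | audit_ldif
echo "accounts missing uidNumber/gidNumber: $(missing_accounts | tr '\n' ' ')"
```

Usage note: pipe real ldbsearch output into audit_ldif to get the list for a whole domain. The second failure in the log above (getpwuid(1276) failing even after uidNumber 1276 was added) is a separate question from whether the attribute is set: getpwuid is answered by the DC's NSS configuration, so check_nss 1276 on the DC tells you whether that uid is visible there at all.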
Hi,

I can be wrong, but for me UID and GID are UNIX concepts. If your workstations are Windows systems, those UID/GID are not necessary.

This does not address your issue, but it could help to understand things and to avoid searching in the wrong direction...

Cheers,
mathias

2015-10-12 20:41 GMT+02:00 mourik jan c heupink <heupink at merit.unu.edu>:
> Some extra info from the samba side of things:
>
> During the psexec as machine user, samba logs the following:
>
>> [2015/10/12 20:38:45.552716, 1] ../source3/auth/token_util.c:777(create_token_from_sid)
>>   getpwuid(1276) failed
>> [2015/10/12 20:38:45.552786, 1] ../source3/auth/auth_generic.c:119(auth3_generate_session_info_pac)
>>   Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
>
> 1276 being the uidNumber I manually added to the machine account, to see if that solved my issue. (which it didn't)
>
> And, just for completeness, the machine account does exist, as can be seen in samba log entries like this:
>
>> [2015/10/12 20:29:45.724724, 2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
>>   check_ntlm_password: authentication for user [INSTR05$] -> [INSTR05$] -> [INSTR05$] succeeded
>> [2015/10/12 20:29:45.725599, 1] ../source3/auth/token_util.c:777(create_token_from_sid)
>>   getpwuid(1276) failed
>
> Ideas? Am I looking in the right direction?