thr3ads.net - samba - [Samba] Error 1069 when using gMSA on a Windows client [Jul 2024]

If this information is useful, please help other people find it:
Share via:

Юлмухаметов Динар Ансарович

2024-Jul-12 10:27 UTC

[Samba] Error 1069 when using gMSA on a Windows client

Hello, Samba list.

When configuring the gMSA on Samba DC (the domain was provisioned using Samba
DC, and this DC is the only one in the forest) and trying to use the created
service account on Windows, I get an error:

"Error 1069: The service did not start due to a logon failure."

If the domain is provisioned from Windows AD DS, and Samba is the second
controller in the domain (joined), then everything works correctly. In this
case, I can configure gMSA from samba-tool and use the created service accounts
on Windows Clients.

In my case:
- "al-r-dc1" - Samba DC
- "win-cl1" - windows client

I did configure gMSA using the following commands:
--------------
sudo ./samba-tool group add GMSA2 --groupou="OU=Groups"
--group-scope=Global
sudo ./samba-tool group addmembers gmsa2 al-r-dc1$,win-cl1$
sudo ./samba-tool service-account create --name=gmsaSrvc2
--dns-host-name=gmsaSrvc2.smblocal.net
sudo ./samba-tool service-account group-msa-membership add --name=gmsaSrvc2
--principal="CN=GMSA2,OU=Groups,DC=smblocal,DC=net"
--------------

smb.conf:
--------------
[global]
       dns forwarder = 10.1.188.10
       netbios name = AL-R-DC1
       realm = SMBLOCAL.NET
       server role = active directory domain controller
       workgroup = SMBLOCAL

[sysvol]
       path = /usr/local/samba/var/locks/sysvol
       read only = No

[netlogon]
       path = /usr/local/samba/var/locks/sysvol/smblocal.net/scripts
       read only = No
--------------

Maybe Matching Threads

Search for more seemingly similar threads

samba - Jul 2024 - Error 1069 when using gMSA on a Windows client

[Samba] Error 1069 when using gMSA on a Windows client

Maybe Matching Threads

Wisdom of the Ancients