On domain members using RFC2307, machine accounts without a uidNumber
attribute are not retrieved via idmap_ad. This leads to many of the following
two error messages:

  Username DOMAIN\machineaccountname$ is invalid on this system

and

  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

Machine accounts don't have a uidNumber attribute, if not set manually. To
avoid flooding the logs, setting message from debug level 1 to DBG_NOTICE.

Bugreport: https://bugzilla.samba.org/show_bug.cgi?id=9912
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 4 00:46:15 CET 2015 on sn-devel-104
&ntuser, &ntdomain,
&username, &pw);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to map kerberos principal to system user "
- "(%s)\n", nt_errstr(status)));
+ DBG_NOTICE("Failed to map kerberos principal to system user "
+ "(%s)\n", nt_errstr(status));
status = NT_STATUS_ACCESS_DENIED;
goto done;
}
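Review bot: in the !NT_STATUS_IS_OK(status) branch the request still ends in NT_STATUS_ACCESS_DENIED, but after this change nothing is logged at level 1, so a mapping failure for a real user principal disappears from level-1 logs together with the machine-account noise. Consider demoting only the machine-account case (name ending in `$`) and keeping the level-1 message for everything else. The message also prints only nt_errstr(status); adding the principal being mapped would make the line useful to whoever raises the log level to investigate.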
/* extra sanity check that the guest account is valid */
if (!pw) {
- DEBUG(1, ("Username %s is invalid on this system\n",
- fuser));
+ DBG_NOTICE("Username %s is invalid on this system\n",
+ fuser);
return NT_STATUS_LOGON_FAILURE;
}
}
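Review bot: the comment above the `if (!pw)` check says it validates the guest account, yet the message prints fuser and, per the commit message, fires for machine accounts that lack a uidNumber; the comment should be updated to describe what this check actually covers. Because this path returns NT_STATUS_LOGON_FAILURE, sites that log at level 1 will stop seeing these failures after the change, which deserves a mention in the release notes.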