[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Sun Apr 5 12:37:03 MDT 2015
Hi!
> When domain user tries to access file server (samba4, member of AD domain)
> server logs such error:
>
> 2015/04/05 21:13:01.095178, 1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username DOMAINwusername is invalid on this system
>
> [2015/04/05 21:13:01.095200, 1]
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>
> which, on one hand, is right - such UNIX user does not exist on the
> file server. If I try to access file server as user registered both
> in AD domain and file server's local passwd/shadow, I succeed.
>
> Does it mean that I have to have all intended users to be registered
> as local UNIX users on file server, and, if I plan to manage share
> permissions using domain groups, I have to make "mirror" groups
> locally as well?
Quotation from another of Rowland's e-mails:
Are your users & groups uidNumber & gidNumber attributes inside the
'10000=99999' range ?
Does this question relate to the UIDs/GIDs on the Samba AD DC (for domain
users/groups) or to local UNIX accounts (on the file server, for example)?
Janis