[Samba] Samba as AD member can not validate domain user

jd at ionica.lv jd at ionica.lv
Sun Apr 5 12:37:03 MDT 2015


> When domain user tries to access file server (samba4, member of AD domain)
> server logs such error:
> [2015/04/05 21:13:01.095178,  1]  
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username DOMAINwusername is invalid on this system
> [2015/04/05 21:13:01.095200,  1]  
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> which, on one hand, is right - such UNIX user does not exist on the  
> file server. If I try to access file server as user registered both  
> in AD domain and file server's local passwd/shadow, I succeed.
> Does it mean that I have to have all intended users registered  
> as local UNIX users on file server, and, if I plan to manage share  
> permissions using domain groups, I have to make "mirror" groups  
> locally as well?

Quotation from another of Rowland's e-mails:
Are your users & groups uidNumber & gidNumber attributes inside the  
'10000=99999' range ?

Does this question relate to the UIDs/GIDs on Samba AD DC (for domain  
users/groups) or local UNIX accounts (on file server, for example)?
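As an added illustration (not part of this thread or of Samba itself): the "Username ... is invalid on this system" message comes from Samba looking the Kerberos principal up through the server's NSS passwd database, so a domain user only works on a member server if some NSS source (normally winbind, configured in /etc/nsswitch.conf) returns an entry for it. The script below classifies getent-passwd style lines against an assumed winbind idmap range of 10000-99999 (the range quoted above); the sample lines are constructed, and `resolve_and_classify` is a hypothetical helper for running the same check against a live server.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Samba project.
# Assumed idmap range for domain accounts (matches the range quoted above).
RANGE_LOW=10000
RANGE_HIGH=99999

# classify_passwd_entry ENTRY
#   ENTRY is a getent-passwd style line ("name:x:uid:gid:gecos:home:shell"),
#   or empty when the lookup returned nothing. Echoes one word:
#     unmapped - no usable NSS entry; Samba cannot turn the principal into a
#                uid, which is the situation in the quoted log lines
#     local    - uid below the idmap range, i.e. a local passwd/shadow account
#     domain   - uid inside the idmap range, i.e. served by winbind/idmap
#     outside  - uid above the idmap range (range misconfiguration)
#   Returns 0 for local/domain, 1 for unmapped/outside.
classify_passwd_entry() {
  entry=$1
  [ -n "$entry" ] || { echo unmapped; return 1; }
  # %s keeps any backslash in DOMAIN\user intact
  uid=$(printf '%s\n' "$entry" | cut -d: -f3)
  case $uid in
    ''|*[!0-9]*) echo unmapped; return 1 ;;
  esac
  if [ "$uid" -lt "$RANGE_LOW" ]; then
    echo local
  elif [ "$uid" -gt "$RANGE_HIGH" ]; then
    echo outside
    return 1
  else
    echo domain
  fi
}

# resolve_and_classify NAME (hypothetical helper for a live member server):
# runs the real NSS lookup, e.g. resolve_and_classify 'DOMAIN\alice'.
resolve_and_classify() {
  classify_passwd_entry "$(getent passwd "$1" 2>/dev/null)"
}

# Constructed sample data standing in for getent output on a member server.
classify_passwd_entry 'DOMAIN\alice:*:10005:10001:Alice:/home/DOMAIN/alice:/bin/bash'
classify_passwd_entry 'bob:x:1001:1001:Bob:/home/bob:/bin/bash'
classify_passwd_entry '' || :
classify_passwd_entry 'DOMAIN\carol:*:2000005:10001::/home/carol:/bin/sh' || :
```

A user that classifies as "local" is the case the message above describes as working (the account exists in the server's own passwd/shadow); "domain" is what a working winbind/idmap setup returns without any local account; "unmapped" corresponds to the NT_STATUS_LOGON_FAILURE in the quoted log.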
