[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Sun Apr 5 12:42:19 MDT 2015
I am sorry for many P.S.
>> When domain user tries to access file server (samba4, member of AD domain)
>> server logs such error:
>>
>> [2015/04/05 21:13:01.095178, 1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>>
>> [2015/04/05 21:13:01.095200, 1]
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>
>> which, on one hand, is right - such UNIX user does not exist on the
>> file server. If I try to access file server as user registered both
>> in AD domain and file server's local passwd/shadow, I succeed.
>>
>> Does it mean that I have to have all intended users to be
>> registered as local UNIX users on file server, and, if I plan to
>> manage share permissions using domain groups, I have to make
>> "mirror" groups locally as well?
>
> quotation from another of Rowland's e-mails:
> Are your users & groups uidNumber & gidNumber attributes inside the
> '10000=99999' range ?
>
> Does this question relate to the UIDs/GIDs on Samba AD DC (for
> domain users/groups) or local UNIX accounts (on file server, for
> example)?
getent group lists only local groups;
getent passwd shows list of local users, freezes for a while and exits;
id user shows user info if it exists locally.
Janis