[Samba] Samba as AD member can not validate domain user

jd at ionica.lv jd at ionica.lv
Sun Apr 5 12:42:19 MDT 2015

I am sorry for the many P.S.

>> When domain user tries to access file server (samba4, member of AD domain)
>> server logs such error:
>> 2015/04/05 21:13:01.095178,  1]  
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>> [2015/04/05 21:13:01.095200,  1]  
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>> which, on one hand, is right - such UNIX user does not exist on the  
>> file server. If I try to access file server as user registered both  
>> in AD domain and file server's local passwd/shadow, I succeed.
>> Does it mean that I have to have all intended users registered
>> as local UNIX users on the file server, and, if I plan to
>> manage share permissions using domain groups, I have to make
>> "mirror" groups locally as well?
> quotation from another of Rowland's e-mails:
> Are your users & groups uidNumber & gidNumber attributes inside the  
> '10000=99999' range ?
> Does this question relate to the UIDs/GIDs on the Samba AD DC (for
> domain users/groups) or to local UNIX accounts (on the file server, for
> example)?

getent group lists only local groups;
getent passwd shows a list of local users, freezes for a while and exits;
id user shows user info if it exists locally.
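An added check, not from this thread and not Samba's own code, for the two files this symptom usually comes down to on a member server: the idmap settings in smb.conf and the passwd/group lines in /etc/nsswitch.conf. It parses constructed copies of both (domain name SAMDOM, the rid backend and the ranges are assumed; the 10000-99999 range echoes Rowland's question) and reports what would stop an authenticated Kerberos principal from being mapped to a UNIX user.

```python
import re

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}} (names lowercased, spaces around ':' dropped)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf

def parse_range(text):
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text or "")  # e.g. '10000-99999'
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_member_config(smb_conf, nsswitch, workgroup):
    """Return findings that explain why a DOMAIN user may not map to a UNIX uid."""
    findings, dom = [], workgroup.lower()
    g = parse_smb_conf(smb_conf).get("global", {})
    if g.get("security", "user").lower() != "ads":
        findings.append("security is not 'ads'")
    # Without a per-domain idmap backend and range the Kerberos principal authenticates but gets no uid.
    if f"idmap config {dom}:backend" not in g:
        findings.append(f"missing 'idmap config {workgroup} : backend'")
    dom_range = parse_range(g.get(f"idmap config {dom}:range"))
    star_range = parse_range(g.get("idmap config *:range"))
    if dom_range is None:
        findings.append(f"missing or malformed 'idmap config {workgroup} : range'")
    elif star_range and dom_range[0] <= star_range[1] and star_range[0] <= dom_range[1]:
        findings.append("domain idmap range overlaps the '*' default range")
    # NSS must consult winbind, or getent/id only ever see /etc/passwd and /etc/group.
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf '{db}' line does not include winbind")
    return findings

# Constructed sample inputs: the same member server before and after fixing idmap/NSS.
BROKEN_SMB_CONF = "[global]\n workgroup = SAMDOM\n security = ads\n realm = SAMDOM.EXAMPLE.COM\n"
BROKEN_NSSWITCH = "passwd: files\ngroup: files\n"
FIXED_SMB_CONF = BROKEN_SMB_CONF + (" idmap config * : backend = tdb\n idmap config * : range = 3000-7999\n"
    " idmap config SAMDOM : backend = rid\n idmap config SAMDOM : range = 10000-99999\n")
FIXED_NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"
```

Note that `getent passwd` listing only local users is expected unless `winbind enum users = yes` is set; the meaningful test is a lookup by name, such as `getent passwd 'SAMDOM\user'`, which needs only the idmap and nsswitch settings checked above.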

