[Samba] Samba as AD member can not validate domain user
Rowland Penny
rowlandpenny at googlemail.com
Sun Apr 5 13:19:07 MDT 2015
On 05/04/15 19:26, jd at ionica.lv wrote:
> Hi!
>
> When a domain user tries to access the file server (samba4, member of AD
> domain), the server logs such an error:
>
> [2015/04/05 21:13:01.095178, 1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username DOMAINwusername is invalid on this system
>
> [2015/04/05 21:13:01.095200, 1]
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>
> which, on one hand, is right - such a UNIX user does not exist on the
> file server. If I try to access the file server as a user registered both in
> the AD domain and in the file server's local passwd/shadow, I succeed.
>
> Does it mean that I have to have all intended users registered as local
> UNIX users on the file server, and, if I plan to manage share
> permissions using domain groups, I have to make "mirror" groups
> locally as well?
>
> Janis
>
No, you can have local Unix users & groups and AD domain users & groups,
but the two cannot mix, i.e. if user 'joe' is in /etc/passwd, you cannot
have a user 'joe' in AD. This applies when you correctly set up smb.conf
on the file server and join it to the domain.
What you have to do to get AD users known to Unix, is:
Correctly set up smb.conf
Join the machine to the domain
Ensure that the users & groups have the required uidNumbers & gidNumbers
Ensure that kerberos, resolv.conf and nsswitch.conf are correctly set up.
Or to put it another way, you do not add Unix users to AD, you extend AD
users to become Unix users.
If unsure what to do, see the samba wiki member server page:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Rowland
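Added example, not part of the thread: a small POSIX shell script that checks the items Rowland lists (smb.conf set up for an AD member, nsswitch.conf consulting winbind, no user present both locally and in AD, and the NSS lookup the file server performs). The config contents, the EXAMPLE domain and the user names are constructed samples; live_check assumes getent and winbind are installed.

```shell
# Added example, not Samba's code: sanity checks for an AD member file server.
# The config contents below are constructed samples; on a real server read the files.

# Constructed sample of a member-server smb.conf [global] section.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999'

# Constructed sample nsswitch.conf: passwd and group must consult winbind.
SAMPLE_NSSWITCH='passwd: files winbind
group:  files winbind
shadow: files'

# Constructed sample local /etc/passwd and list of AD account names.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
joe:x:1001:1001::/home/joe:/bin/bash'
SAMPLE_AD_USERS='janis
joe'

# check_smb_conf CONTENT: security = ads, a realm, an idmap backend for the default
# domain and a rid or ad backend for the AD domain (ad reads uidNumber/gidNumber from AD).
check_smb_conf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*realm[[:space:]]*=' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*backend' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*idmap config [^*:[:space:]]+[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*(rid|ad)' || return 1
}

# check_nsswitch CONTENT: both the passwd and the group line list winbind.
check_nsswitch() {
    printf '%s\n' "$1" | grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' || return 1
    printf '%s\n' "$1" | grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' || return 1
}

# overlapping_users PASSWD AD_USERS: prints names that exist on both sides,
# which Rowland's reply says must not happen (the 'joe' case).
overlapping_users() {
    for u in $2; do
        printf '%s\n' "$1" | cut -d: -f1 | grep -qx "$u" && printf '%s\n' "$u"
    done
}

# live_check DOMAIN USER: resolve the AD user through NSS, as the file server does.
live_check() { getent passwd "$1\\$2" >/dev/null 2>&1; }
```

Run live_check only on the joined member server; the other three functions work on any copy of the files.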