[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:19:07 MDT 2015

On 05/04/15 19:26, jd at ionica.lv wrote:
> Hi!
> Wheh domain user tries to access file server (samba4, member of AD 
> domain)
> server logs such error:
> 2015/04/05 21:13:01.095178,  1] 
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username DOMAINwusername is invalid on this system
> [2015/04/05 21:13:01.095200,  1] 
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> which, on one hand, is right - such UNIX user does not exist on the 
> file server. If I try to access file server as user registered both in 
> AD domain and file server's local passwd/shadow, I succed.
> Does it mean that I have to have all intended users to be registered 
> as local UNIX users on file server, and, if I plan to manage share 
> permissions using domain groups, I have to make "mirror" groups 
> locally as well?
> Janis

No, you can have local Unix users & groups and AD domain users & groups, 
but the two cannot mix i.e. if user 'joe' is in /etc/passwd, you cannot 
have a user 'joe' in AD. This applies when you correctly set up smb.conf 
on the file server and join it to the domain.

What you have to do to get AD users known to Unix, is:

Correctly set up smb.conf
Join the machine to the domain
Ensure that the users & groups have the required uidNumbers & gidNumber
Ensure that kerberos, resolv.conf and nsswitch.conf are correctly set up.

Or to put it another way, you do not add Unix users to AD, you extend AD 
users to become Unix users.

If unsure what to do, see the samba wiki member server page:



More information about the samba mailing list