[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:24:00 MDT 2015

On 05/04/15 19:37, jd at ionica.lv wrote:
> Hi!
>> When domain user tries to access file server (samba4, member of AD 
>> domain)
>> server logs such error:
>> 2015/04/05 21:13:01.095178,  1] 
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>> [2015/04/05 21:13:01.095200,  1] 
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user 
>> which, on one hand, is right - such UNIX user does not exist on the 
>> file server. If I try to access file server as user registered both 
>> in AD domain and file server's local passwd/shadow, I succed.
>> Does it mean that I have to have all intended users to be registered 
>> as local UNIX users on file server, and, if I plan to manage share 
>> permissions using domain groups, I have to make "mirror" groups 
>> locally as well?
> quotation form another Rowland's e-mail:
> Are your users & groups uidNumber & gidNumber attributes inside the 
> '10000=99999' range ?
> Does this question relates to the UIDs/GIDs on Samba AD DC (for domain 
> users/groups) or local UNIX accounts (on file server, for example)?
> Janis

If you are using AD for authentication, you can ignore local Unix 
accounts, all your users should be in AD apart from at least one local 
AD user (which can't be in AD) just in case something catastrophic happens.

Just use AD users and extend them to be Unix users and set up Linux to 
use them.


More information about the samba mailing list