[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:24:00 MDT 2015


On 05/04/15 19:37, jd at ionica.lv wrote:
> Hi!
>
>> When domain user tries to access file server (samba4, member of AD 
>> domain)
>> server logs such error:
>>
>> 2015/04/05 21:13:01.095178,  1] 
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>>
>> [2015/04/05 21:13:01.095200,  1] 
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user 
>> (NT_STATUS_LOGON_FAILURE)
>>
>> which, on one hand, is right - such UNIX user does not exist on the 
>> file server. If I try to access file server as user registered both 
>> in AD domain and file server's local passwd/shadow, I succeed.
>>
>> Does it mean that I have to have all intended users to be registered 
>> as local UNIX users on file server, and, if I plan to manage share 
>> permissions using domain groups, I have to make "mirror" groups 
>> locally as well?
>
> quotation from another of Rowland's e-mails:
> Are your users & groups uidNumber & gidNumber attributes inside the 
> '10000=99999' range ?
>
> Does this question relate to the UIDs/GIDs on Samba AD DC (for domain 
> users/groups) or local UNIX accounts (on file server, for example)?
>
>
> Janis
>

If you are using AD for authentication, you can ignore local Unix 
accounts; all your users should be in AD apart from at least one local 
AD user (which can't be in AD) just in case something catastrophic happens.

Just use AD users and extend them to be Unix users and set up Linux to 
use them.

Rowland
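The range question above concerns the idmap range a member server is configured with: with the `ad` idmap backend, winbind only hands out ids whose AD `uidNumber`/`gidNumber` fall inside `idmap config DOMAIN : range`, and a user outside it cannot be mapped to a system user. The following POSIX sh check is an added example, not code from the thread or the Samba project; the smb.conf fragment, the domain name `DOMAIN` and the passwd-style lines are all constructed.

```shell
#!/bin/sh
# Constructed smb.conf fragment for an AD member server (assumed values).
# The per-domain range must hold every uidNumber/gidNumber set in AD, and
# must not overlap the '*' range that the tdb backend allocates from.
SMB_CONF_SAMPLE='[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN.EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-99999
   winbind nss info = rfc2307'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" of that domain's idmap range.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F'=' '
        /idmap config/ && /range/ {
            lhs = $1; sub(/^[ \t]*idmap config[ \t]*/, "", lhs)
            sub(/[ \t]*:.*$/, "", lhs)          # lhs is now the domain name
            if (lhs == dom) { split($2, r, "-"); gsub(/[ \t]/, "", r[1])
                              gsub(/[ \t]/, "", r[2]); print r[1], r[2] }
        }'
}

# uid_in_domain_range CONF DOMAIN UID -> true if UID lies in the domain range.
uid_in_domain_range() {
    set -- "$1" "$2" "$3" $(idmap_range "$1" "$2")
    [ -n "$4" ] && [ "$3" -ge "$4" ] && [ "$3" -le "$5" ]
}

# ranges_overlap CONF DOM1 DOM2 -> true if the two ranges overlap (a misconfig).
ranges_overlap() {
    set -- $(idmap_range "$1" "$2") $(idmap_range "$1" "$3")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_entry CONF DOMAIN PASSWD_LINE -> prints ok / empty / out-of-range.
# PASSWD_LINE is what `getent passwd 'DOMAIN\user'` returns; an empty line
# means NSS cannot resolve the user at all, the situation behind the error.
check_entry() {
    [ -n "$3" ] || { echo empty; return 1; }
    uid=$(printf '%s' "$3" | cut -d: -f3)
    if uid_in_domain_range "$1" "$2" "$uid"; then echo ok; else echo out-of-range; return 1; fi
}

# Constructed getent-style lines: uidNumber 10500 (inside) and 500 (outside).
echo "jdoe: $(check_entry "$SMB_CONF_SAMPLE" DOMAIN 'DOMAIN\jdoe:*:10500:10513::/home/DOMAIN/jdoe:/bin/bash')"
echo "svc:  $(check_entry "$SMB_CONF_SAMPLE" DOMAIN 'DOMAIN\svc:*:500:500::/home/DOMAIN/svc:/bin/false')"
echo "none: $(check_entry "$SMB_CONF_SAMPLE" DOMAIN '')"
ranges_overlap "$SMB_CONF_SAMPLE" '*' DOMAIN && echo "ranges overlap" || echo "ranges disjoint"
```

On a live member server, feed `testparm -s` output and `getent passwd 'DOMAIN\user'` into the same functions instead of the constructed values.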
