[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:28:29 MDT 2015

On 05/04/15 19:42, jd at ionica.lv wrote:
> I am sorry for many P.S.
>>> When domain user tries to access file server (samba4, member of AD 
>>> domain)
>>> server logs such error:
>>> [2015/04/05 21:13:01.095178,  1] 
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>> Username DOMAINwusername is invalid on this system
>>> [2015/04/05 21:13:01.095200,  1] 
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>> Failed to map kerberos principal to system user 
>>> which, on the one hand, is right - such a UNIX user does not exist on the 
>>> file server. If I try to access the file server as a user registered both 
>>> in the AD domain and in the file server's local passwd/shadow, I succeed.
>>> Does it mean that I have to have all intended users registered 
>>> as local UNIX users on the file server, and, if I plan to manage share 
>>> permissions using domain groups, that I have to make "mirror" groups 
>>> locally as well?
>> quotation from another of Rowland's e-mails:
>> Are your users & groups uidNumber & gidNumber attributes inside the 
>> '10000-99999' range ?
>> Does this question relate to the UIDs/GIDs on the Samba AD DC (for 
>> domain users/groups) or to local UNIX accounts (on the file server, for 
>> example)?
> getent group lists only local groups;

'getent group' only shows local groups, whilst 'getent group adgroup' 
should show the info for the 'adgroup'
> getent passwd shows a list of local users, freezes for a while and exits;

This is possibly because you may have (somehow) the same username in AD 
and /etc/passwd.

> id user shows user info if it exists locally.

On an AD joined machine id should show user info if the user exists in 
AD and has the required rfc2307 attributes.


> Janis
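The three things Rowland's reply turns on (whether nsswitch routes lookups through winbind, whether the AD accounts' uidNumber/gidNumber sit inside the idmap range, and whether a login name exists both locally and in AD) can be checked from plain listings. The script below is an added example, not code from this thread or from Samba; the nsswitch.conf contents, the local passwd lines, the AD entries, the name DOMAIN and the 10000-99999 range are all constructed, and stripping the DOMAIN\ prefix before comparing names models the case where `winbind use default domain = yes` is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Offline checks for an
# AD member server that fails to map domain users:
#   1. nsswitch.conf must route passwd/group lookups through winbind,
#   2. AD accounts need uidNumber/gidNumber inside the idmap range,
#   3. a login name must not exist both in /etc/passwd and in AD.
# Every input below is a constructed sample, not data from the thread.

# Constructed /etc/nsswitch.conf (assumed); shadow deliberately lacks winbind.
NSSWITCH='passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns'

# Constructed local /etc/passwd (assumed names and ids).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
janis:x:1001:1001:Janis:/home/janis:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Constructed output of `getent passwd 'DOMAIN\user'` for three AD users.
# DOMAIN, the names and the ids are assumptions; bob's uid is out of range.
AD_PASSWD='DOMAIN\janis:*:10005:10000::/home/DOMAIN/janis:/bin/bash
DOMAIN\alice:*:10021:10000::/home/DOMAIN/alice:/bin/bash
DOMAIN\bob:*:5000:10000::/home/DOMAIN/bob:/bin/bash'

# The range quoted in the thread, as it would appear in smb.conf:
#   idmap config DOMAIN : range = 10000-99999
RANGE_LO=10000
RANGE_HI=99999

# Exit 0 if nsswitch database $2 (passwd, group, ...) lists winbind in $1.
nss_uses_winbind() {
  printf '%s\n' "$1" | awk -v db="$2" '
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print "name uid gid" for each entry in listing $3 whose uid or gid falls
# outside [$1, $2]; winbind cannot map such an account with that range.
ids_out_of_range() {
  printf '%s\n' "$3" | awk -F: -v lo="$1" -v hi="$2" '
    $3 < lo || $3 > hi || $4 < lo || $4 > hi { print $1, $3, $4 }'
}

# Print login names present in both the local listing $1 and the AD listing
# $2. The DOMAIN\ prefix is stripped first, which is the name winbind exposes
# when "winbind use default domain = yes" is set.
name_collisions() {
  {
    printf '%s\n' "$1" | awk -F: '{ print "L", $1 }'
    printf '%s\n' "$2" | awk -F: '{
      n = $1; i = index(n, "\\"); if (i) n = substr(n, i + 1); print "A", n }'
  } | awk '$1 == "L" { seen[$2] = 1; next } ($2 in seen) { print $2 }'
}

# Report on the constructed samples.
for db in passwd group; do
  if nss_uses_winbind "$NSSWITCH" "$db"; then
    echo "nsswitch $db: winbind present"
  else
    echo "nsswitch $db: winbind MISSING"
  fi
done
echo "AD entries outside idmap range $RANGE_LO-$RANGE_HI:"
ids_out_of_range "$RANGE_LO" "$RANGE_HI" "$AD_PASSWD"
echo "Login names defined both locally and in AD:"
name_collisions "$LOCAL_PASSWD" "$AD_PASSWD"
```

On a real member server the constructed strings would be replaced by the output of `cat /etc/nsswitch.conf`, `getent passwd` (or `cat /etc/passwd`) and, for each name from `wbinfo -u`, `getent passwd 'DOMAIN\user'`. The uidNumber/gidNumber requirement applies to the `ad` idmap backend, which reads those rfc2307 attributes from AD; the `rid` backend derives ids from the SID and needs no attributes, but the range check still applies.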
