[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:28:29 MDT 2015


On 05/04/15 19:42, jd at ionica.lv wrote:
> I am sorry for many P.S.
>
>>> When domain user tries to access file server (samba4, member of AD 
>>> domain)
>>> server logs such error:
>>>
>>> 2015/04/05 21:13:01.095178,  1] 
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>> Username DOMAINwusername is invalid on this system
>>>
>>> [2015/04/05 21:13:01.095200,  1] 
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>> Failed to map kerberos principal to system user 
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>> which, on one hand, is right - such UNIX user does not exist on the 
>>> file server. If I try to access file server as user registered both 
>>> in AD domain and file server's local passwd/shadow, I succeed.
>>>
>>> Does it mean that I have to have all intended users to be registered 
>>> as local UNIX users on file server, and, if I plan to manage share 
>>> permissions using domain groups, I have to make "mirror" groups 
>>> locally as well?
>>
>> quotation from another Rowland's e-mail:
>> Are your users & groups uidNumber & gidNumber attributes inside the 
>> '10000=99999' range ?
>>
>> Does this question relate to the UIDs/GIDs on Samba AD DC (for 
>> domain users/groups) or local UNIX accounts (on file server, for 
>> example)?
>
> getent group lists only local groups;

'getent group' only shows local groups, whilst 'getent group adgroup' 
should show the info for the 'adgroup'
> getent passwd shows list of local users, freezes for a while and exits;

This is possibly because you may have (somehow) the same username in AD 
and /etc/passwd

> id user shows user info if it exists locally.

On an AD joined machine id should show user info if the user exists in 
AD and has the required rfc2307 attributes.

Rowland

>
> Janis
>
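A small diagnostic, added here as an example and not code from the thread, that classifies an account the way the reply above reasons about it: purely local, resolved from AD through NSS with a uidNumber inside the idmap range, resolved but outside the range, unresolved (no usable rfc2307 attributes), or the same name present both in /etc/passwd and AD. The passwd text, the getent line and the 10000-99999 range are constructed inputs so it runs offline; on a real member server you would pass /etc/passwd and the output of `getent passwd "$user"`.

```shell
#!/bin/sh
# Added example, not code from the thread: classify how an AD member server
# resolves an account. All inputs are strings so the script runs offline.

# classify_user NAME PASSWD_TEXT GETENT_LINE RANGE_LOW RANGE_HIGH
# Prints one of: local | ad | ad-out-of-range | unresolved | conflict
classify_user() {
    cu_name=$1 cu_passwd=$2 cu_nss=$3 cu_low=$4 cu_high=$5
    # Is the name a local UNIX account? ENVIRON is used instead of awk -v so
    # the backslash in the DOMAIN\user form is not mangled as an escape.
    if printf '%s\n' "$cu_passwd" |
        CU_NAME=$cu_name awk -F: '$1 == ENVIRON["CU_NAME"] { f = 1 } END { exit !f }'
    then cu_local=1; else cu_local=0; fi

    if [ -z "$cu_nss" ]; then
        # NSS returned nothing: either a purely local user, or an AD user that
        # winbind cannot map (no usable uidNumber/gidNumber), which is the
        # "Username ... is invalid on this system" case from the log.
        [ "$cu_local" -eq 1 ] && echo local || echo unresolved
        return
    fi
    if [ "$cu_local" -eq 1 ]; then
        # Same name in /etc/passwd and in AD: the duplicate-name case the
        # reply suspects behind the hanging 'getent passwd'.
        echo conflict; return
    fi
    cu_uid=$(printf '%s\n' "$cu_nss" | cut -d: -f3)
    # The mapped uid must lie inside the domain's idmap range (assumed here to
    # be the 10000-99999 range asked about above).
    if [ "$cu_uid" -ge "$cu_low" ] && [ "$cu_uid" -le "$cu_high" ]; then
        echo ad
    else
        echo ad-out-of-range
    fi
}

# Constructed sample data (not taken from the thread).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
janis:x:1000:1000::/home/janis:/bin/sh'
classify_user janis "$SAMPLE_PASSWD" '' 10000 99999
classify_user 'DOMAIN\adam' "$SAMPLE_PASSWD" \
    'DOMAIN\adam:*:10005:10001::/home/DOMAIN/adam:/bin/false' 10000 99999
```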