[Samba] Samba as AD member can not validate domain user

Andrey Repin anrdaemon at yandex.ru
Sun Apr 5 13:24:17 MDT 2015

Greetings, jd at ionica.lv!

>> When domain user tries to access file server (samba4, member of AD domain)
>> server logs such error:
>> 2015/04/05 21:13:01.095178,  1]  
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>> [2015/04/05 21:13:01.095200,  1]  
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>> which, on one hand, is right - such UNIX user does not exist on the
>> file server. If I try to access file server as user registered both
>> in AD domain and file server's local passwd/shadow, I succeed.
>> Does it mean that I have to have all intended users to be registered
>> as local UNIX users on file server, and, if I plan to manage share
>> permissions using domain groups, I have to make "mirror" groups
>> locally as well?

> quotation from another of Rowland's e-mails:
> Are your users & groups uidNumber & gidNumber attributes inside the
> '10000=99999' range ?

> Does this question relate to the UIDs/GIDs on Samba AD DC (for domain
> users/groups) or local UNIX accounts (on file server, for example)?

It is related to both, assuming you are using idmap backend ad or similar.
Please refer to previous thread on the same subject (and my very recent email
explaining the judgmental diagnostic).

With best regards,
Andrey Repin
Sunday, April 5, 2015 22:22:18

Sorry for my terrible English...
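As an added illustration of the range check Rowland's quoted question is about (not code from this thread or from the Samba project): with `idmap config DOMAIN : backend = ad`, winbind only maps accounts whose uidNumber/gidNumber fall inside the configured range, and an unmapped account produces exactly the "Username DOMAIN\username is invalid on this system" failure seen above. The smb.conf fragment and the AD attribute values below are constructed for the example.

```python
import re

# Constructed smb.conf fragment for an AD member server using the "ad" idmap
# backend (assumed configuration, not the poster's actual file).
SMB_CONF = """
[global]
   security = ADS
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999
   winbind nss info = rfc2307
"""

# Constructed rfc2307 attributes for three AD accounts.
AD_USERS = {
    "alice": {"uidNumber": 10005, "gidNumber": 10000},
    "bob":   {"uidNumber": 5000,  "gidNumber": 10000},  # uid outside the domain range
    "carol": {},                                        # no uidNumber/gidNumber set at all
}

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range = a-b' line."""
    pat = r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, conf, re.I)}

def check_user(domain, name, attrs, ranges):
    """Say whether winbind (backend = ad) can map DOMAIN\\name to a UNIX account."""
    low, high = ranges[domain.upper()]
    uid, gid = attrs.get("uidNumber"), attrs.get("gidNumber")
    if uid is None or gid is None:
        return (False, f"{domain}\\{name}: no uidNumber/gidNumber in AD, not mapped")
    for label, value in (("uidNumber", uid), ("gidNumber", gid)):
        if not low <= value <= high:
            return (False, f"{domain}\\{name}: {label} {value} outside range {low}-{high}")
    return (True, f"{domain}\\{name}: maps to uid {uid} gid {gid}")

def audit(conf=SMB_CONF, users=AD_USERS, domain="EXAMPLE"):
    """Audit every account; refuse to guess if the '*' and domain ranges overlap."""
    ranges = parse_idmap_ranges(conf)
    star, dom = ranges["*"], ranges[domain.upper()]
    if max(star[0], dom[0]) <= min(star[1], dom[1]):
        raise ValueError("idmap ranges overlap: fix smb.conf before diagnosing users")
    return {name: check_user(domain, name, attrs, ranges) for name, attrs in users.items()}
```

Accounts reported as not mapped are the ones that will fail at the Kerberos-principal-to-UNIX-user step, so fixing their attributes (or the range) in AD is the cure, not mirroring them in local passwd/shadow.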
