[Samba] Samba as AD member can not validate domain user

Sun Apr 5 14:42:08 MDT 2015

Greetings, Rowland Penny!

>>> When domain user tries to access file server (samba4, member of AD
>>> domain)
>>> server logs such error:
>>>
>>> 2015/04/05 21:13:01.095178,  1] 
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>> Username DOMAINwusername is invalid on this system
>>>
>>> [2015/04/05 21:13:01.095200,  1] 
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>> Failed to map kerberos principal to system user 
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>> which, on one hand, is right - such UNIX user does not exist on the 
>>> file server. If I try to access file server as user registered both 
>>> in AD domain and file server's local passwd/shadow, I succed.
>>>
>>> Does it mean that I have to have all intended users to be registered 
>>> as local UNIX users on file server, and, if I plan to manage share 
>>> permissions using domain groups, I have to make "mirror" groups 
>>> locally as well?
>>
>> quotation form another Rowland's e-mail:
>> Are your users & groups uidNumber & gidNumber attributes inside the 
>> '10000=99999' range ?
>>
>> Does this question relates to the UIDs/GIDs on Samba AD DC (for domain 
>> users/groups) or local UNIX accounts (on file server, for example)?
>>
>>
>> Janis
>>

> If you are using AD for authentication, you can ignore local Unix 
> accounts, all your users should be in AD apart from at least one local 
> AD user (which can't be in AD) just in case something catastrophic happens.

> Just use AD users and extend them to be Unix users and set up Linux to 
> use them.

For cases of catastrophic happenings, it is worth setting up sshd with
AllowRootLogin without-password and an appropriate public key preloaded to a
root account.
In case of AD DC, it is a VERY good idea to RESTRICT access to the ssh server
to only local subnet range.

-- 
With best regards,
Andrey Repin
Sunday, April 5, 2015 23:29:15

Sorry for my terrible english...