[Samba] Samba as AD member can not validate domain user
Andrey Repin
anrdaemon at yandex.ru
Sun Apr 5 14:42:08 MDT 2015
Greetings, Rowland Penny!
>>> When domain user tries to access file server (samba4, member of AD
>>> domain)
>>> server logs such error:
>>>
>>> [2015/04/05 21:13:01.095178, 1]
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>> Username DOMAINwusername is invalid on this system
>>>
>>> [2015/04/05 21:13:01.095200, 1]
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>> Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>> which, on one hand, is right - such a UNIX user does not exist on the
>>> file server. If I try to access the file server as a user registered both
>>> in the AD domain and in the file server's local passwd/shadow, I succeed.
>>>
>>> Does it mean that I have to have all intended users registered
>>> as local UNIX users on the file server, and, if I plan to manage share
>>> permissions using domain groups, I have to make "mirror" groups
>>> locally as well?
>>
>> quotation from another of Rowland's e-mails:
>> Are your users & groups uidNumber & gidNumber attributes inside the
>> '10000=99999' range ?
>>
>> Does this question relate to the UIDs/GIDs on the Samba AD DC (for domain
>> users/groups) or to local UNIX accounts (on the file server, for example)?
>>
>>
>> Janis
>>
> If you are using AD for authentication, you can ignore local Unix
> accounts, all your users should be in AD apart from at least one local
> AD user (which can't be in AD) just in case something catastrophic happens.
> Just use AD users and extend them to be Unix users and set up Linux to
> use them.
For cases of catastrophic happenings, it is worth setting up sshd with
AllowRootLogin without-password and an appropriate public key preloaded into
the root account.
In the case of an AD DC, it is a VERY good idea to RESTRICT access to the ssh
server to only the local subnet range.
--
With best regards,
Andrey Repin
Sunday, April 5, 2015 23:29:15
Sorry for my terrible english...
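As an added example (not from this thread or from the Samba project), here is an smb.conf for an AD member server that extends AD users to UNIX users through winbind, which is what avoids the "Username ... is invalid on this system" error above without keeping local passwd entries. It assumes the workgroup EXAMPLE, the realm EXAMPLE.COM, and AD users and groups carrying uidNumber/gidNumber inside the 10000-99999 range mentioned in the quoted question.

```ini
; Added example, not from the thread: smb.conf for a Samba AD member server.
; Assumed names: workgroup EXAMPLE, realm EXAMPLE.COM.
; Assumed AD data: users/groups have uidNumber/gidNumber in 10000-99999.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   ; Default domain (BUILTIN and local SIDs): allocate IDs from a tdb range
   ; that must not overlap the AD range configured below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; AD domain: read uidNumber/gidNumber from the directory (RFC2307
   ; attributes) instead of allocating them on this server, so every
   ; member server sees the same IDs for the same user.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999

   ; Also take loginShell and unixHomeDirectory from AD.
   winbind nss info = rfc2307
   ; Let users log in as "username" instead of "EXAMPLE\username".
   winbind use default domain = yes

; /etc/nsswitch.conf must list winbind after files for passwd and group:
;   passwd: files winbind
;   group:  files winbind
; Without that, winbind resolves the SID but the Kerberos principal still
; cannot be mapped to a system user, which is the failure in the log above.
```

After joining the domain and restarting winbind, `wbinfo -u` should list the AD users and `getent passwd username` / `id username` should return the uidNumber and group memberships stored in AD; a user without uidNumber/gidNumber in that range will not resolve.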