[Samba] Samba as AD member can not validate domain user
anrdaemon at yandex.ru
Sun Apr 5 14:42:08 MDT 2015
Greetings, Rowland Penny!
>>> When a domain user tries to access the file server (samba4, member of AD),
>>> the server logs such an error:
>>> [2015/04/05 21:13:01.095178, 1]
>>> Username DOMAINwusername is invalid on this system
>>> [2015/04/05 21:13:01.095200, 1]
>>> Failed to map kerberos principal to system user
>>> which, on one hand, is right - such a UNIX user does not exist on the
>>> file server. If I try to access the file server as a user registered both
>>> in the AD domain and the file server's local passwd/shadow, I succeed.
>>> Does it mean that I have to have all intended users registered
>>> as local UNIX users on the file server, and, if I plan to manage share
>>> permissions using domain groups, I have to make "mirror" groups
>>> locally as well?
>> quotation from another Rowland's e-mail:
>> Are your users & groups uidNumber & gidNumber attributes inside the
>> '10000=99999' range ?
>> Does this question relate to the UIDs/GIDs on the Samba AD DC (for domain
>> users/groups) or to local UNIX accounts (on the file server, for example)?
> If you are using AD for authentication, you can ignore local Unix
> accounts, all your users should be in AD apart from at least one local
> AD user (which can't be in AD) just in case something catastrophic happens.
> Just use AD users and extend them to be Unix users and set up Linux to
> use them.
For cases of catastrophic happenings, it is worth setting up sshd with
AllowRootLogin without-password and an appropriate public key preloaded to a
In the case of an AD DC, it is a VERY good idea to RESTRICT access to the ssh server
to the local subnet range only.
With best regards,
Sunday, April 5, 2015 23:29:15
Sorry for my terrible English...
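The setup Rowland describes (AD users extended with RFC2307 uidNumber/gidNumber inside the 10000-99999 range, and the member server resolving them through winbind) is what makes the "Failed to map kerberos principal to system user" error go away: the Kerberos principal then resolves to a Unix identity taken from AD instead of from local passwd. The smb.conf fragment below is an added example for the member file server, not from the thread; EXAMPLE.COM, EXAMPLE, the share path and the "Domain Users" group are assumed placeholders.

```ini
# Added example (not from the thread): smb.conf for a Samba AD member file server
# that maps AD users to Unix identities via winbind and RFC2307 attributes.
# EXAMPLE.COM / EXAMPLE are assumed; replace with the real realm and NetBIOS domain.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   # Keytab used to validate the Kerberos tickets domain users present
   kerberos method = secrets and keytab

   # Default idmap for BUILTIN and unknown domains; must not overlap the
   # domain range below, or winbind will refuse to map anything.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Domain users/groups: read uidNumber/gidNumber from AD (RFC2307 schema).
   # An AD user whose uidNumber lies in this range becomes a Unix user with no
   # local passwd entry; users without the attribute, or outside the range,
   # are NOT mapped and will still fail with "invalid on this system".
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999

   # Login shell / home directory also from AD (loginShell, unixHomeDirectory);
   # the template values apply when the attributes are unset.
   # On newer Samba releases the equivalent is "idmap config EXAMPLE : unix_nss_info = yes".
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%U
   # Lets users appear as "username" instead of "EXAMPLE\username"
   winbind use default domain = yes
   winbind refresh tickets = yes

[share]
   path = /srv/share
   read only = no
   # Share access by AD group: no local "mirror" group is needed, but the AD
   # group must have a gidNumber inside the domain range above.
   valid users = @"Domain Users"
```

/etc/nsswitch.conf additionally needs `passwd: files winbind` and `group: files winbind`; after `net ads join`, `getent passwd 'EXAMPLE\someuser'` and `wbinfo -i 'EXAMPLE\someuser'` should return the AD user with its uidNumber, and an empty result means the attribute is missing or outside the configured range.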