[Samba] FW: kerberos nfs4's principals and root access

Rowland Penny rpenny at samba.org
Tue Aug 2 14:37:24 UTC 2016


On Tue, 2 Aug 2016 16:02:41 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:

> ** I truncated my initial mail below for size reasons **
> 
> I've tried your tips but nothing is better.... AD users can still
> access the share (phew !!), but local users no longer can.
> 
> I can't find where it blocks....
> 
> Thanks for your help, Louis,
> 
> Greetz,
> Bruno
> 
> On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
> >
> > You keep 2 ranges.
> >
> > One for the “local (linux) users”
> >
> >     idmap config *:backend = tdb
> >
> >     idmap config *:range = 11-9999

Please don't use 'range = 11-9999'; it will not do what you think it
will do. The '*' range is used for the 'BUILTIN' users & groups etc., so
if you have system users or groups that use an ID in the range
11-1000, they will conflict with the Windows well-known SIDs.

You can have local Unix users & groups, you can have AD domain users &
groups, you can make an AD domain user or group into a Unix user or
group by adding RFC2307 attributes, but what you cannot do, is to have
the same user or group name in both /etc/passwd or /etc/group and AD
i.e. www-data can exist in /etc/passwd but it cannot be in AD at the
same time.

To use Kerberos, you need an SPN or UPN, and this (as far as a Samba AD DC
is concerned) needs to be stored in AD, so if the user isn't in AD, it
cannot use Kerberos.

Rowland
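The two conflicts Rowland describes above (local UIDs/GIDs that fall inside the '*' idmap range, and a name that exists both in /etc/passwd or /etc/group and in AD) can be checked mechanically before winbind is pointed at the domain. The script below is an added example written for this thread, not code from the Samba project or from any poster. The smb.conf fragments, the passwd/group lines and the set of AD names are all constructed sample data, and the "safe" range 3000-7999 is only an assumed illustrative value chosen to sit above every local ID in the sample, not a recommendation from the thread.

```python
"""Flag local accounts that collide with a Samba '*' idmap range or with AD names.

Added example for the thread above; all sample data is constructed.
"""
import re

# Constructed smb.conf fragment using the range Rowland warns against.
SMB_CONF_BAD = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 11-9999
"""

# Constructed fragment with an assumed range above every local ID in the sample.
SMB_CONF_SAFE = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
"""

# Constructed /etc/passwd and /etc/group excerpts.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bruno:x:1000:1000:Bruno:/home/bruno:/bin/bash
nfsuser:x:1500:1500::/home/nfsuser:/bin/bash
"""
GROUP = """root:x:0:
www-data:x:33:
users:x:100:
"""

# Constructed set of sAMAccountNames assumed to exist in AD (an assumption).
AD_NAMES = {"www-data", "nfsuser", "Domain Users"}

# Matches "idmap config <domain> : range = <lo>-<hi>" (spaces around ':' optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf):
    """Return {domain: (lo, hi)} for every idmap range line in the config text."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_id_file(text):
    """Parse passwd/group style lines into {name: numeric id} (field 3 is uid/gid)."""
    ids = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[fields[0]] = int(fields[2])
    return ids


def ids_in_star_range(ranges, local_ids):
    """Names whose local uid/gid lies inside the '*' range winbind allocates from."""
    if "*" not in ranges:
        return []
    lo, hi = ranges["*"]
    return sorted(name for name, num in local_ids.items() if lo <= num <= hi)


def name_collisions(local_names, ad_names):
    """Names present both locally and in AD, which Rowland says cannot coexist."""
    return sorted(set(local_names) & set(ad_names))


def check(conf, passwd, group, ad_names):
    """Run both checks and return the findings as a dict of sorted lists."""
    ranges = parse_idmap_ranges(conf)
    users = parse_id_file(passwd)
    groups = parse_id_file(group)
    return {
        "star_range": ranges.get("*"),
        "users_in_star_range": ids_in_star_range(ranges, users),
        "groups_in_star_range": ids_in_star_range(ranges, groups),
        "name_collisions": name_collisions(set(users) | set(groups), ad_names),
    }


if __name__ == "__main__":
    for label, conf in (("bad", SMB_CONF_BAD), ("safe", SMB_CONF_SAFE)):
        print(label, check(conf, PASSWD, GROUP, AD_NAMES))
```

On a real host you would feed it the contents of /etc/smb.conf (or `testparm -s` output), /etc/passwd and /etc/group, and a name list pulled from the domain; any entry in the first two lists means a local ID sits where winbind may hand out a mapping for a BUILTIN or domain object, and any entry in the third is a name that must be removed from one side before Kerberos and NFSv4 identity mapping can behave consistently.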
