[Samba] Automatic creation of local users

dadoo dadoo dadoo3002 at yahoo.com
Mon Dec 19 21:46:21 UTC 2016 

I’ve actually found a solution to my problem, but I wanted to post it here, since someone else might have the problem in the future, and I think it would be nice if I could spare them the week of Googling I needed.

Basically, I have an AD member server, running Samba 4.2.10 (on Centos 7.2.1511). Here’s my smb.conf:

[global]
        workgroup = SUBDOMAIN
        server string = Samba Server Version %v
        netbios name = SERVER
        server signing = mandatory
       client signing = mandatory
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = idmap:10 auth:10
        security = ADS
        realm = SUBDOMAIN.MYDOMAIN.COM
        encrypt passwords = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind normalize names = yes
        guest account = pcguest
        idmap config *:backend = tdb
        idmap config *:range = 30000 - 40000
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
       idmap config SUBDOMAIN:range = 1000 - 20000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        preferred master = no
        name resolve order = bcast host lmhosts
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        wide links = yes
        unix extensions = no
[images]
        comment = Images
        path = /u1/images
        writable = yes
        read only = no
        case sensitive = True
        default case = lower
        preserve case = no
        short preserve case = no
        wide links = yes
        create mask = 664
        directory mask = 775

(I’m guessing some of that is unnecessary, since this is actually a hacked-up Samba 3 configuration I carried over from an earlier server.)

When I tried to map a drive, I’d get a username/password prompt from Windows, even though I was logged in as a valid domain user. In the Samba logs, I’d get:

[2016/12/16 13:24:21.264668,  5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2016/12/16 13:24:21.264673,  5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method ntdomain has a valid init
[2016/12/16 13:24:21.264679,  5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2016/12/16 13:24:21.391184,  3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at SUBDOMAIN.MYDOMAIN.COM]
[2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
  Domain is [SUBDOMAIN] (using PAC)
[2016/12/16 13:24:22.630245,  3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SUBDOMAIN\myuser is invalid on this system

It occurred to me that the username I was using didn’t exist on this system, yet, since I hadn’t connected to it before, so I tried creating the user manually (using “useradd” on the Samba server). Then, I was able to connect. I didn’t believe Samba wouldn’t automatically create the users for you, so I kept looking, and finally came across this post:

https://lists.samba.org/archive/samba/2013-February/171720.html

When I commented out the “idmap config SUBDOMAIN:range = 1000 – 20000” line, I was able to connect, even with a username that didn’t already exist on the Samba server.

More information about the samba mailing list