[Samba] Automatic creation of local users

Rowland Penny rpenny at samba.org
Mon Dec 19 23:01:21 UTC 2016


On Mon, 19 Dec 2016 21:46:21 +0000 (UTC)
dadoo dadoo via samba <samba at lists.samba.org> wrote:

> 
> I’ve actually found a solution to my problem, but I wanted to post it
> here, since someone else might have the problem in the future, and I
> think it would be nice if I could spare them the week of Googling I
> needed.
> 
> Basically, I have an AD member server, running Samba 4.2.10 (on
> Centos 7.2.1511). Here’s my smb.conf:
> 
> [global]
>         workgroup = SUBDOMAIN
>         server string = Samba Server Version %v
>         netbios name = SERVER
>         server signing = mandatory
>         client signing = mandatory
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         log level = idmap:10 auth:10
>         security = ADS
>         realm = SUBDOMAIN.MYDOMAIN.COM
>         encrypt passwords = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind normalize names = yes
>         guest account = pcguest
>         idmap config *:backend = tdb
>         idmap config *:range = 30000 - 40000
>         idmap config SUBDOMAIN:backend = ad
>         idmap config SUBDOMAIN:schema_mode = rfc2307
>         idmap config SUBDOMAIN:range = 1000 - 20000
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         preferred master = no
>         name resolve order = bcast host lmhosts
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>         wide links = yes
>         unix extensions = no
> [images]
>         comment = Images
>         path = /u1/images
>         writable = yes
>         read only = no
>         case sensitive = True
>         default case = lower
>         preserve case = no
>         short preserve case = no
>         wide links = yes
>         create mask = 664
>         directory mask = 775
> 
> (I’m guessing some of that is unnecessary, since this is actually a
> hacked-up Samba 3 configuration I carried over from an earlier
> server.)
> 
> When I tried to map a drive, I’d get a username/password prompt from
> Windows, even though I was logged in as a valid domain user. In the
> Samba logs, I’d get:
> 
> [2016/12/16 13:24:21.264668,  5, pid=19073, effective(0, 0), real(0,
> 0), class=auth] ../source3/auth/auth.c:378(load_auth_module)
> load_auth_module: Attempting to find an auth method to match ntdomain
> [2016/12/16 13:24:21.264673,  5, pid=19073, effective(0, 0), real(0,
> 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
> load_auth_module: auth method ntdomain has a valid init [2016/12/16
> 13:24:21.264679,  5, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:403(load_auth_module)
> load_auth_module: auth method winbind has a valid init [2016/12/16
> 13:24:21.391184,  3, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [myuser at SUBDOMAIN.MYDOMAIN.COM]
> [2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0,
> 0),
> class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
> Domain is [SUBDOMAIN] (using PAC) [2016/12/16 13:24:22.630245,  3,
> pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username SUBDOMAIN\myuser is invalid on this system
> 
> It occurred to me that the username I was using didn’t exist on this
> system, yet, since I hadn’t connected to it before, so I tried
> creating the user manually (using “useradd” on the Samba server).
> Then, I was able to connect. I didn’t believe Samba wouldn’t
> automatically create the users for you, so I kept looking, and
> finally came across this post:
> 
> https://lists.samba.org/archive/samba/2013-February/171720.html
> 
> When I commented out the “idmap config SUBDOMAIN:range = 1000 -
> 20000” line, I was able to connect, even with a username that didn’t
> already exist on the Samba server.
> 
> 

My guess is that, even though you have set up the domain member to use
the winbind 'ad' backend, you haven't given your users a uidNumber
inside '1000-20000' and/or given Domain Users a gidNumber inside the
same range. If your domain user doesn't seem to exist on the domain
member, it is down to a misconfiguration; when you removed the line,
your user got mapped by 'idmap config *:range = 30000 - 40000'. Please
note that any user that is in AD shouldn't exist in /etc/passwd as
well.

Rowland
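The failure described in this thread comes down to whether a domain user's rfc2307 attributes fall inside the range winbind has been told to use for that domain. The following script is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines out of an smb.conf fragment (a constructed copy of the idmap lines from the post) and, given the uidNumber and the primary group's gidNumber as they would be stored in AD (constructed values), reports whether the `ad` backend can map the user or whether the account will show up as unmapped. It also shows the fallback Rowland describes: with the per-domain range line commented out, the user is handled by the default `*` backend. The `classify_user` helper and its reasoning about the fallback are this example's own simplification of winbind behaviour, not Samba's actual code path.

```python
import re

# Constructed smb.conf fragment: the idmap lines from the original post.
SMB_CONF = """
[global]
        workgroup = SUBDOMAIN
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 30000 - 40000
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 1000 - 20000
"""

# Same fragment with the per-domain range commented out, as the poster did.
SMB_CONF_NO_RANGE = SMB_CONF.replace(
    "        idmap config SUBDOMAIN:range", "#       idmap config SUBDOMAIN:range")

# Matches 'idmap config <domain>:<key> = <value>'; lines starting with
# '#' or ';' are comments and deliberately do not match.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)


def parse_idmap(conf):
    """Return {DOMAIN: {key: value}} for every active 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text):
    """Turn '1000 - 20000' into (1000, 20000), rejecting inverted ranges."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text!r}")
    return lo, hi


def classify_user(cfg, domain, uid_number, primary_gid_number):
    """Decide how winbind would map a user of `domain` (simplified model).

    uid_number / primary_gid_number are the rfc2307 attributes from AD, or
    None when the attribute is not set on the object.
    """
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() == "ad" and "range" in dom:
        rng = parse_range(dom["range"])
        problems = []
        if uid_number is None:
            problems.append("user has no uidNumber in AD")
        elif not rng[0] <= uid_number <= rng[1]:
            problems.append(f"uidNumber {uid_number} outside {rng[0]}-{rng[1]}")
        if primary_gid_number is None:
            problems.append("primary group has no gidNumber in AD")
        elif not rng[0] <= primary_gid_number <= rng[1]:
            problems.append(
                f"gidNumber {primary_gid_number} outside {rng[0]}-{rng[1]}")
        # With the 'ad' backend nothing is allocated: either the attributes
        # are usable or the user is invalid on this member.
        return {"backend": "ad", "mapped": not problems, "problems": problems}

    # No usable per-domain configuration: fall back to the default '*'
    # backend, which allocates ids from its own range (tdb in this config).
    default = cfg.get("*", {})
    if "range" in default:
        lo, hi = parse_range(default["range"])
        return {"backend": default.get("backend", "unknown").lower(),
                "mapped": True,
                "problems": [f"id allocated from default range {lo}-{hi}, "
                             "not from the AD attributes"]}
    return {"backend": None, "mapped": False,
            "problems": ["no idmap range configured for the domain or '*'"]}


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    # Constructed cases: a correctly populated user, one with no attributes,
    # and the poster's situation with the range line commented out.
    for label, conf, uid, gid in [
            ("attributes in range", SMB_CONF, 1500, 1001),
            ("no rfc2307 attributes", SMB_CONF, None, None),
            ("range line commented out", SMB_CONF_NO_RANGE, None, None)]:
        print(label, "->", classify_user(parse_idmap(conf), "SUBDOMAIN", uid, gid))
```

The practical check on a real member server is the same idea: confirm the user's uidNumber and the primary group's gidNumber in AD sit inside the domain's `idmap config ... : range`, and keep the `*` range disjoint from it so that a fallback mapping cannot collide with an AD-assigned id.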


