[Samba] Automatic creation of local users
Rowland Penny
rpenny at samba.org
Mon Dec 19 23:01:21 UTC 2016
On Mon, 19 Dec 2016 21:46:21 +0000 (UTC)
dadoo dadoo via samba <samba at lists.samba.org> wrote:
>
> I’ve actually found a solution to my problem, but I wanted to post it
> here, since someone else might have the problem in the future, and I
> think it would be nice if I could spare them the week of Googling I
> needed.
>
> Basically, I have an AD member server, running Samba 4.2.10 (on
> Centos 7.2.1511). Here’s my smb.conf:
>
> [global]
> workgroup = SUBDOMAIN
> server string = Samba Server Version %v
> netbios name = SERVER
> server signing = mandatory
> client signing = mandatory
> log file = /var/log/samba/log.%m
> max log size = 50
> log level = idmap:10 auth:10
> security = ADS
> realm = SUBDOMAIN.MYDOMAIN.COM
> encrypt passwords = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind normalize names = yes
> guest account = pcguest
> idmap config *:backend = tdb
> idmap config *:range = 30000 - 40000
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 1000 - 20000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> preferred master = no
> name resolve order = bcast host lmhosts
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> wide links = yes
> unix extensions = no
> [images]
> comment = Images
> path = /u1/images
> writable = yes
> read only = no
> case sensitive = True
> default case = lower
> preserve case = no
> short preserve case = no
> wide links = yes
> create mask = 664
> directory mask = 775
>
> (I’m guessing some of that is unnecessary, since this is actually a
> hacked-up Samba 3 configuration I carried over from an earlier
> server.)
>
> When I tried to map a drive, I’d get a username/password prompt from
> Windows, even though I was logged in as a valid domain user. In the
> Samba logs, I’d get:
>
> [2016/12/16 13:24:21.264668, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module)
>   load_auth_module: Attempting to find an auth method to match ntdomain
> [2016/12/16 13:24:21.264673, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
>   load_auth_module: auth method ntdomain has a valid init
> [2016/12/16 13:24:21.264679, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
>   load_auth_module: auth method winbind has a valid init
> [2016/12/16 13:24:21.391184, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [myuser at SUBDOMAIN.MYDOMAIN.COM]
> [2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
>   Domain is [SUBDOMAIN] (using PAC)
> [2016/12/16 13:24:22.630245, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   Username SUBDOMAIN\myuser is invalid on this system
>
> It occurred to me that the username I was using didn’t exist on this
> system, yet, since I hadn’t connected to it before, so I tried
> creating the user manually (using “useradd” on the Samba server).
> Then, I was able to connect. I didn’t believe Samba wouldn’t
> automatically create the users for you, so I kept looking, and
> finally came across this post:
>
> https://lists.samba.org/archive/samba/2013-February/171720.html
>
> When I commented out the “idmap config SUBDOMAIN:range = 1000 -
> 20000” line, I was able to connect, even with a username that didn’t
> already exist on the Samba server.
>
>
My guess is that, even though you have set up the domain member to use
the winbind 'ad' backend, you haven't given your users a uidNumber
inside '1000-20000' and/or given Domain Users a gidNumber inside the
same range. If your domain user doesn't seem to exist on the domain
member, it is down to a misconfiguration. When you removed the line,
your user got mapped by 'idmap config *:range = 30000 - 40000'. Please
note that any user that is in AD shouldn't exist in /etc/passwd as
well.
Rowland
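The exchange above comes down to how winbind picks an idmap backend for a user and what the 'ad' backend needs to succeed. The script below is an added example, not code from this thread or from the Samba project: it parses the `idmap config` lines of an smb.conf excerpt and, for a constructed set of AD accounts, reports why winbind could or could not map each one. It assumes the documented rules (a domain-specific `idmap config DOMAIN:` block wins over the `*` default; the `ad` backend takes uid/gid from the AD `uidNumber`/`gidNumber` attributes and never allocates ids itself, so a missing or out-of-range value means the user is "invalid on this system"; allocating backends such as `tdb` hand out ids inside their range). The smb.conf excerpt, the AD attribute values and the /etc/passwd names are all constructed for the example; in practice you would fill the user list from an LDAP query for `uidNumber`/`gidNumber` and the local names from the real /etc/passwd.

```python
import re

# Constructed smb.conf excerpt modelled on the idmap lines in the post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SUBDOMAIN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 30000 - 40000
   idmap config SUBDOMAIN:backend = ad
   idmap config SUBDOMAIN:schema_mode = rfc2307
   idmap config SUBDOMAIN:range = 1000 - 20000
   winbind nss info = rfc2307
[images]
   path = /u1/images
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap_config(conf_text):
    """Return {DOMAIN: {"backend": ..., "range": (lo, hi), ...}} from the
    'idmap config DOMAIN:option = value' lines of the [global] section."""
    result = {}
    in_global = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_global = stripped[1:-1].strip().lower() == "global"
            continue
        if not in_global:
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = result.setdefault(domain, {})
        if option == "range":
            r = RANGE_RE.match(value)
            if not r:
                raise ValueError(f"unparseable idmap range for {domain}: {value!r}")
            entry["range"] = (int(r.group(1)), int(r.group(2)))
        else:
            entry[option] = value
    return result


def idmap_entry_for(idmap, domain):
    """Winbind uses the domain's own idmap block if present, else the '*' default."""
    return idmap.get(domain.upper()) or idmap.get("*")


def check_user(idmap, domain, username, uid_number, gid_number, local_users):
    """Return a list of findings explaining why winbind would fail to map the
    user, or why the setup is wrong anyway. An empty list means the user is OK."""
    name = f"{domain}\\{username}"
    entry = idmap_entry_for(idmap, domain)
    if entry is None:
        return [f"{name}: no idmap config for {domain} and no '*' default block"]
    if "range" not in entry:
        return [f"{name}: idmap config for {domain} has no range"]
    lo, hi = entry["range"]
    findings = []
    if entry.get("backend", "").lower() == "ad":
        # 'ad' reads the ids from AD; it never allocates, so both must exist and fit.
        if uid_number is None:
            findings.append(f"{name}: no uidNumber in AD; 'ad' backend cannot map the user")
        elif not lo <= uid_number <= hi:
            findings.append(f"{name}: uidNumber {uid_number} is outside idmap range {lo}-{hi}")
        if gid_number is None:
            findings.append(f"{name}: primary group has no gidNumber in AD")
        elif not lo <= gid_number <= hi:
            findings.append(f"{name}: primary group gidNumber {gid_number} is outside range {lo}-{hi}")
    # Allocating backends (tdb here) hand out an id inside their range, so nothing to check.
    if username.lower() in local_users:
        findings.append(f"{name}: also exists in /etc/passwd; an AD user must not be a local user too")
    return findings


# Constructed data: local account names and AD users as (domain, name, uidNumber, gidNumber).
LOCAL_PASSWD_USERS = {"root", "pcguest", "carol"}
SAMPLE_AD_USERS = [
    ("SUBDOMAIN", "myuser", None, None),   # the situation in the post: no RFC2307 attributes
    ("SUBDOMAIN", "alice", 1500, 1001),    # correctly provisioned
    ("SUBDOMAIN", "bob", 25000, 1001),     # uidNumber outside 1000-20000
    ("SUBDOMAIN", "carol", 1200, 1001),    # fine in AD, but also created locally with useradd
    ("OTHERDOM", "dave", None, None),      # no domain block, so the '*' tdb backend allocates
]


def audit(conf_text=SAMPLE_SMB_CONF, users=SAMPLE_AD_USERS, local_users=LOCAL_PASSWD_USERS):
    """Map every user through the parsed idmap config; returns {name: [findings]}."""
    idmap = parse_idmap_config(conf_text)
    return {f"{d}\\{u}": check_user(idmap, d, u, uid, gid, local_users)
            for d, u, uid, gid in users}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Running it reproduces the thread's two observations: `myuser` fails under the `ad` backend for want of a uidNumber and gidNumber, while `carol` shows the /etc/passwd workaround as a finding rather than a fix. Removing the `SUBDOMAIN` block, as the original poster did, is equivalent to every `SUBDOMAIN` user falling through to the `*` tdb backend, which silently allocates ids from 30000-40000 and hides the missing attributes.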