[Samba] Regular users can't log in to Samba AD DC from Windows

Rowland Penny rpenny at samba.org
Mon Feb 6 09:48:29 UTC 2017

On Mon, 6 Feb 2017 11:11:09 +0200
Alnis Morics via samba <samba at lists.samba.org> wrote:

> Thank you, Rowland, for the reply.

> And the nss tests as per Wiki seem to pass:

> # getent passwd Administrator
> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
> # getent passwd user1
> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin

The above is interesting, you don't have a template homedir line in
smb.conf but you have '/home/username' instead of '/home/RW/username'.

> # getent group "Domain Users"
> RW\domain users:x:20
> # touch testfile
> # ll testfile
> -rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
> # chown user1:"domain users" testfile
> # ll testfile
> -rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile
> Only I would expect that regular users' GID numbers are not within
> 0-1000, but I don't know.

On a Samba AD DC, 'Domain Users' should be mapped to the users group
(on Debian anyway, could be a different group on FreeBSD), but your
example seems to show that it is mapped to the group 'staff'.

Here is the big thing that people seem to find hard to understand: when
asking for the user's info with 'getent passwd', the user's 'gidNumber'
attribute is ignored; in fact, the user doesn't need to have a
gidNumber. In AD, all users are members of 'Domain Users' and this group
is used as the Unix user's primary group.
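
A small consistency check for the mapping described in this message, as an added example that is not part of the original post or of Samba: it parses `getent`-style output and reports users whose primary GID differs from the 'Domain Users' GID, plus any local group that shares that GID. The sample lines are constructed from the output quoted above; the local `/etc/group` lines and the function names are assumptions.

```python
# Constructed sample data, copied from the getent output quoted in the thread.
PASSWD = """\
RW\\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
RW\\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
"""
GROUP = "RW\\domain users:x:20\n"
# Assumption: local /etc/group entries as found on a stock FreeBSD install.
LOCAL_GROUP = "wheel:*:0:root\nstaff:*:20:\n"


def parse_passwd(text):
    """Return (name, uid, gid, home) tuples from getent passwd output."""
    rows = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            rows.append((f[0], int(f[2]), int(f[3]), f[5]))
    return rows


def parse_group(text):
    """Return {lower-cased group name: gid} from getent group or /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            groups[f[0].lower()] = int(f[2])
    return groups


def audit(passwd_text, domain_group_text, local_group_text,
          primary="RW\\domain users"):
    """List mismatches between users' primary GID and the domain primary group."""
    domain_gid = parse_group(domain_group_text)[primary.lower()]
    findings = []
    for name, _uid, gid, _home in parse_passwd(passwd_text):
        if gid != domain_gid:
            findings.append(f"{name}: primary GID {gid} != {primary} ({domain_gid})")
    # A local group with the same GID explains a different name in ls output.
    for lname, lgid in parse_group(local_group_text).items():
        if lgid == domain_gid:
            findings.append(f"GID {domain_gid} is also local group '{lname}'")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, GROUP, LOCAL_GROUP):
        print(finding)
```
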

