[Samba] Regular users can't log in to Samba AD DC from Windows

Alnis Morics alnis.moritz at gmail.com
Mon Feb 6 10:57:19 UTC 2017

On 02/06/2017 11:48, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 11:11:09 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>> Thank you, Rowland, for the reply.
>> And the nss tests as per Wiki seem to pass:
>> # getent passwd Administrator
>> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
>> # getent passwd user1
>> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
> The above is interesting, you don't have a template homedir line in
> smb.conf but you have '/home/username' instead of '/home/RW/username'

Oh, yes, didn't notice that. But the directory doesn't actually exist. I 
guess it would be created on first logon which has not yet occurred ?) 
And I can't login with it locally (I would need PAM configured for it, 

Although, when I create a FreeBSD user ("pw useradd testuser -m 
/home/testuser"), the home directory is immediately created without 
loging in.

I tried now to create a user explicitly telling the home directory:
samba-tool user create user2 Pa$$w0rd --surname=Tester2 
--given-name=User2 --mail-address=user2 at rw.lan 

getent passwd user2
RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin

But otherwise nothing changes: directory isn't created, and I can't 
login from Windows. And the logs repeat the same thing.

>> # getent group "Domain Users"
>> RW\domain users:x:20
>> # touch testfile
>> # ll testfile
>> -rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
>> # chown user1:"domain users" testfile
>> # ll testfile
>> -rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile
>> Only I would expect that a regular users' GID numbers are not within
>> 0-1000, but I don't know.
> On a Samba AD DC, 'Domain Users' should be mapped to the users group
> (on Debian anyway, could be a different group on freebsd), but your
> example seems to show that it is mapped to the group 'staff'.

Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so 
that shouldn't be a problem.

> Here is the big thing that people seem to find hard to understand, when
> asking for the users info with 'getent passwd' the users 'gidNumber
> attribute is ignored, in fact, the user doesn't need to have a
> gidNumber. In AD, all users are members of 'Domain Users' and this group
> is used as the Unix users primary group.
> Rowland

More information about the samba mailing list