[Samba] Regular users can't log in to Samba AD DC from Windows
alnis.moritz at gmail.com
Mon Feb 6 10:57:19 UTC 2017
On 02/06/2017 11:48, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 11:11:09 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>> Thank you, Rowland, for the reply.
>> And the nss tests as per Wiki seem to pass:
>> # getent passwd Administrator
>> # getent passwd user1
>> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
> The above is interesting, you don't have a template homedir line in
> smb.conf but you have '/home/username' instead of '/home/RW/username'
Oh, yes, I didn't notice that. But the directory doesn't actually exist. I
guess it would be created on first logon, which has not yet occurred?
And I can't log in with it locally (I would need PAM configured for it,
Although, when I create a FreeBSD user ("pw useradd testuser -m
/home/testuser"), the home directory is immediately created without
I tried now to create a user explicitly telling the home directory:
samba-tool user create user2 Pa$$w0rd --surname=Tester2 --given-name=User2 --mail-address=user2@rw.lan
getent passwd user2
But otherwise nothing changes: the directory isn't created, and I can't
log in from Windows. And the logs repeat the same thing.
>> # getent group "Domain Users"
>> RW\domain users:x:20
>> # touch testfile
>> # ll testfile
>> -rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
>> # chown user1:"domain users" testfile
>> # ll testfile
>> -rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile
>> Only I would expect that a regular user's GID number is not within
>> 0-1000, but I don't know.
> On a Samba AD DC, 'Domain Users' should be mapped to the users group
> (on Debian anyway, could be a different group on freebsd), but your
> example seems to show that it is mapped to the group 'staff'.
Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so
that shouldn't be a problem.
> Here is the big thing that people seem to find hard to understand: when
> asking for the user's info with 'getent passwd', the user's 'gidNumber'
> attribute is ignored; in fact, the user doesn't need to have a
> gidNumber. In AD, all users are members of 'Domain Users' and this group
> is used as the Unix user's primary group.
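An added sanity check (my own code, not something posted in this thread) that applies the points above to a `getent passwd` line: it compares the home directory against the expanded `template homedir`, checks that the primary GID actually resolves to the domain's 'Domain Users' rather than a colliding local group, and flags a shell that blocks local login. It assumes Samba's default `template homedir` of `/home/%D/%U` and the default winbind separator `\`.

```python
# Added check, not from the thread: compare what getent returns for a domain
# user with what Samba's winbind template settings should produce.
# Assumed Samba defaults: template homedir = /home/%D/%U, winbind separator = '\'.
DEFAULT_TEMPLATE_HOMEDIR = "/home/%D/%U"
WINBIND_SEPARATOR = "\\"

def expand_template(template, domain, user):
    """Expand the %D (domain) and %U (user) substitutions used in smb.conf."""
    return template.replace("%D", domain).replace("%U", user)

def parse_group(lines):
    """Map GID -> first group name seen, mimicking nsswitch 'files' winning over 'winbind'."""
    gid_to_name = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gid_to_name.setdefault(int(parts[2]), parts[0])
    return gid_to_name

def check_domain_user(passwd_line, group_lines, template_homedir=DEFAULT_TEMPLATE_HOMEDIR):
    """Return a list of findings explaining why this user may not behave as expected."""
    name, _pw, _uid, gid, _gecos, home, shell = passwd_line.strip().split(":")
    findings = []
    if WINBIND_SEPARATOR not in name:
        return [f"{name}: no winbind separator, not a domain user"]
    domain, user = name.split(WINBIND_SEPARATOR, 1)
    expected_home = expand_template(template_homedir, domain, user)
    if home != expected_home:
        findings.append(f"home {home} does not match template {expected_home}")
    primary = parse_group(group_lines).get(int(gid))
    expected_group = f"{domain}{WINBIND_SEPARATOR}domain users"
    if primary is None:
        findings.append(f"primary GID {gid} does not resolve to any group")
    elif primary.lower() != expected_group.lower():
        findings.append(f"primary GID {gid} resolves to '{primary}', not '{expected_group}'")
    if shell.endswith("nologin") or shell == "/bin/false":
        findings.append(f"shell {shell} blocks interactive local login")
    return findings

# Constructed sample modelled on the thread: a domain user plus a local 'staff'
# group whose GID collides with the one winbind assigned to 'Domain Users'.
SAMPLE_PASSWD = "RW\\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin"
SAMPLE_GROUPS = ["staff:x:20:", "RW\\domain users:x:20"]

if __name__ == "__main__":
    for finding in check_domain_user(SAMPLE_PASSWD, SAMPLE_GROUPS):
        print(finding)
```

On a live DC you would feed it `getent passwd 'RW\user1'` and `getent group` output instead of the constructed sample.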