[Samba] Regular users can't log in to Samba AD DC from Windows

Rowland Penny rpenny at samba.org
Mon Feb 6 11:36:06 UTC 2017 

On Mon, 6 Feb 2017 12:57:19 +0200
Alnis Morics via samba <samba at lists.samba.org> wrote:

> 
> 
> On 02/06/2017 11:48, Rowland Penny via samba wrote:
> > On Mon, 6 Feb 2017 11:11:09 +0200
> > Alnis Morics via samba <samba at lists.samba.org> wrote:
> >
> >> Thank you, Rowland, for the reply.
> >>
> >
> >> And the nss tests as per Wiki seem to pass:
> >>
> >
> >>
> >> # getent passwd Administrator
> >> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
> >>
> >> # getent passwd user1
> >> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
> >
> > The above is interesting, you don't have a template homedir line in
> > smb.conf but you have '/home/username' instead of
> > '/home/RW/username'
> 
> Oh, yes, didn't notice that. But the directory doesn't actually
> exist. I guess it would be created on first logon which has not yet
> occurred ?) And I can't login with it locally (I would need PAM
> configured for it, right?)>

Yes, you need to get PAM to create the users homedir with pam_mkhomedir

> Although, when I create a FreeBSD user ("pw useradd testuser -m 
> /home/testuser"), the home directory is immediately created without 
> loging in.

That's because you are telling the command to create the homedir

> 
> I tried now to create a user explicitly telling the home directory:
> samba-tool user create user2 Pa$$w0rd --surname=Tester2 
> --given-name=User2 --mail-address=user2 at rw.lan 
> --home-directory=/home/RW/user2
> 
> getent passwd user2
> RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin
> 
> But otherwise nothing changes: directory isn't created, and I can't 
> login from Windows. And the logs repeat the same thing.

samba-tool doesn't create the homedirs, it populates an attribute in AD
and PAM reads this and creates the home dir at first login.

> 
> >
> >>
> >> # getent group "Domain Users"
> >> RW\domain users:x:20
> >>
> >> # touch testfile
> >> # ll testfile
> >> -rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
> >> # chown user1:"domain users" testfile
> >> # ll testfile
> >> -rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile
> >>
> >> Only I would expect that a regular users' GID numbers are not
> >> within 0-1000, but I don't know.
> >>
> >
> > On a Samba AD DC, 'Domain Users' should be mapped to the users group
> > (on Debian anyway, could be a different group on freebsd), but your
> > example seems to show that it is mapped to the group 'staff'.
> 
> Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so 
> that shouldn't be a problem.

On debian, 'Domain Users' is mapped to ID '100', this is the Unix group
'users', but there is also a Unix group called 'staff' with the ID '50'.
So, I think that if AD users get the same permissions as members of the
'staff' group, this shouldn't be a problem.

Rowland

More information about the samba mailing list