[Samba] Adding non samba user to a samba-ad-dc

Robert Steinmetz rob at steinmetznet.com
Mon Mar 22 15:46:34 UTC 2021

I sent this before but don't see it on the list and didn't get a 
bounce. Trying again.

I have been attempting to understand the samba-ad-dc setup and I've set 
up an AD DC using samba-tool.
I've added a user to the AD DC using samba-tool.
I decided I needed to add a local Linux user to the DC and used

> sudo useradd <username>

Which ran as expected and created an entry for <username> in 
/etc/passwd, /etc/group and /etc/shadow.
The entry in /etc/shadow has a '!' where the password hash would 
normally be. I understand that indicates a Kerberos passwd.
I then decided I need to create a password for that user and used

> $sudo  passwd <username>
> Current Kerberos password:
> Current Kerberos password:
> passwd: Authentication token manipulation error

I want to add this user as a Linux-only local user, not as a Samba AD user.

My questions are:

1. Can I simply edit /etc/shadow and remove the '!' so I can enter a 
password and have that control this local user?
2. How can I set or reset the 'Current Kerberos passwd'? I don't recall 
setting one when I set up the samba-ad-dc using samba-tool and if I did 
I don't know what it is.

I also found a reference to the kpasswd command but running that command 
results in:

> sudo kpasswd <username>
> kpasswd: Cannot find KDC for requested realm getting initial ticket

I tried to su to the username

> # su <username>
> $ passwd
> Current Kerberos password:<cr>
> Changing password for <username>
> Current password:<cr>
> passwd: Authentication token manipulation error
> passwd: password unchanged
