[Samba] Adding non samba user to a samba-ad-dc

Rowland penny rpenny at samba.org
Mon Mar 22 16:08:46 UTC 2021


On 22/03/2021 15:46, Robert Steinmetz via samba wrote:
> I sent this before but don't see it on the list and didn't get a 
> bounce. Trying again.
>
> I have been attempting to understand the samba-ad-dc setup and I've 
> set up an AD DC using samba-tool.
> I've added a user to the AD DC using samba-tool.
> I decided I needed to add a local Linux user to the DC and used
>
>> sudo useradd <username>
>
> Which ran as expected and created an entry for <username> in 
> /etc/passwd, /etc/group and /etc/shadow.
> The entry in /etc/shadow has a '!' where the password hash would 
> normally be. I understand that indicates a Kerberos passwd.
> I then decided I need to create a password for that user and used
>
>> $ sudo passwd <username>
>> Current Kerberos password:
>> Current Kerberos password:
>> passwd: Authentication token manipulation error
>
> I want to add this user as a Linux only local user not as a Samba AD 
> user.
>
> My questions are:
>
> 1. Can I simply edit /etc/shadow and remove the '!' so I can enter a 
> password and have that control this local user?
> 2. How can I set or reset the 'Current Kerberos passwd'? I don't 
> recall setting one when I set up the samba-ad-dc using samba-tool and 
> if I did I don't know what it is.
>
> I also found a reference to the kpasswd command but running that 
> command results in:
>
>> sudo kpasswd <username>
>> kpasswd: Cannot find KDC for requested realm getting initial ticket
>
> I tried to su to the username
>
>> # su <username>
>> $ passwd
>> Current Kerberos password:<cr>
>> Changing password for <username>
>> Current password:<cr>
>> passwd: Authentication token manipulation error
>> passwd: password unchanged


I think I understand what is going on here: you have installed 
libpam-winbind, libnss-winbind and libpam-krb5 and have lines that contain:

pam_krb5.so minimum_uid=1000

in:

/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

Either add a '0' to the '1000' (in each file) or replace the '1000' with 
the DOMAIN low range used in any Unix domain members' smb.conf files you 
may have.

Rowland
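The following script is an added example, not part of the thread or of Samba itself. It reproduces the situation Rowland describes on a constructed copy of the five common-* files (placed in a temporary directory, so the real /etc/pam.d is never touched), shows that a locally created user with UID 1001 is routed to pam_krb5 under minimum_uid=1000, then rewrites the threshold and shows that only UIDs in the domain range still reach Kerberos. The value 10000 is an assumed low end of an idmap range, as typically set by an "idmap config DOMAIN : range" line on a Unix domain member; substitute your own range. The PAM line contents are sample text, not a real host's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the pam_krb5 minimum_uid
# problem on a constructed copy of /etc/pam.d and apply the fix from the
# reply. Nothing here touches the real /etc/pam.d; PAMDIR is a temp dir.
# 10000 is an assumed idmap low range ("idmap config DOMAIN : range").

PAMDIR="${PAMDIR:-$(mktemp -d)}"
PAM_FILES="common-auth common-account common-password common-session common-session-noninteractive"

# Write a constructed sample of each common-* file containing the
# problematic "pam_krb5.so minimum_uid=1000" line (sample content only).
setup_sample() {
    for f in $PAM_FILES; do
        case "$f" in
            common-auth)     svc=auth ;;
            common-account)  svc=account ;;
            common-password) svc=password ;;
            *)               svc=session ;;
        esac
        printf '%s\n' \
            "# $f (constructed sample)" \
            "$svc    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000" \
            "$svc    [success=1 default=ignore]  pam_unix.so try_first_pass" \
            > "$PAMDIR/$f"
    done
}

# Print the minimum_uid currently set on the pam_krb5.so line of a file.
current_min_uid() {   # $1 = pam file
    sed -n 's/.*pam_krb5\.so.*minimum_uid=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if pam_krb5 would handle the given UID under the file's current
# minimum_uid (pam_krb5 skips users whose UID is below the threshold).
uid_hits_krb5() {     # $1 = pam file, $2 = numeric uid
    min=$(current_min_uid "$1")
    [ -n "$min" ] && [ "$2" -ge "$min" ]
}

# Rewrite minimum_uid on every pam_krb5.so line of one file. A temp file
# is used instead of "sed -i" so this works with both GNU and BSD sed.
set_min_uid() {       # $1 = pam file, $2 = new minimum uid
    sed "s/\(pam_krb5\.so[^#]*minimum_uid=\)[0-9]*/\1$2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Apply the new threshold to all five common-* files, as the reply says.
fix_all() {           # $1 = new minimum uid
    for f in $PAM_FILES; do
        set_min_uid "$PAMDIR/$f" "$1"
    done
}

# Demo: a local user created with useradd typically gets UID 1001, which is
# >= 1000 and therefore handled by pam_krb5 (hence "Current Kerberos
# password:" from passwd). Raising the threshold to the bottom of the idmap
# range keeps local users on pam_unix while domain users still use Kerberos.
setup_sample
echo "before: minimum_uid=$(current_min_uid "$PAMDIR/common-auth")"
uid_hits_krb5 "$PAMDIR/common-auth" 1001 && echo "uid 1001 -> pam_krb5 (the problem)"
fix_all 10000
echo "after:  minimum_uid=$(current_min_uid "$PAMDIR/common-auth")"
uid_hits_krb5 "$PAMDIR/common-auth" 1001 || echo "uid 1001 -> pam_unix (fixed)"
uid_hits_krb5 "$PAMDIR/common-auth" 10001 && echo "uid 10001 -> pam_krb5 (domain user)"
```

To apply the same change on a real DC, point PAMDIR at /etc/pam.d (as root, after backing the files up) and pass the low end of your own idmap range to fix_all; check the result with `grep minimum_uid /etc/pam.d/common-*` before testing passwd again.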
