[Samba] samba domain member: local account for a domain user is required??

Rowland Penny rpenny at samba.org
Mon Oct 31 12:52:05 UTC 2022

On 31/10/2022 12:28, Michael Tokarev via samba wrote:
> While setting up a new samba domain member server and failing to setup
> winbind configuration properly, I found the following lines in smbd.log:
> [2022/10/31 15:23:58.372900,  0] 
> ../../source3/auth/auth_util.c:1933(check_account)
>    check_account: Failed to find local account with UID 1006 for SID 
> S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])
> (repeated many times).
> Yes, nss lookup (getpwuid) fails due to mistake in my config.  Which is
> really easy to make, btw.
> But this error message strongly suggest to create a local account for
> this very user, with userid 1006. And it is too easy to conclude that
> local account are *required* for domain users!
> Is it not the right conclusion? 

No you shouldn't have a local Unix user in /etc/passwd with the same 
username as a an AD user, this can lead to confusion because the local 
user will be used before the AD user. There is also no need to do this 
because on a domain joined machine, Samba will make AD users into Unix 

rowland at devstation:~$ getent passwd rowland
rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

If it is not, I guess this error message
> must be changed to something more accurate.

This is probably one of those things that will need to be fixed when 
SMBv1 is finally removed, you need local users on standalone servers and 
PDC's etc, but you shouldn't have local users if using AD.

> But why do samba *ever* wants to perform getpwuid() lookup to begin with?

Easy way to find users ???????


More information about the samba mailing list