[Samba] samba domain member: local account for a domain user is required??
Rowland Penny
rpenny at samba.org
Mon Oct 31 12:52:05 UTC 2022
On 31/10/2022 12:28, Michael Tokarev via samba wrote:
> While setting up a new samba domain member server and failing to set up
> winbind configuration properly, I found the following lines in smbd.log:
>
> [2022/10/31 15:23:58.372900, 0]
> ../../source3/auth/auth_util.c:1933(check_account)
> check_account: Failed to find local account with UID 1006 for SID
> S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])
>
> (repeated many times).
>
> Yes, nss lookup (getpwuid) fails due to a mistake in my config. Which is
> really easy to make, btw.
>
> But this error message strongly suggests to create a local account for
> this very user, with userid 1006. And it is too easy to conclude that
> local accounts are *required* for domain users!
>
> Is it not the right conclusion?
No, you shouldn't have a local Unix user in /etc/passwd with the same
username as an AD user, this can lead to confusion because the local
user will be used before the AD user. There is also no need to do this
because on a domain joined machine, Samba will make AD users into Unix
users:
rowland@devstation:~$ getent passwd rowland
rowland:*:11104:10513::/home/rowland:/bin/bash
rowland@devstation:~$ grep 'rowland' /etc/passwd
rowland@devstation:~$
> If it is not, I guess this error message
> must be changed to something more accurate.
This is probably one of those things that will need to be fixed when
SMBv1 is finally removed. You need local users on standalone servers and
PDCs etc., but you shouldn't have local users if using AD.
>
> But why does samba *ever* want to perform getpwuid() lookup to begin with?
Easy way to find users ???????
Rowland
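
Added example, not part of the original message and not Samba code: a small triage helper for the check_account error discussed above. It extracts the failing UID and domain user from smbd.log text, then reports whether the cause is a broken NSS lookup or a local /etc/passwd entry shadowing the AD user. The function names, status labels and the second log entry in the sample are assumptions made for illustration.

```python
import pwd
import re

# Constructed sample: the smbd.log message quoted in the thread, logged twice.
SAMPLE_LOG = r"""
[2022/10/31 15:23:58.372900,  0] ../../source3/auth/auth_util.c:1933(check_account)
  check_account: Failed to find local account with UID 1006 for SID
  S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])
[2022/10/31 15:23:59.101200,  0] ../../source3/auth/auth_util.c:1933(check_account)
  check_account: Failed to find local account with UID 1006 for SID S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])
"""

CHECK_ACCOUNT_RE = re.compile(
    r"check_account: Failed to find local account with UID (\d+) "
    r"for SID (S-[\d-]+) \(dom_user\[([^\\\]]+)\\([^\]]+)\]\)"
)

def parse_failures(log_text):
    """Return unique (uid, sid, domain, user) tuples, in order of appearance."""
    flat = " ".join(log_text.split())  # undo line wrapping inside a message
    seen = []
    for m in CHECK_ACCOUNT_RE.finditer(flat):
        rec = (int(m.group(1)), m.group(2), m.group(3), m.group(4))
        if rec not in seen:
            seen.append(rec)
    return seen

def local_names(passwd_path="/etc/passwd"):
    """Usernames defined in the local passwd file (not via winbind)."""
    with open(passwd_path) as fh:
        return {ln.split(":", 1)[0] for ln in fh if ln.strip() and not ln.startswith("#")}

def nss_resolves(uid):
    """True if getpwuid() finds the UID through any NSS source."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

def diagnose(log_text, local_users, resolver=nss_resolves):
    """Classify each failing account without creating any local users."""
    findings = []
    for uid, _sid, domain, user in parse_failures(log_text):
        if user in local_users:
            status = "local-shadow"   # local entry is used before the AD user
        elif resolver(uid):
            status = "resolves-now"   # lookup works; log entries are stale
        else:
            status = "nss-broken"     # fix the winbind/NSS config instead
        findings.append((uid, f"{domain}\\{user}", status))
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, local_names()))
```

A "local-shadow" result corresponds to the situation the reply warns about; "nss-broken" corresponds to the misconfiguration described in the original question.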