Re: [Samba] Regular users can't log in to Samba AD DC from Windows
- Date: Mon, 6 Feb 2017 12:57:19 +0200
- From: Alnis Morics via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Regular users can't log in to Samba AD DC from Windows
On 02/06/2017 11:48, Rowland Penny via samba wrote:
On Mon, 6 Feb 2017 11:11:09 +0200
Alnis Morics via samba <samba@xxxxxxxxxxxxxxx> wrote:
Thank you, Rowland, for the reply.
And the nss tests as per Wiki seem to pass:
# getent passwd Administrator
# getent passwd user1
The above is interesting, you don't have a template homedir line in
smb.conf but you have '/home/username' instead of '/home/RW/username'
Oh, yes, didn't notice that. But the directory doesn't actually exist. I
guess it would be created on first logon, which has not yet occurred?
And I can't log in with it locally (I would need PAM configured for it,
Although, when I create a FreeBSD user ("pw useradd testuser -m
/home/testuser"), the home directory is immediately created without
I now tried to create a user, explicitly specifying the home directory:
samba-tool user create user2 Pa$$w0rd --surname=Tester2
getent passwd user2
But otherwise nothing changes: the directory isn't created, and I can't
log in from Windows. And the logs repeat the same thing.
# getent group "Domain Users"
# touch testfile
# ll testfile
-rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile
Only I would expect that regular users' GID numbers are not within
0-1000, but I don't know.
On a Samba AD DC, 'Domain Users' should be mapped to the users group
(on Debian anyway, could be a different group on freebsd), but your
example seems to show that it is mapped to the group 'staff'.
Yes, there's a group "staff" in /etc/group with GID number 20. OK, so
that shouldn't be a problem.
Here is the big thing that people seem to find hard to understand: when
asking for the user's info with 'getent passwd', the user's 'gidNumber'
attribute is ignored; in fact, the user doesn't need to have a
gidNumber. In AD, all users are members of 'Domain Users', and this group
is used as the Unix user's primary group.
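The chown/ll output above shows the GID of "domain users" being displayed as the local name "staff", and the reply explains that 'getent passwd' takes the primary GID from 'Domain Users' rather than from the user's gidNumber. The script below is an added example, not code from the thread or from the Samba project: it reads passwd- and group-format text (on a DC you would feed it live 'getent passwd', 'getent group' and /etc/group output), reports what a user's primary GID resolves to, and flags the case where a local /etc/group entry owns that GID, so tools like ls and chown show the local name instead of the domain group. The sample lines, the user names, the domain RW and the GIDs 3000021 and 20 are constructed for offline use and are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check what a domain
# user's primary GID resolves to and whether a local /etc/group entry
# shadows the domain group. On a DC, run it against live data:
#   check_user user1 "$(getent passwd)" "$(getent group)" "$(cat /etc/group)"
# The sample data below is constructed; names and GIDs are assumptions.

SAMPLE_PASSWD='RW\user1:*:3000021:20:user1:/home/RW/user1:/bin/sh
RW\user2:*:3000022:20:Tester2:/home/RW/user2:/bin/sh'

# What NSS (winbind) returns for the domain group, constructed sample.
SAMPLE_NSS_GROUP='Domain Users:x:20:
Domain Admins:x:3000000:'

# A local /etc/group that already owns GID 20, as in the thread.
SAMPLE_ETC_GROUP='wheel:*:0:root
staff:*:20:root'

# Print the primary GID of user $1 from passwd-format text $2.
# The user name is passed through the environment so backslashes in
# DOMAIN\user names are not mangled by awk's -v escape processing.
primary_gid() {
    printf '%s\n' "$2" | NSS_NAME="$1" awk -F: \
        '$1 == ENVIRON["NSS_NAME"] { print $4; exit }'
}

# Print the name that GID $1 resolves to in group-format text $2
# (empty if no entry has that GID).
gid_to_name() {
    printf '%s\n' "$2" | NSS_GID="$1" awk -F: \
        '$3 == ENVIRON["NSS_GID"] { print $1; exit }'
}

# check_user USER PASSWD_TEXT NSS_GROUP_TEXT ETC_GROUP_TEXT
# Prints one line and returns:
#   0  OK:<gid>:<domain group name>
#   1  NO_SUCH_USER
#   2  SHADOWED:<gid>:<local name>  a local /etc/group entry owns the GID,
#      so ls/chown display that name rather than the domain group
check_user() {
    gid=$(primary_gid "$1" "$2")
    if [ -z "$gid" ]; then
        echo NO_SUCH_USER
        return 1
    fi
    lname=$(gid_to_name "$gid" "$4")
    if [ -n "$lname" ]; then
        echo "SHADOWED:$gid:$lname"
        return 2
    fi
    echo "OK:$gid:$(gid_to_name "$gid" "$3")"
}

# Demonstration on the constructed sample; a non-zero status is a finding,
# so it is ignored here to keep the script usable under 'set -e'.
check_user 'RW\user1' "$SAMPLE_PASSWD" "$SAMPLE_NSS_GROUP" "$SAMPLE_ETC_GROUP" || true
```

The check deliberately matches the user name exactly as NSS returns it (with or without the DOMAIN\ prefix, depending on 'winbind use default domain'), and it compares GIDs rather than names, because the name shown by ls is simply whichever source resolves the GID first.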