jd at ionica.lv
2015-Apr-05 18:42 UTC
[Samba] Samba as AD member can not validate domain user
I am sorry for many P.S.

>> When domain user tries to access file server (samba4, member of AD domain)
>> server logs such error:
>>
>> 2015/04/05 21:13:01.095178, 1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username DOMAINwusername is invalid on this system
>>
>> [2015/04/05 21:13:01.095200, 1]
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>
>> which, on one hand, is right - such UNIX user does not exist on the
>> file server. If I try to access file server as user registered both
>> in AD domain and file server's local passwd/shadow, I succeed.
>>
>> Does it mean that I have to have all intended users to be
>> registered as local UNIX users on file server, and, if I plan to
>> manage share permissions using domain groups, I have to make
>> "mirror" groups locally as well?
>
> quotation from another of Rowland's e-mails:
> Are your users & groups uidNumber & gidNumber attributes inside the
> '10000=99999' range ?
>
> Does this question relate to the UIDs/GIDs on Samba AD DC (for
> domain users/groups) or local UNIX accounts (on file server, for
> example)?

getent group lists only local groups;
getent passwd shows list of local users, freezes for a while and exits;
id user shows user info if it exists locally.

Janis
Rowland Penny
2015-Apr-05 19:28 UTC
[Samba] Samba as AD member can not validate domain user
On 05/04/15 19:42, jd at ionica.lv wrote:
> I am sorry for many P.S.
>
>>> When domain user tries to access file server (samba4, member of AD
>>> domain)
>>> server logs such error:
>>>
>>> 2015/04/05 21:13:01.095178, 1]
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>> Username DOMAINwusername is invalid on this system
>>>
>>> [2015/04/05 21:13:01.095200, 1]
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>> Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>> which, on one hand, is right - such UNIX user does not exist on the
>>> file server. If I try to access file server as user registered both
>>> in AD domain and file server's local passwd/shadow, I succeed.
>>>
>>> Does it mean that I have to have all intended users to be registered
>>> as local UNIX users on file server, and, if I plan to manage share
>>> permissions using domain groups, I have to make "mirror" groups
>>> locally as well?
>>
>> quotation from another of Rowland's e-mails:
>> Are your users & groups uidNumber & gidNumber attributes inside the
>> '10000=99999' range ?
>>
>> Does this question relate to the UIDs/GIDs on Samba AD DC (for
>> domain users/groups) or local UNIX accounts (on file server, for
>> example)?
>
> getent group lists only local groups;

'getent group' only shows local groups, whilst 'getent group adgroup' should show the info for the 'adgroup'

> getent passwd shows list of local users, freezes for a while and exits;

This is possibly because you may have (somehow) the same username in AD and /etc/passwd

> id user shows user info if it exists locally.

On an AD joined machine id should show user info if the user exists in AD and has the required rfc2307 attributes.

Rowland

>
> Janis
>
jd at ionica.lv
2015-Apr-06 09:09 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> getent passwd shows list of local users, freezes for a while and exits;
>
> This is possibly because you may have (somehow) the same username in
> AD and /etc/passwd

even with the "problematic" user removed behaviour is the same (with net ads leave, remove krb5 keytab and join + restart)

>> id user shows user info if it exists locally.
>
> On an AD joined machine id should show user info if the user exists
> in AD and has the required rfc2307 attributes.

I re-checked what I have on AD DC:
1. getent passwd shows local + AD users (AD users having uids in the range of 30000XX)
2. getent group shows local + AD groups, AD groups having gids in the range of 30000XX, just Domain Users having gid 100
3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID gidNumber gives only objectSID without gidNumber;

CFG files from fileserver:

=========== krb5.conf
[libdefaults]
default = INTERNAL.DOMAIN.LV
dns_lookup_realm = false
dns_lookup_kdc = true

========== nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat files
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files nisplus
publickey: nisplus

============ SMB.conf on fileserver
[global]
security = ADS
workgroup = INTERNAL
acl group control = yes
inherit acls = Yes
map acl inherit = Yes
realm = INTERNAL.DOMAIN.LV
kerberos method = secrets and keytab
idmap config internal:backend = ad
idmap config internal:range = 10000-3001000
idmap config internal:schema_mode = rfc2307
idmap config *:range = 2000-9999
idmap config *:backend = tdb
dedicated keytab file = /etc/krb5.keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = \
winbind refresh tickets = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind trusted domains only = yes
utmp = yes
wins server = sambadc.DOMAIN.lv
wins support = yes
dns proxy = no
wins proxy = no
wtmp directory = /var/log/wtmp
preferred master = no
log level = 4
bind interfaces only = Yes
interfaces = lo, eth1
netbios name = FS2
os level = 33

===================== smb.conf on AD DC
[global]
wins support = yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
winbind trusted domains only = yes
os level = 65
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
name resolve order = bcast wins host
log level = 4
idmap_ldb:use rfc2307 = yes
preferred master = Yes
map to guest = Bad Password
security = user
server role = active directory domain controller
domain logons = Yes
kerberos method = secrets and keytab
server string = Samba AD DC Server %v
domain master = Yes
winbind use default domain = yes
utmp = yes
max log size = 5000
netbios name = SAMBADC
local master = Yes
wtmp directory = /var/log/wtmp

I feel lost and I do not understand what else to read or how to detect what is wrong with cfg.

Janis
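The thread turns on two things the idmap_ad backend needs before winbind can map a Kerberos principal to a UNIX user: every AD user needs a uidNumber (and every group a gidNumber) that falls inside the domain's "idmap config X:range", and the ranges for different idmap domains must not overlap. The following script is an added example, not code from the thread or from Samba; it parses the idmap lines from the member server's smb.conf above and audits a constructed set of AD objects (hypothetical names and numbers, with "Domain Users" lacking gidNumber as reported in the thread) against them.

```python
import re

# Constructed smb.conf fragment: the idmap lines of the member server in the thread.
SMB_CONF = """
[global]
   idmap config internal:backend = ad
   idmap config internal:range = 10000-3001000
   idmap config internal:schema_mode = rfc2307
   idmap config *:range = 2000-9999
   idmap config *:backend = tdb
"""

# Constructed AD objects in the shape ldbsearch returns them (hypothetical values;
# "Domain Users" deliberately has no gidNumber, as in the thread).
AD_OBJECTS = [
    {"cn": "Domain Users", "kind": "group"},
    {"cn": "fileadmins", "kind": "group", "gidNumber": 10010},
    {"cn": "janis", "kind": "user", "uidNumber": 10001, "gidNumber": 10010},
    {"cn": "legacy", "kind": "user", "uidNumber": 3500000, "gidNumber": 10010},
    {"cn": "svc-backup", "kind": "user", "uidNumber": 5000, "gidNumber": 10010},
]

IDMAP_RANGE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def parse_idmap_ranges(conf):
    """Return {idmap domain: (low, high)} for every 'idmap config X:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE.finditer(conf)}

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; winbind requires them to be disjoint."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ha)), (b, (lb, _)) in zip(ordered, ordered[1:]) if lb <= ha]

def check_rfc2307(objects, low, high):
    """Objects idmap_ad cannot map: RFC2307 attribute missing or outside the domain range."""
    findings = []
    for obj in objects:
        attr = "uidNumber" if obj["kind"] == "user" else "gidNumber"
        value = obj.get(attr)
        if value is None:
            findings.append((obj["cn"], f"missing {attr}"))
        elif not low <= value <= high:
            findings.append((obj["cn"], f"{attr}={value} outside {low}-{high}"))
    return findings

def audit(conf=SMB_CONF, objects=AD_OBJECTS, domain="internal"):
    ranges = parse_idmap_ranges(conf)
    low, high = ranges[domain]
    return {"overlaps": overlapping_ranges(ranges),
            "unmappable": check_rfc2307(objects, low, high)}

if __name__ == "__main__":
    for name, items in audit().items():
        print(name, items)
```

On a real member server the object list would come from ldbsearch or ldapsearch output against the DC, and any object reported as unmappable is one for which winbind will log the same NT_STATUS_LOGON_FAILURE mapping error as in the thread.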