On 22/03/2021 15:46, Robert Steinmetz via samba wrote:
> I sent this before but don't see it on the list and didn't get a
> bounce. Trying again.
>
> I have been attempting to understand the samba-ad-dc setup and I've
> set up an AD DC using samba-tool.
> I've added a user to the AD DC using samba-tool.
> I decided I needed to add a local Linux user to the DC and used
>
>> sudo useradd <username>
>
> Which ran as expected and created an entry for <username> in
> /etc/passwd, /etc/group and /etc/shadow.
> The entry in /etc/shadow has a '!' where the password hash would
> normally be. I understand that indicates a Kerberos passwd.
> I then decided I need to create a password for that user and used
>
>> $ sudo passwd <username>
>> Current Kerberos password:
>> Current Kerberos password:
>> passwd: Authentication token manipulation error
>
> I want to add this user as a Linux only local user not as a Samba AD
> user.
>
> My questions are:
>
> 1. Can I simply edit /etc/shadow and remove the '!' so I can enter a
> password and have that control this local user?
> 2. How can I set or reset the 'Current Kerberos passwd'? I don't
> recall setting one when I set up the samba-ad-dc using samba-tool and
> if I did I don't know what it is.
>
> I also found a reference to the kpasswd command but running that
> command results in:
>
>> sudo kpasswd <username>
>> kpasswd: Cannot find KDC for requested realm getting initial ticket
>
> I tried to su to the username
>
>> # su <username>
>> $ passwd
>> Current Kerberos password:<cr>
>> Changing password for <username>
>> Current password:<cr>
>> passwd: Authentication token manipulation error
>> passwd: password unchanged

I think I understand what is going on here: you have installed
libpam-winbind, libnss-winbind and libpam-krb5 and have lines that contain:
pam_krb5.so minimum_uid=1000
in:
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
Add either a '0' to the '1000' (in each file) or replace the '1000' with
the DOMAIN low range used in any Unix domain members' smb.conf files you
may have.
Rowland
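The fix Rowland describes rests on how pam_krb5's minimum_uid argument works: any account whose UID is at or above that value is handed to Kerberos, and only accounts below it fall through to pam_unix, so a freshly created local user (UID 1001 here, an assumption standing in for whatever useradd assigned) gets the "Current Kerberos password:" prompt until the threshold is raised above its UID. The script below is an added example, not code from the thread or from Samba; the PAM lines it writes into a scratch copy of common-auth are constructed sample data, and the helper names (krb5_minimum_uid, krb5_applies_to_uid, set_krb5_minimum_uid) are mine. It checks which module would handle the UID before and after applying the "add a 0 to 1000" change, and the rewrite only touches minimum_uid on pam_krb5.so lines so the rest of the file is preserved.

```shell
#!/bin/sh
# Added example, not code from the thread: shows how the minimum_uid argument
# on the pam_krb5.so line decides whether an account is handed to Kerberos,
# and applies the fix (raise 1000 to 10000) to a copy of the PAM files.
# The PAM lines and the UID below are constructed sample data.
set -eu

# Print the minimum_uid value from the pam_krb5.so line of a PAM file
# (empty output if the module is not configured there).
krb5_minimum_uid() {
    sed -n 's/.*pam_krb5\.so.*minimum_uid=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if pam_krb5 would handle the given UID in that file, 1 otherwise.
# Accounts below minimum_uid are skipped by pam_krb5 and fall through to
# pam_unix, which is why raising the value lets a local user set a password.
krb5_applies_to_uid() {
    file="$1"; uid="$2"
    min=$(krb5_minimum_uid "$file")
    [ -n "$min" ] || return 1
    [ "$uid" -ge "$min" ]
}

# Rewrite minimum_uid on pam_krb5.so lines only; every other line is kept.
# Writes through a temporary file and renames it, so the edit is atomic and
# does not depend on a particular sed -i dialect.
set_krb5_minimum_uid() {
    file="$1"; newmin="$2"
    tmp="${file}.tmp.$$"
    sed "/pam_krb5\.so/s/minimum_uid=[0-9]*/minimum_uid=${newmin}/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Demo on a constructed copy of common-auth in a scratch directory.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/common-auth" <<'EOF'
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    local_uid=1001   # assumption: the UID useradd gave the new local user
    if krb5_applies_to_uid "$dir/common-auth" "$local_uid"; then
        echo "before: UID $local_uid is routed to pam_krb5 (Kerberos password prompt)"
    fi
    # Apply the change to every common-* file that exists in the scratch dir.
    for f in common-auth common-account common-password common-session common-session-noninteractive; do
        [ -f "$dir/$f" ] && set_krb5_minimum_uid "$dir/$f" 10000
    done
    if ! krb5_applies_to_uid "$dir/common-auth" "$local_uid"; then
        echo "after:  UID $local_uid is below minimum_uid=$(krb5_minimum_uid "$dir/common-auth"), pam_unix handles it"
    fi
    rm -rf "$dir"
}

demo
```

To use it against a real system, point set_krb5_minimum_uid at each of the five /etc/pam.d/common-* files Rowland lists (as root, after taking a backup), and pick the new value the same way he does: 10000, or the bottom of the DOMAIN idmap range from your domain members' smb.conf, so that every domain-mapped UID still reaches pam_krb5 while purely local accounts stay with pam_unix.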