Michael Tokarev
2022-Oct-31 12:28 UTC
[Samba] samba domain member: local account for a domain user is required??
While setting up a new samba domain member server and failing to set up
winbind configuration properly, I found the following lines in smbd.log:

[2022/10/31 15:23:58.372900,  0] ../../source3/auth/auth_util.c:1933(check_account)
  check_account: Failed to find local account with UID 1006 for SID S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])

(repeated many times).

Yes, nss lookup (getpwuid) fails due to a mistake in my config. Which is
really easy to make, btw.

But this error message strongly suggests creating a local account for
this very user, with userid 1006. And it is too easy to conclude that
local accounts are *required* for domain users!

Is it not the right conclusion? If it is not, I guess this error message
must be changed to something more accurate.

But why does samba *ever* want to perform a getpwuid() lookup to begin with?

Thanks,

/mjt
Rowland Penny
2022-Oct-31 12:52 UTC
[Samba] samba domain member: local account for a domain user is required??
On 31/10/2022 12:28, Michael Tokarev via samba wrote:
> While setting up a new samba domain member server and failing to set up
> winbind configuration properly, I found the following lines in smbd.log:
>
> [2022/10/31 15:23:58.372900,  0]
> ../../source3/auth/auth_util.c:1933(check_account)
>   check_account: Failed to find local account with UID 1006 for SID
> S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\mjt])
>
> (repeated many times).
>
> Yes, nss lookup (getpwuid) fails due to a mistake in my config. Which is
> really easy to make, btw.
>
> But this error message strongly suggests creating a local account for
> this very user, with userid 1006. And it is too easy to conclude that
> local accounts are *required* for domain users!
>
> Is it not the right conclusion?

No, you shouldn't have a local Unix user in /etc/passwd with the same
username as an AD user; this can lead to confusion because the local user
will be used before the AD user. There is also no need to do this because
on a domain joined machine, Samba will make AD users into Unix users:

rowland@devstation:~$ getent passwd rowland
rowland:*:11104:10513::/home/rowland:/bin/bash
rowland@devstation:~$ grep 'rowland' /etc/passwd
rowland@devstation:~$

> If it is not, I guess this error message
> must be changed to something more accurate.

This is probably one of those things that will need to be fixed when SMBv1
is finally removed. You need local users on standalone servers, PDCs,
etc., but you shouldn't have local users if using AD.

> But why does samba *ever* want to perform a getpwuid() lookup to begin with?

Easy way to find users

Rowland
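
Added example, not part of either message and not Samba code: a small triage script for the check_account entries discussed in this thread, separating "getpwuid() cannot resolve the UID" from "a local /etc/passwd entry with the same name answers instead". The function names, the regex (built from the log message quoted above) and the sample /etc/passwd content are assumptions made for this illustration.

```python
import pwd
import re

# check_account message as quoted in the thread; \s+ tolerates line wrapping.
FAILURE = re.compile(
    r"check_account:\s+Failed to find local account with UID\s+(\d+)\s+for SID\s+"
    r"(S-\d+(?:-\d+)+)\s+\(dom_user\[([^\]]+)\]\)")

# Constructed sample: the smbd.log entry from the thread, logged twice.
SAMPLE_LOG = (
    "[2022/10/31 15:23:58.372900,  0] ../../source3/auth/auth_util.c:1933(check_account)\n"
    "  check_account: Failed to find local account with UID 1006 for SID "
    "S-1-5-21-411424318-379842365-2075518510-1010 (dom_user[TLS\\mjt])\n") * 2

# Constructed /etc/passwd content with no entry for the domain user.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"


def parse_failures(log_text):
    """Return unique (uid, sid, account) tuples in order of first appearance."""
    seen = []
    for m in FAILURE.finditer(log_text):
        item = (int(m.group(1)), m.group(2), m.group(3))
        if item not in seen:
            seen.append(item)
    return seen


def local_names(passwd_text):
    """Names defined in passwd-format text (the file itself, not NSS)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def nss_name(uid):
    """What getpwuid() returns through NSS, or None when the lookup fails."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def diagnose(uid, passwd_text, resolve=nss_name):
    """Classify one failed UID: 'unresolved', 'local-shadow' or 'ok'."""
    name = resolve(uid)
    if name is None:
        return "unresolved"    # getpwuid() fails: fix the NSS/winbind setup
    if name in local_names(passwd_text):
        return "local-shadow"  # a local /etc/passwd entry answers instead
    return "ok"                # resolved through NSS with no local entry


if __name__ == "__main__":
    for uid, sid, account in parse_failures(SAMPLE_LOG):
        print(account, sid, uid, diagnose(uid, SAMPLE_PASSWD))
```

On a real member server, pass the contents of smbd.log and /etc/passwd in place of the constructed samples; the default resolver then performs the same getpwuid() lookup the log message is about.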