Rowland Penny
2024-Mar-16 20:44 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba <samba at lists.samba.org> wrote:
> Hi,
>
> after I set up one working Samba today, I tried to do exactly the same
> in another domain.
> I created a privileged debian12 container and installed samba.
> I have a MS Win driven AD (3 DCs). First I had not all in upper case
> in krb.conf. I learnt uppercase is needed and fixed it. To be sure I
> left the domain, killed the container and started again from scratch
> (hope nothing is stored anywhere).
>
> I don't get getent passwd working:
>
> getent passwd 'DMYDOM\a-sdettmer'
>
> it returns just nothing. wbinfo -u works. Before starting from
> scratch, I tried many things I found with Google but I had no success.
>
> Could please someone take a look and enlighten me? Probably I forgot
> something or configured something wrong, but I just fail to find it
> after many hours. :(
>
> Any help appreciated!
>
> Steffen
>
> Some Diagnostics.
>
> First the two config files that I changed:
>
> -----[ /etc/krb5.conf BEGIN ]----
> [libdefaults]
> default_realm = DMYDOM.INT
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DMYDOM.INT = {
> default_domain = dom.local
> }
>
> [domain_realm]
> A2NAS = DMYDOM.INT
> -----[ /etc/krb5.conf END ]----
>
> -----[ /etc/samba/smb.conf BEGIN ]----
> [global]
> security = ADS
> workgroup = DMYDOM
> realm = DMYDOM.INT
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> obey pam restrictions = yes
> pam password change = yes
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DMYDOM : backend = rid
> idmap config DMYDOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
> usershare allow guests = yes
> disable netbios = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
> -----[ /etc/samba/smb.conf END ]----
>
> Some commands I tried as diagnosis (after $) and their output:
>
> $ wbinfo -p
> Ping to winbindd succeeded
>
> $ wbinfo --ping-dc
> checking the NETLOGON for domain[DMYDOM] dc connection to
> "a2-dc2.DMYDOM.int" succeeded
>
> $ wbinfo -t
> checking the trust secret for domain DMYDOM via RPC calls succeeded
>
> $ wbinfo -u | grep dett
> a-sdettmer
> sdettmer
> $ wbinfo -u | wc -l
> 723
>
> $ getent passwd 'DMYDOM\a-sdettmer'
>
> $ grep winbind /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
>
> $ getent passwd | wc -l
> 24
>
> $ cat /etc/passwd | wc -l
> 24
>
> $ wbinfo -K 'DMYDOM\a-sdettmer'
> Enter DMYDOM\a-sdettmer's password:
> plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> $ kinit a-sdettmer
> Password for a-sdettmer at DMYDOM.INT:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: a-sdettmer at DMYDOM.INT
>
> Valid starting       Expires              Service principal
> 03/16/2024 21:24:02  03/17/2024 07:24:02  krbtgt/DMYDOM.INT at DMYDOM.INT
>         renew until 03/17/2024 21:24:00

Have you installed libpam-winbind & libnss-winbind ?

Rowland
Steffen Dettmer
2024-Mar-17 10:36 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > getent passwd 'DMYDOM\a-sdettmer'
> > [nothing]
> Have you installed libpam-winbind & libnss-winbind ?

Thank you for your quick response again!

Yes, I have libpam-winbind and libnss-winbind.

I just today noticed (due to a typo in my test yesterday :() that some
accounts do work! Apparently mine, which are in a special group in AD,
are not showing up. Apparently roughly half gets returned by getent,
half does not.

I looked at the output of win powershell "Get-ADUser -Identity user
-Properties * > user.txt", but I don't see a pattern between example
users that show up and others that don't. Maybe it is a condition like
"field surname must exist and contain letters only" or such?

How do I find who (possibly libnss-winbind?) rejects some of the AD
users? Enable some PAM debug? /var/log/samba and journalctl revealed
nothing to my eyes.

Steffen

Diagnostics:

# apt install -y libpam-winbind libnss-winbind
libpam-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
libnss-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

It appears in PAM:

root at a2samba2:~# grep winbind /etc/pam.d/*
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
/etc/pam.d/common-password:password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
/etc/pam.d/common-session:session optional pam_winbind.so
/etc/pam.d/common-session-noninteractive:session optional pam_winbind.so
root at a2samba2:~#
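One check worth running against the smb.conf quoted above, as an added script that is not from the thread: wbinfo -u enumerates users without needing a uid, while getent passwd needs winbind to map the user's SID to a uid. With the rid backend that mapping is uid = RID + low end of the range (idmap_rid(8)), so a RID above 89999 cannot fit into 10000-99999 and the user silently drops out of getent. The SIDs below are constructed; real ones come from wbinfo -n.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does a user's RID fit the
# idmap rid range "idmap config DMYDOM : range = 10000-99999"?
# idmap_rid assigns uid = RID + low end of the range; if that uid would
# exceed the high end, no mapping exists and getent passwd returns nothing
# for the user even though wbinfo -u still lists it.

# Print the RID (last component) of a domain SID like S-1-5-21-a-b-c-1105.
sid_rid() {
    case "$1" in
        S-1-5-21-*-*-*-*) printf '%s\n' "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# Print the uid idmap_rid would assign for SID, or fail if it is outside
# the configured range LOW-HIGH.
rid_to_uid() {
    sid="$1"; low="$2"; high="$3"
    rid=$(sid_rid "$sid") || return 1
    uid=$((rid + low))
    [ "$uid" -le "$high" ] || return 2
    printf '%s\n' "$uid"
}

# Report one user. In practice obtain the SID with: wbinfo -n 'DMYDOM\user'
check_user() {
    name="$1"; sid="$2"; low="$3"; high="$4"
    if uid=$(rid_to_uid "$sid" "$low" "$high"); then
        printf '%s %s -> uid %s (in range)\n' "$name" "$sid" "$uid"
        return 0
    fi
    printf '%s %s -> RID %s does not fit range %s-%s, no uid\n' \
        "$name" "$sid" "$(sid_rid "$sid")" "$low" "$high"
    return 1
}

# Constructed sample SIDs (not real values from the thread).
check_user a-sdettmer S-1-5-21-100-200-300-1105  10000 99999
check_user sdettmer   S-1-5-21-100-200-300-95001 10000 99999 || true
```

To run it over the whole domain, feed each name from wbinfo -u through wbinfo -n and pass the returned SID to check_user; every user reported out of range will also be missing from getent passwd.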