Steffen Dettmer
2024-Mar-16 20:33 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
Hi,

after I set up one working Samba today, I tried to do exactly the same
in another domain.
I created a privileged debian12 container and installed samba.
I have a MS Win driven AD (3 DCs). First I had not all in upper case
in krb.conf. I learnt uppercase is needed and fixed it. To be sure I
left the domain, killed the container and started again from scratch (hope
nothing is stored anywhere).

I don't get getent passwd working:

getent passwd 'DMYDOM\a-sdettmer'

it returns just nothing. wbinfo -u works. Before starting from
scratch, I tried many things I found with Google but I had no success.

Could someone please take a look and enlighten me? Probably I forgot
something or configured something wrong, but I just fail to find it
for many hours. :(

Any help appreciated!

Steffen

Some Diagnostics.

First the two config files that I changed:

-----[ /etc/krb5.conf BEGIN ]----
[libdefaults]
default_realm = DMYDOM.INT
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
DMYDOM.INT = {
default_domain = dom.local
}

[domain_realm]
A2NAS = DMYDOM.INT
-----[ /etc/krb5.conf END ]----

-----[ /etc/samba/smb.conf BEGIN ]----
[global]
security = ADS
workgroup = DMYDOM
realm = DMYDOM.INT

log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
pam password change = yes
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DMYDOM : backend = rid
idmap config DMYDOM : range = 10000-99999
template shell = /bin/bash
template homedir = /home/%U
usershare allow guests = yes
disable netbios = yes

vfs objects = acl_xattr
map acl inherit = yes

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
-----[ /etc/samba/smb.conf END ]----

Some commands I tried as diagnosis (after $) and their output:

$ wbinfo -p
Ping to winbindd succeeded

$ wbinfo --ping-dc
checking the NETLOGON for domain[DMYDOM] dc connection to
"a2-dc2.DMYDOM.int" succeeded

$ wbinfo -t
checking the trust secret for domain DMYDOM via RPC calls succeeded

$ wbinfo -u | grep dett
a-sdettmer
sdettmer
$ wbinfo -u | wc -l
723

$ getent passwd 'DMYDOM\a-sdettmer'

$ grep winbind /etc/nsswitch.conf
passwd: files systemd winbind
group: files systemd winbind

$ getent passwd | wc -l
24

$ cat /etc/passwd | wc -l
24

$ wbinfo -K 'DMYDOM\a-sdettmer'
Enter DMYDOM\a-sdettmer's password:
plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

$ kinit a-sdettmer
Password for a-sdettmer at DMYDOM.INT:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: a-sdettmer at DMYDOM.INT

Valid starting       Expires              Service principal
03/16/2024 21:24:02  03/17/2024 07:24:02  krbtgt/DMYDOM.INT at DMYDOM.INT
        renew until 03/17/2024 21:24:00
Rowland Penny
2024-Mar-16 20:44 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
On Sat, 16 Mar 2024 21:33:59 +0100
Steffen Dettmer via samba <samba at lists.samba.org> wrote:

> Hi,
>
> after I set up one working Samba today, I tried to do exactly the same
> in another domain.
> I created a privileged debian12 container and installed samba.
> I have a MS Win driven AD (3 DCs). First I had not all in upper case
> in krb.conf. I learnt uppercase is needed and fixed it. To be sure I
> left the domain, killed the container and started again from scratch (hope
> nothing is stored anywhere).
>
> I don't get getent passwd working:
>
> getent passwd 'DMYDOM\a-sdettmer'
>
> it returns just nothing. wbinfo -u works. Before starting from
> scratch, I tried many things I found with Google but I had no success.
>
> Could someone please take a look and enlighten me? Probably I forgot
> something or configured something wrong, but I just fail to find it
> for many hours. :(
>
> Any help appreciated!
>
> Steffen
>
> Some Diagnostics.
>
> First the two config files that I changed:
>
> -----[ /etc/krb5.conf BEGIN ]----
> [libdefaults]
> default_realm = DMYDOM.INT
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DMYDOM.INT = {
> default_domain = dom.local
> }
>
> [domain_realm]
> A2NAS = DMYDOM.INT
> -----[ /etc/krb5.conf END ]----
>
> -----[ /etc/samba/smb.conf BEGIN ]----
> [global]
> security = ADS
> workgroup = DMYDOM
> realm = DMYDOM.INT
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> obey pam restrictions = yes
> pam password change = yes
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DMYDOM : backend = rid
> idmap config DMYDOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
> usershare allow guests = yes
> disable netbios = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
> -----[ /etc/samba/smb.conf END ]----
>
> Some commands I tried as diagnosis (after $) and their output:
>
> $ wbinfo -p
> Ping to winbindd succeeded
>
> $ wbinfo --ping-dc
> checking the NETLOGON for domain[DMYDOM] dc connection to
> "a2-dc2.DMYDOM.int" succeeded
>
> $ wbinfo -t
> checking the trust secret for domain DMYDOM via RPC calls succeeded
>
> $ wbinfo -u | grep dett
> a-sdettmer
> sdettmer
> $ wbinfo -u | wc -l
> 723
>
> $ getent passwd 'DMYDOM\a-sdettmer'
>
> $ grep winbind /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
>
> $ getent passwd | wc -l
> 24
>
> $ cat /etc/passwd | wc -l
> 24
>
> $ wbinfo -K 'DMYDOM\a-sdettmer'
> Enter DMYDOM\a-sdettmer's password:
> plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> $ kinit a-sdettmer
> Password for a-sdettmer at DMYDOM.INT:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: a-sdettmer at DMYDOM.INT
>
> Valid starting       Expires              Service principal
> 03/16/2024 21:24:02  03/17/2024 07:24:02  krbtgt/DMYDOM.INT at DMYDOM.INT
>         renew until 03/17/2024 21:24:00
>

Have you installed libpam-winbind & libnss-winbind ?

Rowland
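The question Rowland raises points at the gap between the two tools in the diagnostics above: wbinfo talks to winbindd over its own socket, while getent goes through glibc NSS, which only consults winbindd if the "winbind" entry in nsswitch.conf can load libnss_winbind.so.2 (shipped in Debian's libnss-winbind package). The script below is an added diagnostic, not code from the thread or from the Samba project; it checks both conditions on a host. The nsswitch path, the library directories it searches and the use of ldconfig -p are assumptions about a glibc-based Debian system.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). getent passwd can only return AD
# users when (1) "winbind" is listed for passwd and group in nsswitch.conf
# and (2) the NSS module libnss_winbind.so.2 is installed so that entry
# resolves. wbinfo bypasses NSS entirely, so it can succeed while getent
# returns nothing, which is exactly the symptom in the thread.

# nss_lists_winbind FILE DB...  ->  0 if every DB line in FILE names winbind.
nss_lists_winbind() {
    file=$1
    shift
    for db in "$@"; do
        # Match e.g. "passwd: files systemd winbind"; leading spaces allowed,
        # "winbind" must be a whole token on that database's line.
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file" \
            || return 1
    done
    return 0
}

# nss_winbind_module_present  ->  0 if the loader can find libnss_winbind.so.2.
nss_winbind_module_present() {
    # Prefer the loader cache; fall back to common library directories
    # (assumed locations, including the Debian multiarch path).
    if command -v ldconfig >/dev/null 2>&1 \
        && ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so\.2'; then
        return 0
    fi
    for dir in /lib /usr/lib /lib64 /usr/lib64 \
               /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu; do
        [ -e "$dir/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# check_winbind_nss [FILE]  ->  prints a verdict per condition; 0 only if both hold.
check_winbind_nss() {
    file=${1:-/etc/nsswitch.conf}
    rc=0
    if nss_lists_winbind "$file" passwd group; then
        echo "ok:   winbind listed for passwd and group in $file"
    else
        echo "FAIL: winbind missing from passwd or group in $file"
        rc=1
    fi
    if nss_winbind_module_present; then
        echo "ok:   libnss_winbind.so.2 found (libnss-winbind installed)"
    else
        echo "FAIL: libnss_winbind.so.2 not found; install libnss-winbind"
        rc=1
    fi
    return $rc
}

# Usage: sh check_winbind_nss.sh --run [/path/to/nsswitch.conf]
if [ "${1:-}" = "--run" ]; then
    check_winbind_nss "${2:-/etc/nsswitch.conf}"
fi
```

In the configuration quoted above the first check would pass (nsswitch.conf already lists winbind for passwd and group), so a failing second check is what would single out the missing libnss-winbind package; on Debian, dpkg -l libnss-winbind gives the same answer from the package database.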