samba - Apr 2025 - Linux member joined to AD domain: No login with domain user possible, getent not working

Am 14.04.2025 um 21:11 schrieb Rowland Penny via samba:
> On Mon, 14 Apr 2025 15:50:50 +0200
> Paul Leiber via samba <samba at lists.samba.org> wrote:
> 
>> Dear Samba list,
>>
>> I am pulling my hair out over one linux machine (a laptop) joined to
>> my Samba AD domain. On this machine, I can't use domain users to
>> login. wbinfo -u shows AD users, getent passwd doesn't (no output
is
>> given). From other linux and windows machines, I can login with AD
>> credentials and getent is working, so I assume that the issue is with
>> that specific member.
>>
>> I can issue kerberos tickets on this machine for domain members.
>>
>> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
>> the following:
>> plaintext kerberos password authentication for [INTERNAL\user] failed
>> (requesting cctype: FILE)
>> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
>> (0xc000006d)
>> error message was: The attempted logon is invalid. This is either due
>> to a bad username or authentication information.
>> Could not authenticate user [INTERNAL\user%password] with Kerberos
>> (ccache: FILE)
>>
>> You can find the sanitized samba info collected with the script
>> samba-collect-debug-info.sh below. I changed a lot of stuff while
>> trying to fix this issue, the smb.conf therefore looks a bit messy. I
>> tried it with a copy of a smb.conf from a working domain member, but
>> that didn't help.
>>
> 
> I haven't seen the output from that script for a very long time, but it
> all appears to be what is expected, so my first thought, is there a
> firewall getting in the way ?
Yeah, I spotted the link to the script in one of Louis' old posts 
related to my issue and thought that it looks handy...

There is no firewall active on the DC. There is no firewall installed on 
the member. There is a firewall on my router.

If the WiFi connection is somehow botched due to NetworkManager (or my 
limited understanding of NetworkManager, to be fair), it could be 
possible that the firewall is blocking some traffic. However, I don't 
expect that the wired connection could also be blocked by the firewall. 
I'll check anyway.

1. Could a firewall explain that wbinfo and getent behave differently? 
Are different ports used for either program?
2. Are there specific port(s) that I should monitor on the DC for 
traffic from/to the member?

Paul

On 14.04.2025 23:13, Paul Leiber via samba wrote:
> Am 14.04.2025 um 21:11 schrieb Rowland Penny via samba:
>> On Mon, 14 Apr 2025 15:50:50 +0200
>> Paul Leiber via samba <samba at lists.samba.org> wrote:
>>
>>> Dear Samba list,
>>>
>>> I am pulling my hair out over one linux machine (a laptop) joined
to
>>> my Samba AD domain. On this machine, I can't use domain users
to
>>> login. wbinfo -u shows AD users, getent passwd doesn't (no
output is
>>> given). From other linux and windows machines, I can login with AD
>>> credentials and getent is working, so I assume that the issue is
with
>>> that specific member.
>>>
>>> I can issue kerberos tickets on this machine for domain members.
>>>
>>> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
>>> the following:
>>> plaintext kerberos password authentication for [INTERNAL\user]
failed
>>> (requesting cctype: FILE)
>>> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
>>> (0xc000006d)
>>> error message was: The attempted logon is invalid. This is either
due
>>> to a bad username or authentication information.
>>> Could not authenticate user [INTERNAL\user%password] with Kerberos
>>> (ccache: FILE)
>>>
>>> You can find the sanitized samba info collected with the script
>>> samba-collect-debug-info.sh below. I changed a lot of stuff while
>>> trying to fix this issue, the smb.conf therefore looks a bit messy.
I
>>> tried it with a copy of a smb.conf from a working domain member,
but
>>> that didn't help.
>>>
>>
>> I haven't seen the output from that script for a very long time,
but it
>> all appears to be what is expected, so my first thought, is there a
>> firewall getting in the way ?
>
> Yeah, I spotted the link to the script in one of Louis' old posts 
> related to my issue and thought that it looks handy...
>
> There is no firewall active on the DC. There is no firewall installed 
> on the member. There is a firewall on my router.
>
> If the WiFi connection is somehow botched due to NetworkManager (or my 
> limited understanding of NetworkManager, to be fair), it could be 
> possible that the firewall is blocking some traffic. However, I don't 
> expect that the wired connection could also be blocked by the 
> firewall. I'll check anyway.
>
> 1. Could a firewall explain that wbinfo and getent behave differently? 
> Are different ports used for either program?
> 2. Are there specific port(s) that I should monitor on the DC for 
> traffic from/to the member?
>
> Paul
>
>
> Hi Paul,
Check if nscd is installed. If it is, uninstall it completely. It 
interferes with Samba.

Best regards,

Peter

On Mon, 14 Apr 2025 23:13:25 +0200
Paul Leiber via samba <samba at lists.samba.org> wrote:
> Am 14.04.2025 um 21:11 schrieb Rowland Penny via samba:
> > On Mon, 14 Apr 2025 15:50:50 +0200
> > Paul Leiber via samba <samba at lists.samba.org> wrote:
> > 
> >> Dear Samba list,
> >>
> >> I am pulling my hair out over one linux machine (a laptop) joined
> >> to my Samba AD domain. On this machine, I can't use domain
users to
> >> login. wbinfo -u shows AD users, getent passwd doesn't (no
output
> >> is given). From other linux and windows machines, I can login with
> >> AD credentials and getent is working, so I assume that the issue
> >> is with that specific member.
> >>
> >> I can issue kerberos tickets on this machine for domain members.
> >>
> >> If I use wbinfo --verbose -K INTERNAL\\user%password, the output
is
> >> the following:
> >> plaintext kerberos password authentication for [INTERNAL\user]
> >> failed (requesting cctype: FILE)
> >> wbcLogonUser(INTERNAL\user): error code was
NT_STATUS_LOGON_FAILURE
> >> (0xc000006d)
> >> error message was: The attempted logon is invalid. This is either
> >> due to a bad username or authentication information.
> >> Could not authenticate user [INTERNAL\user%password] with Kerberos
> >> (ccache: FILE)
> >>
> >> You can find the sanitized samba info collected with the script
> >> samba-collect-debug-info.sh below. I changed a lot of stuff while
> >> trying to fix this issue, the smb.conf therefore looks a bit
> >> messy. I tried it with a copy of a smb.conf from a working domain
> >> member, but that didn't help.
> >>
> > 
> > I haven't seen the output from that script for a very long time,
> > but it all appears to be what is expected, so my first thought, is
> > there a firewall getting in the way ?
> 
> Yeah, I spotted the link to the script in one of Louis' old posts 
> related to my issue and thought that it looks handy...
> 
> There is no firewall active on the DC. There is no firewall installed
> on the member. There is a firewall on my router.
> 
> If the WiFi connection is somehow botched due to NetworkManager (or
> my limited understanding of NetworkManager, to be fair), it could be 
> possible that the firewall is blocking some traffic. However, I don't 
> expect that the wired connection could also be blocked by the
> firewall. I'll check anyway.
> 
> 1. Could a firewall explain that wbinfo and getent behave
> differently? Are different ports used for either program?
> 2. Are there specific port(s) that I should monitor on the DC for 
> traffic from/to the member?
I have looked at the output of that script again and everything looks
okay, even the time is correct, there should be no reason for 'getent
passwd <USERNAME>' not to provide output if 'wbinfo -u | grep
<USERNAME' does, unless either the Domain Users group doesn't have a
gidNumber inside the 10000-999999 range or the user doesn't have a
uidNumber inside the same range.

What does 'wbinfo -i <USERNAME>' produce ?

Otherwise, if you have other clients running the same OS etc that work,
then I suggest you compare things until you find what the difference is.

Rowland