Steffen Dettmer
2024-Mar-17 10:36 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > getent passwd 'DMYDOM\a-sdettmer'
> > [nothing]
> Have you installed libpam-winbind & libnss-winbind ?

Thank you for your quick response again!
Yes, I have libpam-winbind and libnss-winbind.

I just today noticed (due to a typo in my test yesterday :() that some accounts do work! Apparently mine, which are in a special group in AD, are not showing up. Apparently roughly half gets returned by getent, half does not.

I looked at the output of win powershell "Get-ADUser -Identity user -Properties * > user.txt", but I don't see a pattern between example users that show up and others that don't. Maybe it is a condition like "field surname must exist and contain letters only" or such?

How do I find who (possibly libnss-winbind?) rejects some of the AD users? Enable some PAM debug? /var/log/samba and journalctl revealed nothing to my eyes.

Steffen

Diagnostics:

# apt install -y libpam-winbind libnss-winbind
libpam-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
libnss-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

It appears in PAM:

root@a2samba2:~# grep winbind /etc/pam.d/*
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
/etc/pam.d/common-password:password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
/etc/pam.d/common-session:session optional pam_winbind.so
/etc/pam.d/common-session-noninteractive:session optional pam_winbind.so
root@a2samba2:~#
Rowland Penny
2024-Mar-17 11:22 UTC
[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
On Sun, 17 Mar 2024 11:36:51 +0100 Steffen Dettmer <steffen.dettmer+samba at gmail.com> wrote:
> On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> > On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > > getent passwd 'DMYDOM\a-sdettmer'
> > > [nothing]
> > Have you installed libpam-winbind & libnss-winbind ?
>
> Thank you for your quick response again!
> Yes, I have libpam-winbind and libnss-winbind.
>
> I just today noticed (due to a typo in my test yesterday :() that some
> accounts do work! Apparently mine, which are in a special group in AD,
> are not showing up. Apparently roughly half gets returned by getent,
> half does not.
>
> I looked at the output of win powershell "Get-ADUser -Identity user
> -Properties * > user.txt", but I don't see a pattern between example
> users that show up and others that don't. Maybe it is a condition like
> "field surname must exist and contain letters only" or such?
>
> How do I find who (possibly libnss-winbind?) rejects some of the AD
> users? Enable some PAM debug? /var/log/samba and journalctl revealed
> nothing to my eyes.
>
> Steffen
>
> Diagnostics:
>
> # apt install -y libpam-winbind libnss-winbind
> libpam-winbind is already the newest version
> (2:4.17.12+dfsg-0+deb12u1). libnss-winbind is already the newest
> version (2:4.17.12+dfsg-0+deb12u1). 0 upgraded, 0 newly installed, 0
> to remove and 0 not upgraded.

It isn't the newest version available, you can get 4.19.5 from bookworm-backports. Not that this has anything to do with your problem.

> It appears in PAM:

PAM is set up correctly.

From reading your first post again, in /etc/krb5.conf, you have these lines:

default_realm = DMYDOM.INT
...
default_domain = dom.local

The latter should be the lowercase version of the former, i.e. 'mydom.int' and not 'dom.local' (also I hope that '.local' is sanitisation for the real TLD).

Other than that, everything you have posted appears to be correct.

What could be happening is that the 'rid' backend is ignoring your users. The 'rid' backend works by obtaining the user's RID and then calculating the Unix ID from that and the low range set in smb.conf:

ID = RID + low range start

You are using '10000' as the low range start, so that becomes:

ID = RID + 10000

So if the RID was 9999, the ID would be '19999', which is less than your high range end of '99999'. However, if the RID was '99999', the ID would be '109999', which is over your high range end and, as a result, your user would be ignored.

Quick test: change 'idmap config DMYDOM : range = 10000-99999' to 'idmap config DMYDOM : range = 10000-999999', reload the config with smbcontrol or restart Samba.

Rowland
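The arithmetic Rowland describes for the 'rid' backend, as an added example that is not part of the thread and not Samba's own code: a small POSIX sh script that pulls the RID out of a SID, applies ID = RID + low range start (assuming the default base_rid of 0), and reports whether the result lands inside a given 'idmap config ... : range'. The SIDs in the loop are constructed placeholders, not real DMYDOM accounts; the two ranges are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): reproduce the idmap_rid
# arithmetic so you can predict whether an account's RID fits inside
# 'idmap config DMYDOM : range = LOW-HIGH'. Assumes the default base_rid of 0,
# so ID = RID + LOW. The SIDs below are constructed placeholders.

# rid_from_sid SID -> prints the RID, i.e. the last dash-separated component.
rid_from_sid() {
    printf '%s\n' "${1##*-}"
}

# rid_to_id RID LOW HIGH -> prints LOW + RID; exit 0 if that ID lies within
# [LOW, HIGH], exit 1 if it falls outside (winbind then ignores the account).
rid_to_id() {
    rid=$1 low=$2 high=$3
    id=$((rid + low))
    printf '%s\n' "$id"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# min_high_for_rid RID LOW -> the smallest HIGH that still maps this RID,
# i.e. what the upper end of the range must be at least.
min_high_for_rid() {
    printf '%s\n' "$(( $1 + $2 ))"
}

# check_sid SID RANGE -> one line saying whether the account maps or is dropped.
check_sid() {
    sid=$1 range=$2
    low=${range%-*} high=${range#*-}
    rid=$(rid_from_sid "$sid")
    if id=$(rid_to_id "$rid" "$low" "$high"); then
        printf '%s -> uid %s (inside %s)\n' "$sid" "$id" "$range"
    else
        printf '%s -> uid %s (OUTSIDE %s, winbind ignores this user)\n' "$sid" "$id" "$range"
    fi
}

# Constructed sample SIDs (placeholder domain part). RIDs 9999 and 99999 are
# the two values from the explanation above.
for sid in S-1-5-21-1111-2222-3333-9999 S-1-5-21-1111-2222-3333-99999; do
    check_sid "$sid" 10000-99999     # the range currently in smb.conf
    check_sid "$sid" 10000-999999    # the wider range suggested as a test
done
```

To run this against a real account, get its SID with `wbinfo -n 'DMYDOM\a-sdettmer'` and feed that to `check_sid`; `wbinfo -S <SID>` then shows whether winbind itself can produce a uid for it. Because the rid backend is purely arithmetic, widening the upper end of the range does not change the IDs of users that already mapped, but the new range must still not overlap the '*' default range or any other domain's range in smb.conf.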