Paul Leiber
2025-Apr-14 13:50 UTC
[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Dear Samba list,

I am pulling my hair out over one linux machine (a laptop) joined to my Samba AD domain. On this machine, I can't use domain users to login. wbinfo -u shows AD users, getent passwd doesn't (no output is given). From other linux and windows machines, I can login with AD credentials and getent is working, so I assume that the issue is with that specific member.

I can issue kerberos tickets on this machine for domain members.

If I use wbinfo --verbose -K INTERNAL\\user%password, the output is the following:

plaintext kerberos password authentication for [INTERNAL\user] failed (requesting cctype: FILE)
wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
Could not authenticate user [INTERNAL\user%password] with Kerberos (ccache: FILE)

You can find the sanitized samba info collected with the script samba-collect-debug-info.sh below. I changed a lot of stuff while trying to fix this issue, the smb.conf therefore looks a bit messy. I tried it with a copy of a smb.conf from a working domain member, but that didn't help.

As this is a laptop, NetworkManager is active to provide WiFi access. I don't know NetworkManager very well, I usually prefer the traditional way with /etc/network/interfaces, but in this case, it seemed the right thing to do. I tested a wired ethernet connection as well, with the same results. I am mentioning this because I can't rule out network issues, although I don't think this is the cause.

I don't know what to do anymore. Any hints and advice for troubleshooting are appreciated.

Thanks in advance and best regards,
Paul

Config collected --- 2025-04-14-13:41

-----------
Hostname:   member
DNS Domain: internal.domain.tld
Realm:      INTERNAL.DOMAIN.TLD
FQDN:       member.internal.domain.tld
ipaddress:  192.168.178.51

-----------
This computer is running Debian trixie/sid x86_64

-----------
running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host noprefixroute
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff permaddr ff:ff:ff:ff:ff:ff
    altname wlx4c82a94cd259
    inet 192.168.178.51/8 brd 10.255.255.255 scope global noprefixroute wlp1s0

-----------
Checking file: /etc/hosts

127.0.0.1       localhost
192.168.178.51  member.internal.domain.tld member

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------
Checking file: /etc/resolv.conf

# Generated by NetworkManager
search internal.domain.tld
nameserver 192.168.178.2

-----------
Kerberos SRV _kerberos._tcp.internal.domain.tld record(s) verified ok, sample output:

Server:         192.168.178.2
Address:        192.168.178.2#53

_kerberos._tcp.internal.domain.tld      service = 0 100 88 dc1.internal.domain.tld.
_kerberos._tcp.internal.domain.tld      service = 0 100 88 dc2.internal.domain.tld.

-----------
'kinit Administrator' checked successfully.

-----------
Samba is running as a Unix domain member

-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = INTERNAL.DOMAIN.TLD
    dns_lookup_realm = false
    dns_lookup_KDC = true

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

#hosts:         files myhostname mdns4_minimal [NOTFOUND=return] dns
hosts:          files dns
networks:       files dns

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf

[global]
    security = ADS
    workgroup = INTERNAL
    realm = INTERNAL.DOMAIN.TLD
    server role = member server
    min domain uid = 0
    #bind interfaces only = YES
    #interfaces = lo wlp1s0
    winbind nss info = template
    #winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    log file = /var/log/samba/%m.log
    log level = 3

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # - You must set a domain backend configuration
    # idmap config for the SAMDOM domain
    idmap config INTERNAL:backend = ad
    idmap config INTERNAL:schema_mode = rfc2307
    idmap config INTERNAL:range = 10000-999999
    idmap config INTERNAL:unix_nss_info = yes

    winbind refresh tickets = YES
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    template shell   = /bin/bash
    template homedir = /home/%U

    username map = /etc/samba/user.map

-----------
Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator

Server Role is set to : member server

-----------
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.

-----------
Time on the DC with PDC Emulator role is: 2025-04-14T13:41:13
Time on this computer is:                 2025-04-14T13:41:13
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------
Installed packages:

ii  acl                       2.3.2-2+b1                    amd64  access control list - utilities
ii  attr                      1:2.5.2-3                     amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand           0.2016-2.1                    all    sans-serif font with round attributes
ii  kde-spectacle             4:6.3.4-1                     amd64  Screenshot capture utility
ii  krb5-config               2.7                           all    Configuration files for Kerberos Version 5
ii  krb5-user                 1.21.3-5                      amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.3.2-2+b1                    amd64  access control list - shared library
ii  libattr1:amd64            1:2.5.2-3                     amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.21.3-5                      amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64           1.21.3-5                      amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.21.3-5                      amd64  MIT Kerberos runtime libraries - Support library
ii  libldb2:amd64             2:2.11.0+samba4.22.0+dfsg-3   amd64  LDAP-like embedded database - shared library
ii  libnss-winbind:amd64      2:4.22.0+dfsg-3               amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.22.0+dfsg-3               amd64  Windows domain authentication integration plugin
ii  libsmbclient0:amd64       2:4.22.0+dfsg-3               amd64  shared library for communication with SMB/CIFS servers
ii  libtalloc2:amd64          2:2.4.3+samba4.22.0+dfsg-3    amd64  hierarchical pool based memory allocator
ii  libtdb1:amd64             2:1.4.13+samba4.22.0+dfsg-3   amd64  Trivial Database - shared library
ii  libtevent0t64:amd64       2:0.16.2+samba4.22.0+dfsg-3   amd64  talloc-based event loop library - shared library
ii  libwbclient0:amd64        2:4.22.0+dfsg-3               amd64  Samba winbind client library
ii  python3-ldb               2:2.11.0+samba4.22.0+dfsg-3   amd64  Python 3 bindings for LDB
ii  python3-pylibacl:amd64    0.7.2-1+b1                    amd64  module for manipulating POSIX.1e ACLs (Python3 version)
ii  python3-pyxattr:amd64     0.8.1-1+b6                    amd64  module for manipulating filesystem extended attributes (Python3)
ii  python3-samba             2:4.22.0+dfsg-3               amd64  Python 3 bindings for Samba
ii  python3-talloc:amd64      2:2.4.3+samba4.22.0+dfsg-3    amd64  hierarchical pool based memory allocator - Python3 bindings
ii  python3-tdb               2:1.4.13+samba4.22.0+dfsg-3   amd64  Python3 bindings for TDB
ii  samba                     2:4.22.0+dfsg-3               amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-ad-dc               2:4.22.0+dfsg-3               amd64  Samba control files to run AD Domain Controller
ii  samba-ad-provision        2:4.22.0+dfsg-3               all    Samba files needed for AD domain provision
ii  samba-common              2:4.22.0+dfsg-3               all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.22.0+dfsg-3               amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.22.0+dfsg-3               amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.22.0+dfsg-3               amd64  Samba core libraries
ii  smbclient                 2:4.22.0+dfsg-3               amd64  command-line SMB/CIFS clients for Unix
ii  tdb-tools                 2:1.4.13+samba4.22.0+dfsg-3   amd64  Trivial Database - bundled binaries
ii  winbind                   2:4.22.0+dfsg-3               amd64  service to resolve user and group information from Windows NT servers

-----------
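Two things worth checking mechanically from a posted configuration like the one above are the idmap layout (the default `*` range must stay disjoint from every domain range, as the comment in the smb.conf itself says) and that nsswitch.conf really consults winbind for both passwd and group, since getent depends on that. The script below is an added example, not code from this thread or from Samba; the smb.conf and nsswitch.conf text inside it is a constructed sample modelled on the posted files, and it also flags `min domain uid = 0` because the default of 1000 is what stops winbind from authenticating domain accounts mapped to low uids.

```python
"""Added example (not from the thread): sanity-check a Samba AD member's idmap
layout and nsswitch on constructed samples modelled on the posted configuration."""
import re

SMB_CONF = """\
[global]
   min domain uid = 0
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:range = 10000-999999
"""
NSSWITCH = "passwd: files systemd winbind\ngroup: files systemd winbind\n"
IDMAP_RE = re.compile(r"^\s*idmap config\s*([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return idmap

def check_idmap(conf):
    """List problems with the idmap layout; an empty list means it is sane."""
    problems = []
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in parse_idmap(conf).items() if "range" in o}
    names = list(ranges)
    for i, a in enumerate(names):          # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    m = re.search(r"^\s*min domain uid\s*=\s*(\d+)", conf, re.M | re.I)
    if m and int(m.group(1)) < 1000:       # default is 1000; lower weakens the guard
        problems.append("min domain uid below 1000 lets winbind authenticate low uids")
    return problems

def nss_uses_winbind(nss):
    """True when both passwd and group in nsswitch.conf consult winbind."""
    dbs = {}
    for line in nss.splitlines():
        line = line.split("#", 1)[0]       # ignore comments
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return all("winbind" in dbs.get(db, []) for db in ("passwd", "group"))
```

Running check_idmap on the posted layout reports only the min domain uid setting; the ranges 3000-7999 and 10000-999999 are disjoint, which is the right shape for a member with a tdb default domain and an ad backend for INTERNAL.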
Rowland Penny
2025-Apr-14 19:11 UTC
[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
On Mon, 14 Apr 2025 15:50:50 +0200
Paul Leiber via samba <samba at lists.samba.org> wrote:

> Dear Samba list,
>
> I am pulling my hair out over one linux machine (a laptop) joined to
> my Samba AD domain. On this machine, I can't use domain users to
> login. wbinfo -u shows AD users, getent passwd doesn't (no output is
> given). From other linux and windows machines, I can login with AD
> credentials and getent is working, so I assume that the issue is with
> that specific member.
>
> I can issue kerberos tickets on this machine for domain members.
>
> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
> the following:
> plaintext kerberos password authentication for [INTERNAL\user] failed
> (requesting cctype: FILE)
> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
> (0xc000006d)
> error message was: The attempted logon is invalid. This is either due
> to a bad username or authentication information.
> Could not authenticate user [INTERNAL\user%password] with Kerberos
> (ccache: FILE)
>
> You can find the sanitized samba info collected with the script
> samba-collect-debug-info.sh below. I changed a lot of stuff while
> trying to fix this issue, the smb.conf therefore looks a bit messy. I
> tried it with a copy of a smb.conf from a working domain member, but
> that didn't help.
>

I haven't seen the output from that script for a very long time, but it all appears to be what is expected, so my first thought is: is there a firewall getting in the way?

Rowland
Piviul
2025-Apr-15 04:34 UTC
[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
On 14/04/25 15:50, Paul Leiber via samba wrote:

> Dear Samba list,
>
> I am pulling my hair out over one linux machine (a laptop) joined to
> my Samba AD domain. On this machine, I can't use domain users to
> login. wbinfo -u shows AD users, getent passwd doesn't (no output is
> given). From other linux and windows machines, I can login with AD
> credentials and getent is working, so I assume that the issue is with
> that specific member.
>
> I can issue kerberos tickets on this machine for domain members.
>
> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
> the following:
> plaintext kerberos password authentication for [INTERNAL\user] failed
> (requesting cctype: FILE)
> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
> (0xc000006d)
> error message was: The attempted logon is invalid. This is either due
> to a bad username or authentication information.
> Could not authenticate user [INTERNAL\user%password] with Kerberos
> (ccache: FILE)
>
> You can find the sanitized samba info collected with the script
> samba-collect-debug-info.sh below. I changed a lot of stuff while
> trying to fix this issue, the smb.conf therefore looks a bit messy. I
> tried it with a copy of a smb.conf from a working domain member, but
> that didn't help.
>
> As this is a laptop, NetworkManager is active to provide WiFi access.
> I don't know NetworkManager very well, I usually prefer the
> traditional way with /etc/network/interfaces, but in this case, it
> seemed the right thing to do. I tested a wired ethernet connection as
> well, with the same results. I am mentioning this because I can't rule
> out network issues, although I don't think this is the cause.
>
> I don't know what to do anymore. Any hints and advice for
> troubleshooting are appreciated.

Hi Paul, what about the date/time on the laptop? Are you sure that the date/time is set correctly?

Piviul