Rowland Penny
2025-May-25 11:14 UTC
[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
On Sun, 25 May 2025 11:39:19 +0200
Paul Leiber via samba <samba at lists.samba.org> wrote:

> Meanwhile (with both DC1 and the formerly missing DC2 online), I
> unjoined the domain, stopped samba on the member, deleted samba .tdb
> cache files, and rejoined using net ads join --no-dns-updates -U
> administrator, then I started samba services.
>
> The output of the attempt to join showed different errors this time:
>
> gensec_gse_client_prepare_ccache: Kinit for
> MEMBER$@SAMDOM.EXAMPLE.COM to access ldap/DC1.SAMDOM.EXAMPLE.COM
> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
> gensec_gse_client_prepare_ccache: Kinit for
> MEMBER$@SAMDOM.EXAMPLE.COM to access cifs/DC1.SAMDOM.EXAMPLE.COM
> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE

Unless you have pre-created the required records in AD, those errors
are to be expected if you use '--no-dns-updates'.

> Using short domain name -- SAMDOM
> Joined 'MEMBER' to dns domain 'SAMDOM.EXAMPLE.COM'
>
> I still am not getting information on domain users with getent
> passwd. wbinfo -u shows all domain users.

For getent to show users & groups, a few things need to be configured:

The computer needs to be joined to the AD domain; this appears to be
correct.
You need to have a correctly configured smb.conf; this appears to be
correct.
You need to have libnss-winbind & libpam-winbind installed; these
appear to be installed.
The 'passwd' & 'group' lines in /etc/nsswitch.conf need to contain
'winbind', which they do.

Finally this leaves, because you are using the 'ad' idmap config
backend, the rfc2307 attributes in AD. Every user you want visible
to Unix must have a uidNumber attribute containing a number inside the
range set in your smb.conf (in your case 10000-999999); any uidNumber
attributes outside that range will be ignored.
Every group you want visible to Unix must have a gidNumber attribute
containing a number inside the same range; again, any gidNumber
attribute outside the range will be ignored. It is very important that
Domain Users has a gidNumber; without that gidNumber, all AD users &
groups will be invisible to Unix.

There is an easy way to check the connection to AD: change 'idmap
config INTERNAL:backend = ad' to 'idmap config INTERNAL:backend = rid'
and restart Samba. If you then get a response from 'getent passwd
USERNAME', then it is a problem with the rfc2307 attributes in AD; if
you still get nothing, then you may have connection problems (firewall
etc).

Rowland
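As an added illustration of the checklist above (example code, not from the thread or from Samba), a small POSIX shell checker that reads the idmap range for a domain from smb.conf and an LDIF export of AD users and groups, then reports which entries winbind's 'ad' backend would skip because their uidNumber/gidNumber is missing or outside the range. The smb.conf and LDIF contents are constructed samples, and the domain name SAMDOM is taken from the thread.

```shell
# Added example, not from the thread or from Samba: checks the 'ad' idmap
# backend preconditions from the checklist. smb.conf and LDIF are constructed.
SMB_CONF=$(mktemp); LDIF=$(mktemp)
cat >"$SMB_CONF" <<'EOF'
[global]
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
EOF
cat >"$LDIF" <<'EOF'
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob
uidNumber: 5000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
EOF

# Print "LOW HIGH" of the idmap range configured for one domain in smb.conf.
idmap_range() {
    awk -v dom="$(echo "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ "idmap config *" dom " *: *range *=" {
            sub(/.*=[ \t]*/, ""); split($0, r, "-"); print r[1], r[2]; exit }' "$1"
}

# One line per LDIF entry: OK when its uidNumber/gidNumber lies inside the
# range, SKIP (with the reason) when the attribute is missing or outside it.
check_entries() {  # $1 smb.conf  $2 domain  $3 ldif
    range=$(idmap_range "$1" "$2"); low=${range% *}; high=${range#* }
    awk -v low="$low" -v high="$high" 'BEGIN { RS = ""; FS = "\n" }
        { name = ""; val = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
              else if ($i ~ /^(uid|gid)Number: /) val = substr($i, 12) }
          if (name == "") next
          if (val == "") print "SKIP no uidNumber/gidNumber: " name
          else if (val + 0 < low + 0 || val + 0 > high + 0)
              print "SKIP " val " outside " low "-" high ": " name
          else print "OK " val ": " name }' "$3"
}

# The key point from the checklist: no gidNumber on Domain Users means no
# AD user becomes visible to Unix at all.
domain_users_ok() { check_entries "$1" "$2" "$3" | grep -q '^OK .*: Domain Users$'; }

check_entries "$SMB_CONF" SAMDOM "$LDIF"
```

On a real member you would feed it your own smb.conf and the output of an LDAP query that returns sAMAccountName, uidNumber and gidNumber for the users and groups in question.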
Paul Leiber
2025-May-28 07:49 UTC
[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
On 25.05.2025 at 13:14, Rowland Penny via samba wrote:
> On Sun, 25 May 2025 11:39:19 +0200
> Paul Leiber via samba <samba at lists.samba.org> wrote:
>
>> Meanwhile (with both DC1 and the formerly missing DC2 online), I
>> unjoined the domain, stopped samba on the member, deleted samba .tdb
>> cache files, and rejoined using net ads join --no-dns-updates -U
>> administrator, then I started samba services.
>>
>> The output of the attempt to join showed different errors this time:
>>
>> gensec_gse_client_prepare_ccache: Kinit for
>> MEMBER$@SAMDOM.EXAMPLE.COM to access ldap/DC1.SAMDOM.EXAMPLE.COM
>> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
>> gensec_gse_client_prepare_ccache: Kinit for
>> MEMBER$@SAMDOM.EXAMPLE.COM to access cifs/DC1.SAMDOM.EXAMPLE.COM
>> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
>
> Unless you have pre-created the required records in AD, those errors
> are to be expected if you use '--no-dns-updates'.
>
>> Using short domain name -- SAMDOM
>> Joined 'MEMBER' to dns domain 'SAMDOM.EXAMPLE.COM'
>>
>> I still am not getting information on domain users with getent
>> passwd. wbinfo -u shows all domain users.
>
> For getent to show users & groups, a few things need to be configured:
>
> The computer needs to be joined to the AD domain; this appears to be
> correct.
> You need to have a correctly configured smb.conf; this appears to be
> correct.
> You need to have libnss-winbind & libpam-winbind installed; these
> appear to be installed.
> The 'passwd' & 'group' lines in /etc/nsswitch.conf need to contain
> 'winbind', which they do.
>
> Finally this leaves, because you are using the 'ad' idmap config
> backend, the rfc2307 attributes in AD. Every user you want visible
> to Unix must have a uidNumber attribute containing a number inside the
> range set in your smb.conf (in your case 10000-999999); any uidNumber
> attributes outside that range will be ignored.
> Every group you want visible to Unix must have a gidNumber attribute
> containing a number inside the same range; again, any gidNumber
> attribute outside the range will be ignored. It is very important that
> Domain Users has a gidNumber; without that gidNumber, all AD users &
> groups will be invisible to Unix.

Tested that (changing backend from ad to rid), no change.

> There is an easy way to check the connection to AD: change 'idmap
> config INTERNAL:backend = ad' to 'idmap config INTERNAL:backend = rid'
> and restart Samba. If you then get a response from 'getent passwd
> USERNAME', then it is a problem with the rfc2307 attributes in AD; if
> you still get nothing, then you may have connection problems (firewall
> etc).

Success! I switched from a wireless connection to a wired connection,
and now getent passwd gives the correct output.

Now I need to figure out why this laptop has issues with the wireless
connection. (Windows systems including this same laptop connect just
fine to AD on the same SSID, and I even think that a Linux installation
on the same laptop didn't have this issue in a previous installation;
that's why I didn't check a wired connection earlier.) I suspect some
NetworkManager configuration plays a role. I'll put an update to the
list once I know more.

Thanks for the hints so far, and for pointing out where I went wrong!

Paul