[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)

Steffen Dettmer steffen.dettmer+samba at gmail.com
Sat Mar 16 20:33:59 UTC 2024


Hi,

after I set up one working Samba today, I tried to do exactly the same
in another domain.
I created a privileged Debian 12 container and installed Samba.
I have an MS Windows-driven AD (3 DCs). At first I did not have everything
in upper case in krb5.conf. I learnt that uppercase is needed and fixed it.
To be sure, I left the domain, killed the container and started again from
scratch (hoping nothing is stored anywhere).

I can't get getent passwd working:

   getent passwd 'DMYDOM\a-sdettmer'

it returns just nothing. wbinfo -u works. Before starting from
scratch, I tried many things I found with Google, but without success.

Could someone please take a look and enlighten me? Probably I forgot
something or configured something wrong, but I have failed to find it
for many hours now. :(

Any help appreciated!

Steffen

Some diagnostics.

First, the two config files that I changed:

-----[ /etc/krb5.conf BEGIN ]----
[libdefaults]
        default_realm = DMYDOM.INT
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        DMYDOM.INT = {
                default_domain = dom.local
        }

[domain_realm]
        A2NAS = DMYDOM.INT
-----[ /etc/krb5.conf END ]----

-----[ /etc/samba/smb.conf BEGIN ]----
[global]
     security = ADS
     workgroup = DMYDOM
     realm = DMYDOM.INT

     log file = /var/log/samba/log.%m
     max log size = 1000
     logging = file
     panic action = /usr/share/samba/panic-action %d
     obey pam restrictions = yes
     pam password change = yes
     winbind use default domain = yes
     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config DMYDOM : backend = rid
     idmap config DMYDOM : range = 10000-99999
     template shell = /bin/bash
     template homedir = /home/%U
     usershare allow guests = yes
     disable netbios = yes

     vfs objects = acl_xattr
     map acl inherit = yes

[homes]
     comment = Home Directories
     browseable = no
     read only = no
     create mask = 0700
     directory mask = 0700
     valid users = %S
-----[ /etc/samba/smb.conf END ]----

Some commands I tried as diagnostics (after $) and their output:

$ wbinfo -p
Ping to winbindd succeeded

$ wbinfo --ping-dc
checking the NETLOGON for domain[DMYDOM] dc connection to "a2-dc2.DMYDOM.int" succeeded

$ wbinfo -t
checking the trust secret for domain DMYDOM via RPC calls succeeded

$ wbinfo -u | grep dett
a-sdettmer
sdettmer
$ wbinfo -u | wc -l
723

$ getent passwd 'DMYDOM\a-sdettmer'

$ grep winbind /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind

$ getent passwd | wc -l
24

$ cat /etc/passwd | wc -l
24

$ wbinfo -K 'DMYDOM\a-sdettmer'
Enter DMYDOM\a-sdettmer's password:
plaintext kerberos password authentication for [DMYDOM\a-sdettmer] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

$ kinit a-sdettmer
Password for a-sdettmer@DMYDOM.INT:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: a-sdettmer@DMYDOM.INT

Valid starting       Expires              Service principal
03/16/2024 21:24:02  03/17/2024 07:24:02  krbtgt/DMYDOM.INT@DMYDOM.INT
        renew until 03/17/2024 21:24:00
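The symptom in the post (wbinfo resolves users and authenticates them, but getent passwd returns nothing) sits on the boundary between winbindd and the glibc NSS layer. The script below is an added diagnostic helper, not part of the original post and not Samba's own tooling. It assumes two things that are not stated on the page: that the idmap "rid" backend assigns uid = RID + low end of the configured range (base_rid defaulting to 0), and that the winbind NSS module is installed as libnss_winbind.so.2 in the usual Debian library directories (package libnss-winbind). The sample nsswitch.conf content and the SIDs used for the offline checks are constructed for illustration; the live part (wbinfo -n / wbinfo -i / getent) only runs when wbinfo is present on the host.

```shell
#!/bin/sh
# Added diagnostic helper for "wbinfo works but getent passwd returns nothing".
# Not from the original post. Assumptions (labelled): the idmap "rid" backend
# assigns uid = RID + low end of the configured range (base_rid = 0), and the
# glibc NSS module for winbind is installed as libnss_winbind.so.2 (Debian
# package libnss-winbind). The sample nsswitch content and SIDs below are
# constructed for illustration.

RANGE_LOW=10000     # from "idmap config DMYDOM : range = 10000-99999"
RANGE_HIGH=99999

# rid_to_uid SID
# Prints the uid the rid backend would hand out for SID, or prints nothing and
# returns 1 when the RID falls outside the range (winbind then cannot map the
# user and NSS lookups silently return nothing).
rid_to_uid() {
    rid=${1##*-}
    case $rid in
        ''|*[!0-9]*) return 1 ;;
    esac
    uid=$((rid + RANGE_LOW))
    [ "$uid" -le "$RANGE_HIGH" ] || return 1
    echo "$uid"
}

# nss_lists_winbind FILE
# Returns 0 only when both the passwd and group lines of FILE name winbind.
nss_lists_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# nss_module_present
# glibc loads libnss_<name>.so.2 from the library path; nsswitch.conf listing
# "winbind" does nothing if that file is missing. Paths are the usual Debian
# locations (assumption).
nss_module_present() {
    for f in /lib/*/libnss_winbind.so.2 /usr/lib/*/libnss_winbind.so.2 /lib/libnss_winbind.so.2; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# check_user DOMAIN\\user
# Live check, only meaningful on a joined host: resolve the SID with wbinfo -n,
# ask winbind for the uid with wbinfo -i, then compare with getent. A user that
# wbinfo -i resolves but getent does not points at NSS (module or nsswitch),
# not at the domain join.
check_user() {
    user=$1
    sid=$(wbinfo -n "$user" 2>/dev/null | awk '{print $1}')
    [ -n "$sid" ] || { echo "wbinfo -n failed for $user"; return 1; }
    expected=$(rid_to_uid "$sid") || { echo "RID of $sid is outside $RANGE_LOW-$RANGE_HIGH"; return 1; }
    echo "SID $sid -> expected uid $expected"
    echo "wbinfo -i: $(wbinfo -i "$user" 2>&1)"
    echo "getent:    $(getent passwd "$user" 2>&1)"
}

# Constructed sample nsswitch.conf, matching what the post shows.
sample_nss=$(mktemp)
cat > "$sample_nss" <<'EOF'
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
EOF
if nss_lists_winbind "$sample_nss"; then
    echo "nsswitch: winbind listed for passwd and group"
fi
rm -f "$sample_nss"

if nss_module_present; then
    echo "libnss_winbind.so.2 found"
else
    echo "libnss_winbind.so.2 NOT found: getent cannot reach winbindd without it (Debian: libnss-winbind)"
fi

if command -v wbinfo >/dev/null 2>&1; then
    check_user "${1:-DMYDOM\\a-sdettmer}"
fi
```

Run it on the joined host as root, optionally passing the DOMAIN\user to inspect. The offline functions are the interesting part for reading the post: a user whose RID plus 10000 exceeds 99999 gets no uid at all from the rid backend, and a missing libnss_winbind.so.2 makes the winbind entries in nsswitch.conf inert, both of which produce exactly an empty getent result while wbinfo keeps working.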
