[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)

Rowland Penny rpenny at samba.org
Sat Mar 16 20:44:35 UTC 2024


On Sat, 16 Mar 2024 21:33:59 +0100
Steffen Dettmer via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> after I set up one working Samba today, I tried to do exactly the same
> in another domain.
> I created a privileged debian12 container and installed samba.
> I have a MS Win driven AD (3 DCs). At first I did not have everything in
> upper case in krb.conf. I learnt uppercase is needed and fixed it. To be
> sure, I left the domain, killed the container and started again from
> scratch (hope nothing is stored anywhere).
> 
> I don't get getent passwd working:
> 
>    getent passwd 'DMYDOM\a-sdettmer'
> 
> it returns just nothing. wbinfo -u works. Before starting from
> scratch, I tried many things I found with Google but I had no success.
> 
> Could someone please take a look and enlighten me? Probably I forgot
> something or configured something wrong, but I have just failed to find
> it for many hours. :(
> 
> Any help appreciated!
> 
> Steffen
> 
> Some Diagnostics.
> 
> First the two config files that I changed:
> 
> -----[ /etc/krb5.conf BEGIN ]----
> [libdefaults]
>         default_realm = DMYDOM.INT
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> [realms]
>         DMYDOM.INT = {
>                 default_domain = dom.local
>         }
> 
> [domain_realm]
>         A2NAS = DMYDOM.INT
> -----[ /etc/krb5.conf END ]----
> 
> -----[ /etc/samba/smb.conf BEGIN ]----
> [global]
>      security = ADS
>      workgroup = DMYDOM
>      realm = DMYDOM.INT
> 
>      log file = /var/log/samba/log.%m
>      max log size = 1000
>      logging = file
>      panic action = /usr/share/samba/panic-action %d
>      obey pam restrictions = yes
>      pam password change = yes
>      winbind use default domain = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config DMYDOM : backend = rid
>      idmap config DMYDOM : range = 10000-99999
>      template shell = /bin/bash
>      template homedir = /home/%U
>      usershare allow guests = yes
>      disable netbios = yes
> 
>      vfs objects = acl_xattr
>      map acl inherit = yes
> 
> [homes]
>      comment = Home Directories
>      browseable = no
>      read only = no
>      create mask = 0700
>      directory mask = 0700
>      valid users = %S
> -----[ /etc/samba/smb.conf END ]----
> 
> Some commands I tried as diagnostics (after $) and their output:
> 
> $ wbinfo -p
> Ping to winbindd succeeded
> 
> $ wbinfo --ping-dc
> checking the NETLOGON for domain[DMYDOM] dc connection to
> "a2-dc2.DMYDOM.int" succeeded
> 
> $ wbinfo -t
> checking the trust secret for domain DMYDOM via RPC calls succeeded
> 
> $ wbinfo -u | grep dett
> a-sdettmer
> sdettmer
> $ wbinfo -u | wc -l
> 723
> 
> $ getent passwd 'DMYDOM\a-sdettmer'
> 
> $ grep winbind /etc/nsswitch.conf
> passwd:         files systemd winbind
> group:          files systemd winbind
> 
> $ getent passwd | wc -l
> 24
> 
> $ cat /etc/passwd | wc -l
> 24
> 
> $ wbinfo -K 'DMYDOM\a-sdettmer'
> Enter DMYDOM\a-sdettmer's password:
> plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
> 
> $ kinit a-sdettmer
> Password for a-sdettmer at DMYDOM.INT:
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: a-sdettmer at DMYDOM.INT
> 
> Valid starting       Expires              Service principal
> 03/16/2024 21:24:02  03/17/2024 07:24:02  krbtgt/DMYDOM.INT at DMYDOM.INT
>         renew until 03/17/2024 21:24:00
> 

Have you installed libpam-winbind & libnss-winbind ?

Rowland
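The situation in the original post (wbinfo -u lists the domain users but getent passwd returns nothing) means winbindd itself is healthy and the break is between glibc's NSS layer and winbind. The following script is an added diagnostic, not something posted in this thread or shipped by Samba; it checks the three things that have to line up for getent to see AD users: nsswitch.conf lists winbind for passwd and group, the NSS module libnss_winbind.so.2 is actually installed (on Debian that is the libnss-winbind package), and getent agrees with wbinfo for one sample user. The library directories searched and the default user name are assumptions taken from a Debian 12 layout and from the post.

```shell
#!/bin/sh
# Added diagnostic for "wbinfo works, getent does not" (not from the thread).
# Usage: sh check_nss_winbind.sh [nsswitch.conf] ['DOMAIN\user']

# Return 0 if database $2 (e.g. passwd) in nsswitch file $1 lists winbind.
# Comment lines are skipped; the database name must be the first field.
nss_has_winbind() {
    nss_file=$1; db=$2
    awk -v db="$db" '
        $0 !~ /^[[:space:]]*#/ && $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }' "$nss_file"
}

# Return 0 if glibc can find libnss_<name>.so.2 in one of the usual library
# directories (assumed Debian/multiarch layout; adjust for other distros).
nss_module_present() {
    for d in /lib /lib64 /usr/lib /usr/lib64 /lib/*-linux-gnu* /usr/lib/*-linux-gnu*; do
        [ -e "$d/libnss_$1.so.2" ] && return 0
    done
    return 1
}

# Compare the winbind view of a user with the NSS view; the gap between the
# two is exactly what libnss-winbind bridges.
check_user() {
    user=$1
    if ! wbinfo -i "$user" >/dev/null 2>&1; then
        echo "FAIL: winbind itself cannot resolve $user (wbinfo -i)"
        return 1
    fi
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "FAIL: winbind resolves $user but NSS does not:"
        echo "      install libnss-winbind and list winbind in nsswitch.conf"
        return 1
    fi
    echo "ok: $user resolves via both winbind and NSS"
}

main() {
    nss=${1:-/etc/nsswitch.conf}
    user=${2:-'DMYDOM\a-sdettmer'}   # sample user from the post
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$nss" "$db"; then
            echo "ok: $db uses winbind in $nss"
        else
            echo "MISSING: add winbind to the $db line in $nss"; rc=1
        fi
    done
    if nss_module_present winbind; then
        echo "ok: libnss_winbind.so.2 found"
    else
        echo "MISSING: libnss_winbind.so.2 (Debian package libnss-winbind)"; rc=1
    fi
    check_user "$user" || rc=1
    return $rc
}

main "$@"
```

The script only reports; it changes nothing on the host. A non-zero exit means at least one of the three links is missing, and the messages say which one, so it can be dropped into a container build check after `net ads join` to catch a forgotten libnss-winbind before users are expected to log in.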


