[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)

Rowland Penny rpenny at samba.org
Sun Mar 17 11:22:03 UTC 2024


On Sun, 17 Mar 2024 11:36:51 +0100
Steffen Dettmer <steffen.dettmer+samba at gmail.com> wrote:

> On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> > On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > >    getent passwd 'DMYDOM\a-sdettmer'
> > >    [nothing]
> > Have you installed libpam-winbind & libnss-winbind ?
> 
> Thank you for your quick response again!
> Yes, I have libpam-winbind and libnss-winbind.
> 
> I just today noticed (due to a typo in my test yesterday :() that some
> accounts do work! Apparently mine, which are in a special group in AD
> are not showing up. Apparently roughly half gets returned by getent,
> half does not.
> 
> I looked at the output of win powershell "Get-ADUser -Identity user
> -Properties * > user.txt", but I don't see a pattern between example
> users that show up and others that don't. Maybe it is a condition like
> "field surname must exist and contain letters only" or such?
> 
> How do I find who (possibly libnss-winbind?) rejects some of the AD
> users? Enable some PAM debug? /var/log/samba and journalctl revealed
> nothing to my eyes.
> 
> Steffen
> 
> 
> 
> Diagnostics:
> 
> # apt install -y libpam-winbind libnss-winbind
> libpam-winbind is already the newest version
> (2:4.17.12+dfsg-0+deb12u1). libnss-winbind is already the newest
> version (2:4.17.12+dfsg-0+deb12u1). 0 upgraded, 0 newly installed, 0
> to remove and 0 not upgraded.

It isn't the newest version available; you can get 4.19.5 from
bookworm-backports. Not that this has anything to do with your problem.

> 
> It appears in PAM:
> 

PAM is set up correctly.

From reading your first post again, in /etc/krb5.conf, you have these
lines:

default_realm = DMYDOM.INT
'''''
default_domain = dom.local

The latter should be the lowercase version of the former i.e.
'mydom.int' and not 'dom.local' (also I hope that '.local' is
sanitisation for the real TLD).

Other than that, everything you have posted appears to be correct.

What could be happening is that the 'rid' backend is ignoring your
users.

The 'rid' backend works by obtaining the user's RID and then calculating
the Unix ID from that and the low range set in smb.conf:

ID = RID + low range start

You are using '10000' as the low range start, so that becomes:

ID = RID + 10000

So if the RID was 9999, the ID would be '19999', which is less than
your high range end of '99999'.

However, if the RID was '99999', the ID would be '109999', which is
over your high range end and as a result, your user would be ignored.

Quick test: change 'idmap config DMYDOM : range = 10000-99999' to
'idmap config DMYDOM : range = 10000-999999', then reload the config with
smbcontrol or restart Samba.

Rowland
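As an added example (not code from either poster or from Samba), the following Python models the 'rid' backend arithmetic described above and shows which constructed SIDs would fall outside the configured range and so be invisible to getent. The smb.conf fragment and the SIDs are constructed; the domain part of the SIDs is a placeholder.

```python
import re

# Constructed smb.conf fragment modelled on the settings discussed in the thread.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DMYDOM : backend = rid
    idmap config DMYDOM : range = 10000-99999
"""

RANGE_RE = re.compile(
    r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def rid_of(sid):
    """The RID is the last sub-authority of a domain account SID (S-1-5-21-...)."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError(f"not a domain account SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(sid, low, high):
    """Mimic the rid backend: ID = RID + low range start.

    Returns None when the result lands outside [low, high]; winbind then
    leaves the account unmapped and getent shows nothing for it.
    """
    unix_id = rid_of(sid) + low
    return unix_id if low <= unix_id <= high else None


def audit(sids, low, high):
    """Map each SID and report which ones would be dropped by the range check."""
    mapped = {sid: rid_backend_id(sid, low, high) for sid in sids}
    dropped = sorted(sid for sid, uid in mapped.items() if uid is None)
    return mapped, dropped


if __name__ == "__main__":
    # Constructed SIDs; the 'S-1-5-21-1-2-3' domain part is a placeholder.
    low, high = parse_idmap_ranges(SMB_CONF)["DMYDOM"]
    sids = ["S-1-5-21-1-2-3-9999", "S-1-5-21-1-2-3-99999"]
    print(audit(sids, low, high))          # second SID dropped with range 10000-99999
    print(audit(sids, low, 999999))        # both mapped once the range is widened
```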
