[Samba] getent passwd blank response

Bob Wooden bob at donelsontrophy.com
Mon Aug 17 11:44:55 UTC 2020

On 8/17/20 6:29 AM, L.P.H. van Belle via samba wrote:
> And run this one again for me:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
root@mbr04:~# ./samba-collect-debug-info.sh
Please wait, collecting debug info.

Password for Administrator@subdom.example.com:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.

The debug info about your system can be found in this file: 
Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root@mbr04:~# cat /tmp/samba-debug-info.txt
Collected config  --- 2020-08-17-06:34 -----------

Hostname: mbr04
DNS Domain: subdom.example.com
FQDN: mbr04.subdom.example.com


Kerberos SRV _kerberos._tcp.subdom.example.com record verified ok, sample output:

_kerberos._tcp.subdom.example.com    service = 0 100 88 
_kerberos._tcp.subdom.example.com    service = 0 100 88 
Samba is running as a Unix domain member

        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.5 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
2: enp1s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:25:90:0d:d2:02 brd ff:ff:ff:ff:ff:ff
3: enp1s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:25:90:0d:d2:03 brd ff:ff:ff:ff:ff:ff
4: enp3s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:25:90:39:1e:e4 brd ff:ff:ff:ff:ff:ff
5: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:25:90:39:1e:e5 brd ff:ff:ff:ff:ff:ff
6: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
     link/ether 00:02:c9:54:2a:e2 brd ff:ff:ff:ff:ff:ff
     inet brd scope global enp4s0
     inet6 fe80::202:c9ff:fe54:2ae2/64 scope link

        Checking file: /etc/hosts    localhost    mbr04.subdom.example.com    mbr04

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

fe80::202:c9ff:fe54:2ae2    mbr04.subdom.example.com    mbr04


        Checking file: /etc/resolv.conf

search subdom.example.com


        Checking file: /etc/krb5.conf

      default_realm = SUBDOM.EXAMPLE.COM
      dns_lookup_kdc = true
      dns_lookup_realm = false
  ;    forwardable = true
  ;    proxiable = true
  ;    ticket_lifetime = 24h
  ;    renew_lifetime = 7d
  ;    ccache_type = 4
  ; Enable this one if you have a tight setup where only the user can enter the user home dir.
  ; You might need it with cifs mounts, nfs mounts
  ;    ignore_k5login = true

  ; A note: This is not used for nfs4 but cifs uses it.
  ; for Windows 2003
  ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  ; for Windows 2008 with AES
      default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


        Checking file: /etc/samba/smb.conf

# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000

# netbios name = By default this is "hostname -s" but in caps.
realm = subdom.example.com
workgroup = DOM
security = ADS

# set master browser for the network.
# preffered + domain master = yes = guarantee master browser ( man smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000

## map ids from the domain  the range may not overlap !
idmap config DOM : backend = ad
idmap config DOM : schema_mode = rfc2307
idmap config DOM : range = 10000-999999
idmap config DOM : unix_nss_info = yes
idmap config DOM : unix_primary_group = yes    ##added per L email 

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users  = yes
winbind enum groups = yes

# Check depth of nested groups, ! slows down you samba, if to much groups depth
# Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

# Included per Louis' member sacript
include = /etc/samba/smb-shares.conf

######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf


Running as Unix domain member and user.map detected.

Contents of /etc/samba/samba_usermapping

!root = DOM\Administrator DOM\administrator

Server Role is set to :  auto


Installed packages:
ii  acl                            2.2.53-4 amd64        access control list - utilities
ii  attr                           1:2.4.48-4 amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6 all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3 all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3 amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4 amd64        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4 amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3 amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.12.5+dfsg-2.1buster1 amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.8-2+deb10u1 amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.12.5+dfsg-2.1buster1 amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.12.5+dfsg-2.1buster1 amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.12.5+dfsg-2.1buster1 amd64        Samba winbind client library
ii  python3-samba                  2:4.12.5+dfsg-2.1buster1 amd64        Python 3 bindings for Samba
ii  samba                          2:4.12.5+dfsg-2.1buster1 amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.12.5+dfsg-2.1buster1 all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.12.5+dfsg-2.1buster1 amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.12.5+dfsg-2.1buster1 amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.12.5+dfsg-2.1buster1 amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.12.5+dfsg-2.1buster1 amd64        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.12.5+dfsg-2.1buster1 amd64        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.12.5+dfsg-2.1buster1 amd64        service to resolve user and group information from Windows NT servers


(Sent from home location.)

Bob Wooden
