[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Rowland Penny rpenny at samba.org
Tue Apr 25 16:01:33 UTC 2023

On 25/04/2023 16:34, Gary Dale via samba wrote:
> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>> root at TheLibrarian:~# ls -l /srv/
>>> total 4
>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>> Why is the group being shown as a number rather than by name (which 
>> ends in '512' so is probably Domain Admins, which shouldn't have a 
>> gidNumber, it breaks sysvol when using the 'ad idmap backend)
>> Is /etc/nsswitch.conf setup correctly ? arre libpam-winbind and 
>> libnss-winbind installed ?
>> Rowland
> Both are installed from backports (version 4.17.7).
> /etc/nsswitch.conf reads:
> passwd:         db files winbind systemd
> group:          db files winbind systemd

I had to look up what 'db' was, never come across it before, I do not 
know who put it there, but I would remove every mention of it from 

> shadow:         files
> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4 

How did 'wins get there ? AD does not use it, so I would remove it, in 
fact, I would remove the mdns4 stuff as well, leaving just this

hosts:          files dns

> mymachines
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> I can't see any mention of any configuration for libpam-winbind.

You do not need to configure, just install it and ensure that 'winbind' 
is in the passwd and group lines.

  When I
> look at 
> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, 
> there isn't much there. Under Configuring PAM, it just lists the 
> utilities but doesn't say what you are supposed to do with them. It also 
> shows an example for enabling SSH authentication on a Red Hat system, 
> but I never use password authentication for SSH. I use certificates.

That is the problem, PAM is set up differently depending on the distro, 
so you have to refer to the distros documentation. However, Debian does 
most of the required modifications for you, run 'pam-auth-update' to see 
what is available and if it is already in use.

> The man page for pam-auth-update isn't helpful but looking at the 
> individual /etc/pam.dl files, they seem to have mention of winbind and 
> kerberos.
> I note that:
> root at TheLibrarian:~# net rpc group list -U Administrator  ## same 
> results from my workstation.
> Password for [HOME\Administrator]:
> Could not connect to server

It is trying to to connect to a non-existing server on localhost, you 
will need to use '-S <DC_hostname>'

> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> but the command(s) work on DC1. Both machines were joined to the domain 
> and both show in the list of domain computers.


More information about the samba mailing list