[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Rowland Penny rpenny at samba.org
Wed Apr 26 17:54:45 UTC 2023

On 26/04/2023 18:27, Gary Dale via samba wrote:

> No. I am running the tests suggested by the various Samba wiki pages. I 
> can do a getent passwd <local account> on my workstation and on my file 
> & print server but I can't do a getent passwd <domain account> except on 
> my DC. I explicitly showed that in the message before the one you 
> replied to. I also showed how I can't do a login to a domain account 
> except on the DC.
> This failure to get domain account information seems likely to be at the 
> heart of the problems I'm having.

So you are running 'getent passwd gary' and getting no output, this is 
usually caused by libpam-winbind and libnss-winbind not being installed, 
or /etc/nsswitch.conf not being configured correctly, the relevant lines 
from mine look like this:

passwd:         files winbind
group:          files winbind

Or pam-auth-update is configured correctly, again these are the lines 
from mine:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group ...
[*] Create home directory on login

Or you are using the 'ad' idmap backend on a Unix domain member and 
haven't added a uidNumber attribute to the users and added a gidNumber 
attribute to the Domain Users group. The numbers you use in these 
attributes have to be unique, though you can use the same range for 
users and groups, that is 'gary' could have the ID 10000 and Domain 
Users could also have the same ID 10000. Whatever numbers you use, the Domain 
idmap config line in smb.conf must enclose those numbers e.g.
idmap config DOMAIN : range = 10000-999999

You may have done all of these, if so I will have another think.
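
The nsswitch.conf and idmap range causes listed in the message above can be checked mechanically. The script below is an added example, not part of the original post or of Samba: the function names are hypothetical, the file contents are constructed samples, and the domain name is assumed to be a plain NetBIOS name with no regex metacharacters.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# Succeeds if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Prints "LOW HIGH" from the "idmap config DOMAIN : range = LOW-HIGH" line
# of smb.conf file $1 for domain $2; prints nothing if there is no such line.
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Succeeds if numeric ID $1 (a uidNumber or gidNumber) lies inside the
# idmap range configured for domain $3 in smb.conf file $2.
id_in_range() {
    set -- "$1" $(idmap_range "$2" "$3")      # now: ID LOW HIGH
    [ $# -eq 3 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample files: the group line is missing winbind on purpose.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd:         files winbind\ngroup:          files\n' \
    > "$demo/nsswitch.conf"
printf '%s\n' '[global]' \
    '    idmap config * : backend = tdb' \
    '    idmap config * : range = 3000-7999' \
    '    idmap config DOMAIN : backend = ad' \
    '    idmap config DOMAIN : range = 10000-999999' > "$demo/smb.conf"

for db in passwd group; do
    nss_has_winbind "$demo/nsswitch.conf" "$db" \
        && echo "$db: winbind listed" || echo "$db: winbind MISSING"
done
for id in 10000 5000; do
    id_in_range "$id" "$demo/smb.conf" DOMAIN \
        && echo "ID $id: inside DOMAIN range" || echo "ID $id: OUTSIDE DOMAIN range"
done
```

On a real domain member the same functions can be pointed at /etc/nsswitch.conf and the smb.conf in use, with the ID taken from the user's uidNumber or the Domain Users gidNumber.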

