[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
Steffen Dettmer
steffen.dettmer+samba at gmail.com
Sat Mar 16 20:33:59 UTC 2024
Hi,
After I set up one working Samba today, I tried to do exactly the same
in another domain.
I created a privileged debian12 container and installed samba.
I have an MS Win-driven AD (3 DCs). At first I did not have everything in upper case
in krb.conf. I learnt that uppercase is needed and fixed it. To be sure, I
left the domain, killed the container and started again from scratch (I hope
nothing is stored anywhere).
I can't get getent passwd working:
getent passwd 'DMYDOM\a-sdettmer'
It returns just nothing. wbinfo -u works. Before starting from
scratch, I tried many things I found with Google, but I had no success.
Could someone please take a look and enlighten me? Probably I forgot
something or configured something wrong, but I have just failed to find it
for many hours. :(
Any help appreciated!
Steffen
Some diagnostics.
First, the two config files that I changed:
-----[ /etc/krb5.conf BEGIN ]----
[libdefaults]
default_realm = DMYDOM.INT
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
DMYDOM.INT = {
default_domain = dom.local
}
[domain_realm]
A2NAS = DMYDOM.INT
-----[ /etc/krb5.conf END ]----
-----[ /etc/samba/smb.conf BEGIN ]----
[global]
security = ADS
workgroup = DMYDOM
realm = DMYDOM.INT
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
pam password change = yes
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DMYDOM : backend = rid
idmap config DMYDOM : range = 10000-99999
template shell = /bin/bash
template homedir = /home/%U
usershare allow guests = yes
disable netbios = yes
vfs objects = acl_xattr
map acl inherit = yes
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
-----[ /etc/samba/smb.conf END ]----
Some commands I tried as diagnostics (after $) and their output:
$ wbinfo -p
Ping to winbindd succeeded
$ wbinfo --ping-dc
checking the NETLOGON for domain[DMYDOM] dc connection to
"a2-dc2.DMYDOM.int" succeeded
$ wbinfo -t
checking the trust secret for domain DMYDOM via RPC calls succeeded
$ wbinfo -u | grep dett
a-sdettmer
sdettmer
$ wbinfo -u | wc -l
723
$ getent passwd 'DMYDOM\a-sdettmer'
$ grep winbind /etc/nsswitch.conf
passwd: files systemd winbind
group: files systemd winbind
$ getent passwd | wc -l
24
$ cat /etc/passwd | wc -l
24
$ wbinfo -K 'DMYDOM\a-sdettmer'
Enter DMYDOM\a-sdettmer's password:
plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
$ kinit a-sdettmer
Password for a-sdettmer at DMYDOM.INT:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: a-sdettmer at DMYDOM.INT
Valid starting Expires Service principal
03/16/2024 21:24:02 03/17/2024 07:24:02 krbtgt/DMYDOM.INT at DMYDOM.INT
renew until 03/17/2024 21:24:00
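The symptom above (wbinfo reaches the DC and lists users, but getent passwd returns nothing) usually means the NSS side of the chain breaks somewhere between nsswitch.conf, libnss_winbind and the idmap mapping. The following POSIX sh helper is an added example, not part of the original post or of Samba; it parses the idmap ranges from an smb.conf excerpt (constructed here to match the settings shown above), checks that the default range and the domain range do not overlap, and computes the uid the rid backend would assign for a given RID. It assumes the idmap_rid rule uid = LOW_RANGE_ID + (RID - BASE_RID) with BASE_RID at its default of 0, the Debian package name libnss-winbind and the library path /lib/*/libnss_winbind.so.2; the RID values used (1105, 95000) are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or from Samba).
# Assumptions: idmap_rid maps uid = LOW_RANGE_ID + (RID - BASE_RID), BASE_RID = 0;
# Debian ships libnss_winbind in the package libnss-winbind.

# Constructed smb.conf excerpt with the same idmap settings the post shows.
SAMPLE_SMB_CONF='[global]
   workgroup = DMYDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DMYDOM : backend = rid
   idmap config DMYDOM : range = 10000-99999
'

# idmap_range CONF DOMAIN -> prints "low high" for that domain's range
# (use '*' for the default domain); prints nothing when the range is missing.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F'=' '
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == "idmap config " dom " : range") {
                val = $2; gsub(/[ \t]/, "", val); sub(/-/, " ", val)
                print val; exit
            }
        }'
}

# rid_to_uid LOW HIGH RID -> the uid the rid backend would assign, or
# "unmapped" when the RID falls outside the range (getent then returns nothing).
rid_to_uid() {
    uid=$(( $1 + $3 ))          # BASE_RID defaults to 0 (assumption)
    if [ "$uid" -gt "$2" ]; then echo unmapped; else echo "$uid"; fi
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> "yes" or "no"
ranges_overlap() {
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then echo yes; else echo no; fi
}

# check_conf CONF DOMAIN RID -> one-line verdict combining the checks above
check_conf() {
    conf=$1; dom=$2; rid=$3
    set -- $(idmap_range "$conf" '*')
    dlow=$1; dhigh=$2
    set -- $(idmap_range "$conf" "$dom")
    if [ -z "$1" ]; then echo "no idmap range for $dom"; return; fi
    low=$1; high=$2
    if [ "$(ranges_overlap "$dlow" "$dhigh" "$low" "$high")" = yes ]; then
        echo "overlap between default range and $dom range"; return
    fi
    uid=$(rid_to_uid "$low" "$high" "$rid")
    if [ "$uid" = unmapped ]; then
        echo "RID $rid does not fit in $low-$high"
    else
        echo "RID $rid maps to uid $uid"
    fi
}

# live_checks 'DOMAIN\user' -> run on the member server itself; every line
# must succeed for getent to reach winbind and resolve the user.
live_checks() {
    grep -E '^(passwd|group):.*winbind' /etc/nsswitch.conf \
        || echo "winbind missing from nsswitch.conf"
    ls /lib/*/libnss_winbind.so.2 2>/dev/null \
        || echo "libnss_winbind.so.2 not found (Debian: apt install libnss-winbind)"
    wbinfo -i "$1" \
        || echo "winbind cannot resolve $1; compare its RID (wbinfo -n '$1') with the idmap range"
}

if [ "${1:-}" = "--live" ]; then
    live_checks "${2:?usage: $0 --live 'DOMAIN\\user'}"
else
    # Offline demonstration on the constructed config (constructed RID).
    check_conf "$SAMPLE_SMB_CONF" DMYDOM 1105
fi
```

Run it without arguments to exercise the offline checks on the embedded config, or with `--live 'DMYDOM\a-sdettmer'` on the member server to test nsswitch.conf, the NSS library and the actual winbind lookup. The rid check is the part worth understanding: with a range of 10000-99999 any account whose RID exceeds 89999 silently gets no uid, which shows up exactly as an empty getent result while wbinfo -u still lists the name.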