[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
Rowland Penny
rpenny at samba.org
Sat Mar 16 20:44:35 UTC 2024
On Sat, 16 Mar 2024 21:33:59 +0100
Steffen Dettmer via samba <samba at lists.samba.org> wrote:
> Hi,
>
> after I set up one working Samba today, I tried to do exactly the same
> in another domain.
> I created a privileged debian12 container and installed samba.
> I have a MS Win driven AD (3 DCs). At first I did not have everything in
> upper case in krb5.conf. I learnt uppercase is needed and fixed it. To be
> safe I left the domain, killed the container and started again from
> scratch (hope nothing is stored anywhere).
>
> I don't get getent passwd working:
>
> getent passwd 'DMYDOM\a-sdettmer'
>
> it returns just nothing. wbinfo -u works. Before starting from
> scratch, I tried many things I found with Google but I had no success.
>
> Could someone please take a look and enlighten me? Probably I forgot
> something or configured something wrong, but I just fail to find it
> after many hours. :(
>
> Any help appreciated!
>
> Steffen
>
> Some Diagnostics.
>
> First the two config files that I changed:
>
> -----[ /etc/krb5.conf BEGIN ]----
> [libdefaults]
> default_realm = DMYDOM.INT
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DMYDOM.INT = {
> default_domain = dom.local
> }
>
> [domain_realm]
> A2NAS = DMYDOM.INT
> -----[ /etc/krb5.conf END ]----
>
> -----[ /etc/samba/smb.conf BEGIN ]----
> [global]
> security = ADS
> workgroup = DMYDOM
> realm = DMYDOM.INT
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> obey pam restrictions = yes
> pam password change = yes
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DMYDOM : backend = rid
> idmap config DMYDOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
> usershare allow guests = yes
> disable netbios = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
> -----[ /etc/samba/smb.conf END ]----
>
> Some commands I tried as diagnosis (after $) and their output:
>
> $ wbinfo -p
> Ping to winbindd succeeded
>
> $ wbinfo --ping-dc
> checking the NETLOGON for domain[DMYDOM] dc connection to
> "a2-dc2.DMYDOM.int" succeeded
>
> $ wbinfo -t
> checking the trust secret for domain DMYDOM via RPC calls succeeded
>
> $ wbinfo -u | grep dett
> a-sdettmer
> sdettmer
> $ wbinfo -u | wc -l
> 723
>
> $ getent passwd 'DMYDOM\a-sdettmer'
>
> $ grep winbind /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
>
> $ getent passwd | wc -l
> 24
>
> $ cat /etc/passwd | wc -l
> 24
>
> $ wbinfo -K 'DMYDOM\a-sdettmer'
> Enter DMYDOM\a-sdettmer's password:
> plaintext kerberos password authentication for [DMYDOM\a-sdettmer]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> $ kinit a-sdettmer
> Password for a-sdettmer at DMYDOM.INT:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: a-sdettmer at DMYDOM.INT
>
> Valid starting Expires Service principal
> 03/16/2024 21:24:02 03/17/2024 07:24:02 krbtgt/DMYDOM.INT at DMYDOM.INT
> renew until 03/17/2024 21:24:00
>
Have you installed libpam-winbind & libnss-winbind?
Rowland
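A small diagnostic script for the symptom in this thread (wbinfo -u lists every AD user, getent passwd returns nothing), added here as an example and not part of the thread or of Samba itself. It checks the two things glibc needs that wbinfo does not: a winbind entry on the passwd line of nsswitch.conf and the libnss_winbind.so.2 NSS module, and it can replay captured wbinfo/getent output; the library directories it searches are an assumption (Debian/glibc multiarch layout).

```shell
#!/bin/sh
# Added diagnostic helper: wbinfo talks to winbindd directly, but getent goes
# through glibc NSS, which needs both "winbind" on the passwd line of
# nsswitch.conf and the NSS module libnss_winbind.so.2 (package libnss-winbind
# on Debian). Without either, getent stays empty while wbinfo -u still works.

# 0 if the passwd line of the given nsswitch.conf (default /etc/nsswitch.conf)
# lists winbind; commented-out lines do not match.
nss_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' \
        "${1:-/etc/nsswitch.conf}"
}

# 0 if libnss_winbind.so.2 exists below the given root (default: /).
# The searched library directories are an assumption (Debian/glibc layout).
nss_winbind_module_present() {
    root="${1:-}"
    find "$root/lib" "$root/usr/lib" "$root/lib64" -name 'libnss_winbind.so.2' \
        2>/dev/null | grep -q .
}

# Print how many names from a 'wbinfo -u' listing ($1, one name per line)
# have no entry in a 'getent passwd' listing ($2). Both are plain files, so
# output captured on the affected host can be replayed elsewhere.
missing_from_nss() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { n++ }
             END { print n + 0 }' "$2" "$1"
}

# Live check on this host; runs only when the script is invoked with --run.
check_host() {
    nss_has_winbind || echo "nsswitch.conf: passwd line does not list winbind"
    nss_winbind_module_present || echo "libnss_winbind.so.2 missing: install libnss-winbind"
    wb=$(mktemp) && ge=$(mktemp)
    wbinfo -u > "$wb" && getent passwd > "$ge"
    echo "AD users known to winbindd but not resolvable through NSS: $(missing_from_nss "$wb" "$ge")"
    rm -f "$wb" "$ge"
}

case "${1:-}" in --run) check_host ;; esac
```

Run it as `sh check-winbind-nss.sh --run` on the member server; a non-zero count together with one of the two warnings points at the NSS side rather than at winbindd or the domain join.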