[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)
Steffen Dettmer
steffen.dettmer+samba at gmail.com
Sun Mar 17 10:36:51 UTC 2024
On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > getent passwd 'DMYDOM\a-sdettmer'
> > [nothing]
> Have you installed libpam-winbind & libnss-winbind ?
Thank you for your quick response again!
Yes, I have libpam-winbind and libnss-winbind.
I just today noticed (due to a typo in my test yesterday :() that some
accounts do work! Apparently mine, which are in a special group in AD,
are not showing up. Apparently roughly half gets returned by getent,
half does not.
I looked at the output of win powershell "Get-ADUser -Identity user
-Properties * > user.txt", but I don't see a pattern between example
users that show up and others that don't. Maybe it is a condition like
"field surname must exist and contain letters only" or such?
How do I find who (possibly libnss-winbind?) rejects some of the AD
users? Enable some PAM debug? /var/log/samba and journalctl revealed
nothing to my eyes.
Steffen
Diagnostics:
# apt install -y libpam-winbind libnss-winbind
libpam-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
libnss-winbind is already the newest version (2:4.17.12+dfsg-0+deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
It appears in PAM:
root@a2samba2:~# grep winbind /etc/pam.d/*
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
/etc/pam.d/common-password:password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
/etc/pam.d/common-session:session optional pam_winbind.so
/etc/pam.d/common-session-noninteractive:session optional pam_winbind.so
root@a2samba2:~#