[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Paul Leiber
paul at onlineschubla.de
Mon Apr 14 13:50:50 UTC 2025
Dear Samba list,
I am pulling my hair out over one linux machine (a laptop) joined to my
Samba AD domain. On this machine, I can't use domain users to login.
wbinfo -u shows AD users, getent passwd doesn't (no output is given).
From other linux and windows machines, I can login with AD credentials
and getent is working, so I assume that the issue is with that specific
member.
I can issue kerberos tickets on this machine for domain members.
If I use wbinfo --verbose -K INTERNAL\\user%password, the output is the
following:
plaintext kerberos password authentication for [INTERNAL\user] failed
(requesting cctype: FILE)
wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
(0xc000006d)
error message was: The attempted logon is invalid. This is either due to
a bad username or authentication information.
Could not authenticate user [INTERNAL\user%password] with Kerberos
(ccache: FILE)
You can find the sanitized samba info collected with the script
samba-collect-debug-info.sh below. I changed a lot of stuff while trying
to fix this issue, the smb.conf therefore looks a bit messy. I tried it
with a copy of a smb.conf from a working domain member, but that didn't
help.
As this is a laptop, NetworkManager is active to provide WiFi access. I
don't know NetworkManager very well, I usually prefer the traditional
way with /etc/network/interfaces, but in this case, it seemed the right
thing to do. I tested a wired ethernet connection as well, with the same
results. I am mentioning this because I can't rule out network issues,
although I don't think this is the cause.
I don't know what to do anymore. Any hints and advice for
troubleshooting are appreciated.
Thanks in advance and best regards,
Paul
Config collected --- 2025-04-14-13:41 -----------
Hostname: member
DNS Domain: internal.domain.tld
Realm: INTERNAL.DOMAIN.TLD
FQDN: member.internal.domain.tld
ipaddress: 192.168.178.51
-----------
This computer is running Debian trixie/sid x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host noprefixroute
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP group default qlen 1000
link/ether ff:ff:ff:ff:ff:ffbrd ff:ff:ff:ff:ff:ff permaddr
ff:ff:ff:ff:ff:ff
altname wlx4c82a94cd259
inet 192.168.178.51/8 brd 10.255.255.255 scope global noprefixroute
wlp1s0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.178.51 member.internal.domain.tld member
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search internal.domain.tld
nameserver 192.168.178.2
-----------
Kerberos SRV _kerberos._tcp.internal.domain.tld record(s) verified ok,
sample output:
Server: 192.168.178.2
Address: 192.168.178.2#53
_kerberos._tcp.internal.domain.tld service = 0 100 88
dc1.internal.domain.tld.
_kerberos._tcp.internal.domain.tld service = 0 100 88
dc2.internal.domain.tld.
-----------
'kinit Administrator' checked successfully.
-----------
Samba is running as a Unix domain member
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = INTERNAL.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_KDC = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
#hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns
hosts: files dns
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
security = ADS
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.TLD
server role = member server
min domain uid = 0
#bind interfaces only = YES
#interfaces = lo wlp1s0
winbind nss info = template
#winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/samba/%m.log
log level = 3
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a domain backend configuration
# idmap config for the SAMDOM domain
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 10000-999999
idmap config INTERNAL:unix_nss_info = yes
winbind refresh tickets = YES
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = INTERNAL\Administrator INTERNAL\administrator Administrator
administrator
Server Role is set to : member server
-----------
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.
-----------
Time on the DC with PDC Emulator role is: 2025-04-14T13:41:13
Time on this computer is: 2025-04-14T13:41:13
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.3.2-2+b1 amd64 access control
list - utilities
ii attr 1:2.5.2-3 amd64 utilities for
manipulating filesystem extended attributes
ii fonts-quicksand 0.2016-2.1 all
sans-serif font with round attributes
ii kde-spectacle 4:6.3.4-1 amd64
Screenshot capture utility
ii krb5-config 2.7 all
Configuration files for Kerberos Version 5
ii krb5-user 1.21.3-5 amd64 basic
programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.3.2-2+b1 amd64 access
control list - shared library
ii libattr1:amd64 1:2.5.2-3 amd64
extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.21.3-5 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.21.3-5 amd64 MIT
Kerberos runtime libraries
ii libkrb5support0:amd64 1.21.3-5 amd64
MIT Kerberos runtime libraries - Support library
ii libldb2:amd64 2:2.11.0+samba4.22.0+dfsg-3 amd64
LDAP-like embedded database - shared library
ii libnss-winbind:amd64 2:4.22.0+dfsg-3 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.22.0+dfsg-3 amd64
Windows domain authentication integration plugin
ii libsmbclient0:amd64 2:4.22.0+dfsg-3 amd64
shared library for communication with SMB/CIFS servers
ii libtalloc2:amd64 2:2.4.3+samba4.22.0+dfsg-3 amd64
hierarchical pool based memory allocator
ii libtdb1:amd64 2:1.4.13+samba4.22.0+dfsg-3 amd64 Trivial
Database - shared library
ii libtevent0t64:amd64 2:0.16.2+samba4.22.0+dfsg-3 amd64
talloc-based event loop library - shared library
ii libwbclient0:amd64 2:4.22.0+dfsg-3 amd64
Samba winbind client library
ii python3-ldb 2:2.11.0+samba4.22.0+dfsg-3 amd64 Python 3
bindings for LDB
ii python3-pylibacl:amd64 0.7.2-1+b1 amd64
module for manipulating POSIX.1e ACLs (Python3 version)
ii python3-pyxattr:amd64 0.8.1-1+b6 amd64
module for manipulating filesystem extended attributes (Python3)
ii python3-samba 2:4.22.0+dfsg-3 amd64 Python 3
bindings for Samba
ii python3-talloc:amd64 2:2.4.3+samba4.22.0+dfsg-3 amd64
hierarchical pool based memory allocator - Python3 bindings
ii python3-tdb 2:1.4.13+samba4.22.0+dfsg-3 amd64 Python3
bindings for TDB
ii samba 2:4.22.0+dfsg-3 amd64 SMB/CIFS file,
print, and login server for Unix
ii samba-ad-dc 2:4.22.0+dfsg-3 amd64 Samba
control files to run AD Domain Controller
ii samba-ad-provision 2:4.22.0+dfsg-3 all
Samba files needed for AD domain provision
ii samba-common 2:4.22.0+dfsg-3 all common
files used by both the Samba server and client
ii samba-common-bin 2:4.22.0+dfsg-3 amd64 Samba
common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.22.0+dfsg-3
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.22.0+dfsg-3 amd64 Samba
core libraries
ii smbclient 2:4.22.0+dfsg-3 amd64 command-line
SMB/CIFS clients for Unix
ii tdb-tools 2:1.4.13+samba4.22.0+dfsg-3 amd64 Trivial
Database - bundled binaries
ii winbind 2:4.22.0+dfsg-3 amd64 service to
resolve user and group information from Windows NT servers
-----------
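The collected output above shows the two files that decide whether AD users become visible to `getent`: the idmap ranges in smb.conf (which must not overlap, or winbind will refuse to hand out IDs) and the `passwd`/`group` databases in nsswitch.conf (which must list `winbind`). The script below is an added example, not part of the original mail or of samba-collect-debug-info.sh; it reproduces those two checks offline against constructed copies of the post's configuration and, where winbind tooling is installed, compares what `wbinfo -u` knows against what NSS resolves. The file paths, function names and the "broken" variant configs are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline sanity checks for a
# Samba domain member's idmap and NSS configuration.

# Print "name start end" for every "idmap config NAME : range = A-B" line.
# $1 = path to smb.conf
idmap_ranges() {
  sed -nE 's/^[[:space:]]*idmap config[[:space:]]*([^:[:space:]]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' "$1"
}

# Return 0 when every idmap range is well-formed and no two ranges overlap,
# 1 otherwise (the offending ranges are reported on stdout).
check_idmap_ranges() {
  idmap_ranges "$1" | awk '
    { name[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
    END {
      bad = 0
      if (NR == 0) { print "no idmap ranges found"; bad = 1 }
      for (i = 1; i <= NR; i++) {
        if (lo[i] > hi[i]) {
          printf "range for %s is inverted: %d-%d\n", name[i], lo[i], hi[i]; bad = 1
        }
        for (j = i + 1; j <= NR; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "idmap ranges overlap: %s (%d-%d) and %s (%d-%d)\n",
                   name[i], lo[i], hi[i], name[j], lo[j], hi[j]
            bad = 1
          }
      }
      exit bad
    }'
}

# Return 0 when both the passwd and group databases consult winbind.
# $1 = path to nsswitch.conf
check_nsswitch_winbind() {
  local db rc=0
  for db in passwd group; do
    if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1"; then
      echo "nsswitch: '$db' database does not use winbind"
      rc=1
    fi
  done
  return $rc
}

# Live check, skipped when winbind tooling is absent: every user winbind
# enumerates (wbinfo -u) should also resolve through NSS (getent passwd).
# A non-empty list here is the symptom described in the post.
check_nss_sees_winbind_users() {
  command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1 ||
    { echo "wbinfo/getent not available, skipping live check"; return 0; }
  local tmp u missing=0
  tmp=$(mktemp)
  wbinfo -u > "$tmp" || { rm -f "$tmp"; return 1; }
  # read line by line: AD user names may contain spaces
  while IFS= read -r u; do
    getent passwd "$u" >/dev/null || { echo "NSS cannot resolve: $u"; missing=1; }
  done < "$tmp"
  rm -f "$tmp"
  return $missing
}

# Constructed sample files so the checks run without a Samba installation.
# smb.conf / nsswitch.conf carry the relevant lines of the post's config;
# the *-bad variants are invented to show what a failing check looks like.
# Prints the directory that holds the samples.
write_sample_configs() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/smb.conf" <<'EOF'
[global]
security = ADS
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.TLD
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 10000-999999
EOF
  cat > "$dir/nsswitch.conf" <<'EOF'
passwd: files systemd winbind
group: files systemd winbind
shadow: files
EOF
  cat > "$dir/smb-bad.conf" <<'EOF'
idmap config * : backend = tdb
idmap config * : range = 3000-20000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:range = 10000-999999
EOF
  cat > "$dir/nsswitch-bad.conf" <<'EOF'
passwd: files winbind
group: files
EOF
  echo "$dir"
}

# Stand-alone demonstration against the constructed samples.
sample_dir=$(write_sample_configs)
check_idmap_ranges "$sample_dir/smb.conf" && check_nsswitch_winbind "$sample_dir/nsswitch.conf" &&
  echo "post's idmap ranges and nsswitch entries: OK"
check_idmap_ranges "$sample_dir/smb-bad.conf" || check_nsswitch_winbind "$sample_dir/nsswitch-bad.conf" ||
  echo "broken variants: problems reported above"
rm -rf "$sample_dir"
```

On a real member the same functions are pointed at `/etc/samba/smb.conf` and `/etc/nsswitch.conf`, and `check_nss_sees_winbind_users` lists exactly the accounts that winbind knows but NSS does not hand out, which narrows the problem to the winbind/NSS layer rather than to Kerberos or the network.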