[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Paul Leiber
paul at onlineschubla.de
Mon Apr 14 21:13:25 UTC 2025
On 14.04.2025 at 21:11, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 15:50:50 +0200
> Paul Leiber via samba <samba at lists.samba.org> wrote:
>
>> Dear Samba list,
>>
>> I am pulling my hair out over one linux machine (a laptop) joined to
>> my Samba AD domain. On this machine, I can't use domain users to
>> login. wbinfo -u shows AD users, getent passwd doesn't (no output is
>> given). From other linux and windows machines, I can login with AD
>> credentials and getent is working, so I assume that the issue is with
>> that specific member.
>>
>> I can issue kerberos tickets on this machine for domain members.
>>
>> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
>> the following:
>> plaintext kerberos password authentication for [INTERNAL\user] failed
>> (requesting cctype: FILE)
>> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
>> (0xc000006d)
>> error message was: The attempted logon is invalid. This is either due
>> to a bad username or authentication information.
>> Could not authenticate user [INTERNAL\user%password] with Kerberos
>> (ccache: FILE)
>>
>> You can find the sanitized samba info collected with the script
>> samba-collect-debug-info.sh below. I changed a lot of stuff while
>> trying to fix this issue, the smb.conf therefore looks a bit messy. I
>> tried it with a copy of a smb.conf from a working domain member, but
>> that didn't help.
>>
>
> I haven't seen the output from that script for a very long time, but it
> all appears to be what is expected, so my first thought, is there a
> firewall getting in the way ?

Yeah, I spotted the link to the script in one of Louis' old posts
related to my issue and thought that it looks handy...

There is no firewall active on the DC. There is no firewall installed on
the member. There is a firewall on my router.

If the WiFi connection is somehow botched due to NetworkManager (or my
limited understanding of NetworkManager, to be fair), it could be
possible that the firewall is blocking some traffic. However, I don't
expect that the wired connection could also be blocked by the firewall.
I'll check anyway.

1. Could a firewall explain that wbinfo and getent behave differently?
Are different ports used for either program?

2. Are there specific port(s) that I should monitor on the DC for
traffic from/to the member?

Paul