[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Peter Milesson
miles at atmos.eu
Tue Apr 15 07:35:46 UTC 2025
On 14.04.2025 23:13, Paul Leiber via samba wrote:
> On 14.04.2025 at 21:11, Rowland Penny via samba wrote:
>> On Mon, 14 Apr 2025 15:50:50 +0200
>> Paul Leiber via samba <samba at lists.samba.org> wrote:
>>
>>> Dear Samba list,
>>>
>>> I am pulling my hair out over one linux machine (a laptop) joined to
>>> my Samba AD domain. On this machine, I can't use domain users to
>>> login. wbinfo -u shows AD users, getent passwd doesn't (no output is
>>> given). From other linux and windows machines, I can login with AD
>>> credentials and getent is working, so I assume that the issue is with
>>> that specific member.
>>>
>>> I can issue kerberos tickets on this machine for domain members.
>>>
>>> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
>>> the following:
>>> plaintext kerberos password authentication for [INTERNAL\user] failed
>>> (requesting cctype: FILE)
>>> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
>>> (0xc000006d)
>>> error message was: The attempted logon is invalid. This is either due
>>> to a bad username or authentication information.
>>> Could not authenticate user [INTERNAL\user%password] with Kerberos
>>> (ccache: FILE)
>>>
>>> You can find the sanitized samba info collected with the script
>>> samba-collect-debug-info.sh below. I changed a lot of stuff while
>>> trying to fix this issue, the smb.conf therefore looks a bit messy. I
>>> tried it with a copy of a smb.conf from a working domain member, but
>>> that didn't help.
>>>
>>
>> I haven't seen the output from that script for a very long time, but it
>> all appears to be what is expected, so my first thought, is there a
>> firewall getting in the way ?
>
> Yeah, I spotted the link to the script in one of Louis' old posts
> related to my issue and thought that it looks handy...
>
> There is no firewall active on the DC. There is no firewall installed
> on the member. There is a firewall on my router.
>
> If the WiFi connection is somehow botched due to NetworkManager (or my
> limited understanding of NetworkManager, to be fair), it could be
> possible that the firewall is blocking some traffic. However, I don't
> expect that the wired connection could also be blocked by the
> firewall. I'll check anyway.
>
> 1. Could a firewall explain that wbinfo and getent behave differently?
> Are different ports used for either program?
> 2. Are there specific port(s) that I should monitor on the DC for
> traffic from/to the member?
>
> Paul
>
>

Hi Paul,

Check if nscd is installed. If it is, uninstall it completely. It
interferes with Samba.

Best regards,
Peter