[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Rowland Penny
rpenny at samba.org
Tue Apr 15 08:16:00 UTC 2025
On Mon, 14 Apr 2025 23:13:25 +0200
Paul Leiber via samba <samba at lists.samba.org> wrote:
> On 14.04.2025 at 21:11, Rowland Penny via samba wrote:
> > On Mon, 14 Apr 2025 15:50:50 +0200
> > Paul Leiber via samba <samba at lists.samba.org> wrote:
> >
> >> Dear Samba list,
> >>
> >> I am pulling my hair out over one linux machine (a laptop) joined
> >> to my Samba AD domain. On this machine, I can't use domain users to
> >> login. wbinfo -u shows AD users, getent passwd doesn't (no output
> >> is given). From other linux and windows machines, I can login with
> >> AD credentials and getent is working, so I assume that the issue
> >> is with that specific member.
> >>
> >> I can issue kerberos tickets on this machine for domain members.
> >>
> >> If I use wbinfo --verbose -K INTERNAL\\user%password, the output is
> >> the following:
> >> plaintext kerberos password authentication for [INTERNAL\user]
> >> failed (requesting cctype: FILE)
> >> wbcLogonUser(INTERNAL\user): error code was NT_STATUS_LOGON_FAILURE
> >> (0xc000006d)
> >> error message was: The attempted logon is invalid. This is either
> >> due to a bad username or authentication information.
> >> Could not authenticate user [INTERNAL\user%password] with Kerberos
> >> (ccache: FILE)
> >>
> >> You can find the sanitized samba info collected with the script
> >> samba-collect-debug-info.sh below. I changed a lot of stuff while
> >> trying to fix this issue, the smb.conf therefore looks a bit
> >> messy. I tried it with a copy of a smb.conf from a working domain
> >> member, but that didn't help.
> >>
> >
> > I haven't seen the output from that script for a very long time,
> > but it all appears to be what is expected, so my first thought, is
> > there a firewall getting in the way ?
>
> Yeah, I spotted the link to the script in one of Louis' old posts
> related to my issue and thought that it looks handy...
>
> There is no firewall active on the DC. There is no firewall installed
> on the member. There is a firewall on my router.
>
> If the WiFi connection is somehow botched due to NetworkManager (or
> my limited understanding of NetworkManager, to be fair), it could be
> possible that the firewall is blocking some traffic. However, I don't
> expect that the wired connection could also be blocked by the
> firewall. I'll check anyway.
>
> 1. Could a firewall explain that wbinfo and getent behave
> differently? Are different ports used for either program?
> 2. Are there specific port(s) that I should monitor on the DC for
> traffic from/to the member?
I have looked at the output of that script again and everything looks
okay, even the time is correct; there should be no reason for 'getent
passwd <USERNAME>' not to provide output if 'wbinfo -u | grep
<USERNAME>' does, unless either the Domain Users group doesn't have a
gidNumber inside the 10000-999999 range or the user doesn't have a
uidNumber inside the same range.
What does 'wbinfo -i <USERNAME>' produce?
Otherwise, if you have other clients running the same OS etc that work,
then I suggest you compare things until you find what the difference is.
Rowland
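The check Rowland suggests, written out as a small script. This is an added example, not code from the thread or from Samba: it reads the `idmap config <DOMAIN> : range` line from smb.conf text and tests whether the uid and gid in a passwd-style line (the format `wbinfo -i` prints) fall inside that range. The domain name INTERNAL and the 10000-999999 range come from the thread; the smb.conf fragment and the two `wbinfo -i` lines are constructed samples.

```sh
#!/bin/sh
# Constructed smb.conf fragment for a member using the ad idmap backend.
SMBCONF='[global]
   workgroup = INTERNAL
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : schema_mode = rfc2307
   idmap config INTERNAL : range = 10000-999999
'
# Constructed passwd-style lines in the shape 'wbinfo -i DOMAIN\user' prints.
SAMPLE_GOOD='INTERNAL\user:*:10001:10000:Example User:/home/INTERNAL/user:/bin/bash'
SAMPLE_BAD='INTERNAL\user:*:10001:513:Example User:/home/INTERNAL/user:/bin/bash'

# Print "LOW HIGH" for 'idmap config $1 : range = LOW-HIGH' read from stdin.
# $1 is a literal domain name (not '*', which sed would treat as a pattern).
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*$/\1 \2/p"
}

# check_ids LINE LOW HIGH: return 0 when uid and gid both lie in LOW-HIGH,
# else print the offending field and return 1. With the ad backend, an ID
# outside the range means winbind will not map the account for getent.
check_ids() {
    local line="$1" low="$2" high="$3" uid gid rc=0
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    case "$uid$gid" in ''|*[!0-9]*) echo "non-numeric uid/gid in: $line"; return 1;; esac
    if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
        echo "uidNumber $uid is outside $low-$high"; rc=1
    fi
    if [ "$gid" -lt "$low" ] || [ "$gid" -gt "$high" ]; then
        echo "gidNumber $gid is outside $low-$high (check Domain Users)"; rc=1
    fi
    return $rc
}

# Stand-alone run: take the range from the sample smb.conf, test both lines.
RANGE=$(printf '%s\n' "$SMBCONF" | idmap_range INTERNAL)
LOW=${RANGE% *}; HIGH=${RANGE#* }
check_ids "$SAMPLE_GOOD" "$LOW" "$HIGH" && echo "good sample: getent should work"
check_ids "$SAMPLE_BAD" "$LOW" "$HIGH" || echo "bad sample: getent will stay silent"
```

On a real member, replace the samples with `testparm -s` output and the actual `wbinfo -i` line for the user.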