[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Rowland Penny
rpenny at samba.org
Sun May 25 11:14:04 UTC 2025
On Sun, 25 May 2025 11:39:19 +0200
Paul Leiber via samba <samba at lists.samba.org> wrote:
> Meanwhile (with both DC1 and the formerly missing DC2 online), I
> unjoined the domain, stopped samba on the member, deleted samba .tdb
> cache files, and rejoined using net ads join --no-dns-updates -U
> administrator, then I started samba services.
>
> The output of the attempt to join showed different errors this time:
>
> gensec_gse_client_prepare_ccache: Kinit for
> MEMBER$@SAMDOM.EXAMPLE.COM to access ldap/DC1.SAMDOM.EXAMPLE.COM
> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
> gensec_gse_client_prepare_ccache: Kinit for
> MEMBER$@SAMDOM.EXAMPLE.COM to access cifs/DC1.SAMDOM.EXAMPLE.COM
> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
Unless you have pre-created the required records in AD, those errors
are to be expected if you use '--no-dns-updates'.
> Using short domain name -- SAMDOM
> Joined 'MEMBER' to dns domain 'SAMDOM.EXAMPLE.COM'
>
> I still am not getting information on domain users with getent
> passwd. wbinfo -u shows all domain users.
For getent to show users & groups, a few things need to be configured:
The computer needs to be joined to the AD domain; this appears to be
correct.
You need to have a correctly configured smb.conf; this appears to be
correct.
You need to have libnss-winbind & libpam-winbind installed; these
appear to be installed.
The 'passwd' & 'group' lines in /etc/nsswitch.conf need to contain
'winbind', which they do.
Finally, because you are using the 'ad' idmap config backend, this
leaves the rfc2307 attributes in AD. Every user you want visible to
Unix must have a uidNumber attribute containing a number inside the
range set in your smb.conf (in your case 10000-999999); any uidNumber
attributes outside that range will be ignored. Every group you want
visible to Unix must have a gidNumber attribute containing a number
inside the same range; again, any gidNumber attribute outside the range
will be ignored. It is very important that Domain Users has a
gidNumber; without that gidNumber, all AD users & groups will be
invisible to Unix.
There is an easy way to check the connection to AD: change 'idmap
config INTERNAL:backend = ad' to 'idmap config INTERNAL:backend = rid'
and restart Samba. If you then get a response from 'getent passwd
USERNAME', then it is a problem with the rfc2307 attributes in AD; if
you still get nothing, then you may have connection problems (firewall
etc.).
Rowland
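Added example, not part of the thread or of Samba itself: a small Python audit of the uidNumber/gidNumber rules described in the reply above, run over a constructed LDIF sample shaped like the output of `ldbsearch` against a DC (the names alice, bob and the values are made up; the range 10000-999999 is the one quoted in the reply). It reports which users and groups winbind's 'ad' backend would ignore and whether Domain Users carries a gidNumber.

```python
# Constructed LDIF sample, shaped like ldbsearch output (hypothetical data,
# not from the thread). Domain Users has no gidNumber and bob is out of range.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 5000
"""

def parse_ldif(text):
    """Split LDIF (as printed by ldbsearch) into a list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def audit_rfc2307(text, low=10000, high=999999):
    """Classify each user/group as winbind's 'ad' backend would treat it."""
    report = {"ok": [], "missing": [], "out_of_range": [], "domain_users_gid": False}
    for e in parse_ldif(text):
        name = e.get("sAMAccountName", [""])[0]
        if not name or name.endswith("$"):        # skip machine accounts
            continue
        attr = "gidNumber" if "group" in e.get("objectClass", []) else "uidNumber"
        values = e.get(attr)
        if not values:
            report["missing"].append(name)        # ignored: no uidNumber/gidNumber
        elif low <= int(values[0]) <= high:
            report["ok"].append(name)
            report["domain_users_gid"] |= (name == "Domain Users")
        else:
            report["out_of_range"].append(name)   # ignored: outside idmap range
    return report
```

Feed it real output by saving the ldbsearch result to a file and passing its contents to audit_rfc2307(); an empty "missing" and "out_of_range" list with domain_users_gid True is what a working 'ad' backend needs.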