[Samba] Linux member joined to AD domain: No login with domain user possible, getent not working
Paul Leiber
paul at onlineschubla.de
Wed May 28 07:49:49 UTC 2025
On 25.05.2025 at 13:14, Rowland Penny via samba wrote:
> On Sun, 25 May 2025 11:39:19 +0200
> Paul Leiber via samba <samba at lists.samba.org> wrote:
>
>
>> Meanwhile (with both DC1 and the formerly missing DC2 online), I
>> unjoined the domain, stopped samba on the member, deleted samba .tdb
>> cache files, and rejoined using net ads join --no-dns-updates -U
>> administrator, then I started samba services.
>>
>> The output of the attempt to join showed different errors this time:
>>
>> gensec_gse_client_prepare_ccache: Kinit for
>> MEMBER$@SAMDOM.EXAMPLE.COM to access ldap/DC1.SAMDOM.EXAMPLE.COM
>> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
>> gensec_gse_client_prepare_ccache: Kinit for
>> MEMBER$@SAMDOM.EXAMPLE.COM to access cifs/DC1.SAMDOM.EXAMPLE.COM
>> failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
>
> Unless you have pre-created the required records in AD, those errors
> are to be expected if you use '--no-dns-updates'.
>
>> Using short domain name -- SAMDOM
>> Joined 'MEMBER' to dns domain 'SAMDOM.EXAMPLE.COM'
>>
>> I still am not getting information on domain users with getent
>> passwd. wbinfo -u shows all domain users.
>
> For getent to show users & groups, a few things need to be configured:
>
> The computer needs to be joined to the AD domain, this appears to be
> correct.
> You need to have a correctly configured smb.conf, this appears to be
> correct.
> You need to have libnss-winbind & libpam-winbind installed, these
> appear to be installed.
> The 'passwd' & 'group' lines in /etc/nsswitch.conf need to contain
> 'winbind', which they do.
>
> Finally this leaves, because you are using the 'ad' idmap config
> backend, the rfc2307 attributes in AD. Every user, you want visible
> to Unix, must have a uidNumber attribute containing a number inside the
> range set in your smb.conf (in your case 10000-999999), any uidNumber
> attributes outside that range will be ignored. Every group, you want
> visible to Unix, must have a gidNumber attribute containing a number
> inside the same range, again, any gidNumber attribute outside the range
> will be ignored. It is very important that Domain Users has a
> gidNumber, without that gidNumber, all AD users & groups will be
> invisible to Unix.
Tested that (changing backend from ad to rid), no change.
> There is an easy way to check the connection to AD, change 'idmap
> config INTERNAL:backend = ad' to 'idmap config INTERNAL:backend = rid'
> and restart Samba. If you then get a response from 'getent passwd
> USERNAME', then it is a problem with the rfc2307 attributes in AD, if
> you still get nothing then you may have connection problems (firewall
> etc).
Success! I switched from a wireless connection to a wired connection,
and now getent passwd gives the correct output. Now I need to figure out
why this laptop has issues with the wireless connection. (Windows
systems including this same laptop connect just fine to AD on the same
SSID, and I even think that a Linux installation on the same laptop
didn't have this issue in a previous installation, that's why I didn't
check a wired connection earlier.) I suspect some NetworkManager
configuration plays a role. I'll put an update to the list once I know more.
Thanks for the hints so far, and for pointing out where I went wrong!
Paul
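As an added example (not from this thread, the poster's setup, or the Samba project), the script below applies the rule Rowland describes to sample data: every user needs a uidNumber and every group a gidNumber inside the `idmap config DOMAIN:range` from smb.conf, and Domain Users must have a gidNumber or nothing maps at all. The smb.conf fragment and the LDIF-style export are constructed; the range 10000-999999 is the one mentioned in the thread, while the account names alice, bob, carol and unixadmins are assumptions. In practice the attribute values would come from `ldbsearch` or an LDAP export rather than an inline string.

```python
"""Audit rfc2307 attributes against an 'idmap config DOMAIN:backend = ad' range.

Constructed example: the smb.conf fragment and LDIF-style export below are
sample data, not output from a real domain.
"""
import re

# Constructed smb.conf fragment (sample, not the original poster's file).
SMB_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed LDIF-style export of a few AD objects (sample data, assumed names).
LDIF = """
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 5000
gidNumber: 10000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=unixadmins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: unixadmins
gidNumber: 2000000
"""


def idmap_range(smb_conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN : range = low-high' line."""
    pat = re.compile(
        r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain),
        re.IGNORECASE | re.MULTILINE,
    )
    m = pat.search(smb_conf)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attr: value lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def audit(smb_conf, ldif, domain="SAMDOM"):
    """Classify users/groups as visible or invisible to Unix under the ad backend."""
    low, high = idmap_range(smb_conf, domain)
    res = {"visible_users": [], "invisible_users": [],
           "visible_groups": [], "invisible_groups": [],
           "domain_users_gid_ok": False}
    for e in parse_ldif(ldif):
        name = e.get("sAMAccountName", ["?"])[0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        attr = "gidNumber" if "group" in classes else "uidNumber"
        vals = e.get(attr)
        ok = vals is not None and low <= int(vals[0]) <= high
        kind = "groups" if "group" in classes else "users"
        res[("visible_" if ok else "invisible_") + kind].append(name)
        if kind == "groups" and name.lower() == "domain users":
            res["domain_users_gid_ok"] = ok
    if not res["domain_users_gid_ok"]:
        # Per the advice quoted above: without a usable gidNumber on Domain Users,
        # all AD users and groups are invisible to Unix, whatever their own attributes.
        res["invisible_users"] += res["visible_users"]
        res["invisible_groups"] += res["visible_groups"]
        res["visible_users"], res["visible_groups"] = [], []
    return res


if __name__ == "__main__":
    for key, names in audit(SMB_CONF, LDIF).items():
        print("%-20s %s" % (key, names))
```

With the sample data, alice and Domain Users map, bob (uidNumber below the range), carol (no uidNumber) and unixadmins (gidNumber above the range) do not; deleting the Domain Users gidNumber turns everything invisible, which is the failure mode worth checking first.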