While testing an Active Directory environment using Samba 4 as Primary Domain Controller, I also created an additional Samba machine as domain member. This second Samba server should be used as file server.
In order to assign user and group ownerships to files and directories on the file system, the getent command must be able to retrieve users and groups from Active Directory. But it didn't. Only local users from this Ubuntu machine were shown.
root@ubuntu:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
pdns:x:107:111:PowerDNS,,,:/var/spool/powerdns:/bin/false
postgres:x:108:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
messagebus:x:109:114::/var/run/dbus:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:111:118::/home/ntp:/bin/false
Single user listing does not work either:
root@ubuntu:~# getent passwd "EXAMPLE\claudio.kuenzler"
The Active Directory users are however correctly listed using wbinfo -u:
root@ubuntu:~# wbinfo -u
guest
claudio.kuenzler
administrator
krbtgt
This means Active Directory can be listed - but why not with getent?
Here are a couple of reasons and solutions why getent is unable to show any users or groups from Active Directory.
A simple check to see whether the winbind daemon responds is to use wbinfo with the ping parameter:
root@ubuntu:~# wbinfo -p
Ping to winbindd succeeded
With the -t parameter, RPC calls to the domain controller are verified:
root@ubuntu:~# wbinfo -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded
Also the fact that wbinfo -u is able to list users shows that the winbind daemon must definitely be running.
If winbind is not running and you can't spot any winbindd processes (ps aux|grep winbind), try to (re-)start the service using systemctl restart winbind.
To test Kerberos-based authentication, use wbinfo -K and pass the credentials in the form username%password:
root@ubuntu:~# wbinfo -K claudio.kuenzler%Very-Secret-99
plaintext kerberos password authentication for [claudio.kuenzler%Very-Secret-99] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
Also verify that a Kerberos ticket can be retrieved using kinit:
root@ubuntu:~# kinit claudio.kuenzler
Password for claudio.kuenzler@EXAMPLE.COM: [entered password]
Warning: Your password will expire in 41 days on Tue 11 May 2021 01:23:57 PM UTC
root@ubuntu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: claudio.kuenzler@EXAMPLE.COM
Valid starting Expires Service principal
03/30/2021 19:02:57 03/31/2021 05:02:57 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/31/2021 19:02:50
If kinit and klist commands are not available, install the krb5-user package:
root@ubuntu:~# apt-get install krb5-user
Some Linux distributions have the following defaults for passwd and groups set in /etc/nsswitch.conf:
ckadm@mint ~ $ cat /etc/nsswitch.conf | egrep "(^passwd|^group)"
passwd: compat systemd
group: compat systemd
In order to retrieve users and groups from Active Directory, this needs to be changed. Appending winbind is one thing; changing compat to files is another. I'm actually not sure whether this is required, but most winbind guides and howtos mention files instead of compat.
root@ubuntu:~# cat /etc/nsswitch.conf | egrep "(^passwd|^group)"
passwd: files systemd winbind
group: files systemd winbind
Even though winbind is installed and running, this does not necessarily mean that the additional winbind packages were installed. To correctly integrate winbind with NSS and PAM for authentication, install the following packages:
root@ubuntu:~# apt-get install libnss-winbind libpam-winbind
This is not strictly needed to make getent work. However, if you want AD users to be able to authenticate on your Windows machine (especially when using Samba shares with AD users), launch pam-auth-update and enable Winbind NT/Active Directory authentication.
Is the winbind config in /etc/samba/smb.conf correct? These settings determine how winbind retrieves and maps the users and groups from Active Directory. The following (working) example uses the rid backend for users and groups from Active Directory, with a range from 10000 to 99999:
winbind use default domain = yes
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
template homedir = /home/%U
template shell = /bin/bash
Also important here are winbind enum users and winbind enum groups, which make winbind enumerate all users and groups from AD. A lot of guides recommend not setting these options because Samba performance will suffer. But for debugging purposes and for small Active Directory setups these two parameters are very helpful.
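The two configuration points above (winbind in nsswitch.conf, and complete, non-overlapping idmap ranges in smb.conf) can be checked offline. The following is an added example, not code from the original post; it parses constructed copies of the files shown above and the function and file names are my own:

```shell
# Added example, not from the original post: nsswitch.conf must list winbind for
# passwd and group, and the smb.conf idmap settings for the domain must be complete
# and must not overlap the default '*' range. Each check prints a reason on failure.
# Does every passwd/group line in FILE ($1) list the winbind NSS module?
nss_has_winbind() {
    for db in passwd group; do
        grep -E "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null \
            || { echo "nsswitch: '$db' line does not list winbind"; return 1; }
    done
    echo "nsswitch: winbind present for passwd and group"
}
# Print the value of "idmap config DOMAIN : KEY" from smb.conf ($1). awk compares
# the domain as a plain string, so the default domain '*' needs no escaping.
idmap_get() {
    awk -v d="$2" -v k="$3" '/^[ \t]*idmap config/ {
        line = $0; sub(/^[ \t]*idmap config[ \t]*/, "", line)
        split(line, kv, "="); split(kv[1], dk, ":")
        gsub(/[ \t]/, "", dk[1]); gsub(/[ \t]/, "", dk[2])
        gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
        if (dk[1] == d && dk[2] == k) { print kv[2]; exit } }' "$1"
}
# DOMAIN ($2) needs a backend and a range, and that range must not overlap the
# '*' range: overlapping ranges let two different SIDs end up with the same UID.
idmap_check() {
    backend=$(idmap_get "$1" "$2" backend); range=$(idmap_get "$1" "$2" range)
    star=$(idmap_get "$1" '*' range)
    [ -n "$backend" ] || { echo "idmap: no backend for $2"; return 1; }
    case $range in [0-9]*-[0-9]*) ;; *) echo "idmap: bad range '$range' for $2"; return 1;; esac
    case $star in [0-9]*-[0-9]*) ;; *) echo "idmap: bad range '$star' for '*'"; return 1;; esac
    if [ "${range%-*}" -le "${star#*-}" ] && [ "${star%-*}" -le "${range#*-}" ]; then
        echo "idmap: $2 range $range overlaps '*' range $star"; return 1
    fi
    echo "idmap: $2 uses backend $backend, range $range"
}
# Constructed sample files (not from a real host): the nsswitch.conf before and
# after the fix, and the working idmap block shown above.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: compat systemd\ngroup: compat systemd\n' > "$d/nss.before"
    printf 'passwd: files systemd winbind\ngroup: files systemd winbind\n' > "$d/nss.after"
    printf '[global]\n   idmap config * : backend = tdb\n   idmap config * : range = 3000-7999\n   idmap config EXAMPLE : backend = rid\n   idmap config EXAMPLE : range = 10000-99999\n' > "$d/smb.conf"
    echo "$d"
}
samples=$(make_samples)
nss_has_winbind "$samples/nss.after"
idmap_check "$samples/smb.conf" EXAMPLE
```

Running the checks against the "before" nsswitch.conf reports the missing winbind entry; point them at the real /etc/nsswitch.conf and /etc/samba/smb.conf on the file server to verify the live configuration.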
If Samba was started after the installation and only then configured to join a domain, or if domain-related settings (such as winbind) have changed since, this may have messed up Samba's internal databases (stored in tdb and ldb files). In this case a clean sweep is your last resort, but it can work wonders!
Remove this Samba server from the domain computers, either by using the Windows RSAT (Remote Server Administration Tools) or the following command:
root@dc01 # samba-tool computer delete ubuntu
Where "ubuntu" is the name of your Samba file server having issues with getent.
Then stop Samba's daemons:
root@ubuntu:~# systemctl stop smbd
root@ubuntu:~# systemctl stop nmbd
root@ubuntu:~# systemctl stop winbind
Make sure the processes are all stopped:
root@ubuntu:~# ps ax | egrep "samba|smbd|nmbd|winbindd"
31197 ? S+ 0:00 grep -E --color=auto samba|smbd|nmbd|winbindd
Then delete all the *.tdb and *.ldb files from the different Samba directories. You can list these directories using the following command:
root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /var/run/samba
STATEDIR: /var/lib/samba
CACHEDIR: /var/cache/samba
PRIVATE_DIR: /var/lib/samba/private
And to delete them:
root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}'| while read directory; do rm -f $directory/*.ldb; done
root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}'| while read directory; do rm -f $directory/*.tdb; done
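A reversible variant of the delete step above, added here as an example and not part of the original post: the *.tdb and *.ldb files are moved into a timestamped backup directory instead of being removed, so the step can be undone if the re-join fails. The function name and the demo tree are my own; on a real host the directory arguments come from the smbd -b pipeline shown above.

```shell
# Added example, not from the original post: same clean sweep, but the database
# files are moved to BACKUP_ROOT/samba-dbs-<timestamp>/<original path> instead of
# being deleted. Usage: sweep_samba_dbs BACKUP_ROOT DIR [DIR...]
# Prints the number of files moved; directories that do not exist are skipped.
sweep_samba_dbs() {
    backup="$1/samba-dbs-$(date +%Y%m%d-%H%M%S)"; shift
    moved=0
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; continue; }
        for f in "$dir"/*.tdb "$dir"/*.ldb; do
            [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
            dest="$backup/$dir"              # keep the original path below the backup root
            mkdir -p "$dest"
            mv -- "$f" "$dest/" && moved=$((moved + 1))
        done
    done
    echo "$moved"
}
# Constructed demo tree (not a real Samba install): two database files and one
# config file; only the databases are moved, the config stays in place.
demo=$(mktemp -d)
mkdir -p "$demo/var/lib/samba/private"
touch "$demo/var/lib/samba/example.tdb" "$demo/var/lib/samba/private/example.ldb" "$demo/var/lib/samba/smb.conf"
sweep_samba_dbs "$demo/backup" "$demo/var/lib/samba" "$demo/var/lib/samba/private"   # prints 2
```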
Now verify your /etc/samba/smb.conf again. The following is a full smb.conf file, joining the domain EXAMPLE:
root@ubuntu:~# cat /etc/samba/smb.conf
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
log level = 1 winbind:5
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind use default domain = yes
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
template homedir = /home/%U
template shell = /bin/bash
# Mapping domain Administrator to local root
username map = /etc/samba/user.map
Then join the domain using net:
root@ubuntu:~# net ads join -U administrator
Enter administrator's password: [entered password]
Using short domain name -- EXAMPLE
Joined 'XENIAL' to dns domain 'example.com'
Note: The current Samba documentation, Setting up Samba as a Domain Member, mentions that joining a domain must not be done using samba-tool but with the net command instead. I am not sure if this is outdated or still valid.
Now start the Samba services again:
root@ubuntu:~# systemctl start smbd
root@ubuntu:~# systemctl start nmbd
root@ubuntu:~# systemctl start winbind
And finally, getent is able to retrieve the users from Active Directory:
root@ubuntu:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
pdns:x:107:111:PowerDNS,,,:/var/spool/powerdns:/bin/false
postgres:x:108:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
messagebus:x:109:114::/var/run/dbus:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:111:118::/home/ntp:/bin/false
guest:*:10501:10514:Guest:/home/guest:/bin/bash
claudio.kuenzler:*:11104:10513:Claudio Kuenzler:/home/claudio.kuenzler:/bin/bash
administrator:*:10500:10513:Administrator:/home/administrator:/bin/bash
krbtgt:*:10502:10513:krbtgt:/home/krbtgt:/bin/bash
Max from Deutschland wrote on Jul 12th, 2023:
Hey Mate
thank you very much, I've been struggling for 2 hours to get this running
Rossi Gustavo from Buenos Aires, Argentina wrote on Sep 16th, 2022:
Hello Claudio,
Thanks to your work I can make it work, it is very well documented and it was very useful
Cheers
conloos from wrote on Jul 29th, 2022:
Hi Claudio,
thanks for your work. I had another error: The default group "domain users" needs the attribute "gidNumber".
This behavior changed and worked without that in recent versions. It is described at: https://wiki.samba.org/index.php/Idmap_config_ad
I'm now on samba 4.15.5 (Ubuntu 22.04).
Thanks Frank
-
rf from wrote on Jun 13th, 2022:
thanks , helpful
Reinhold from wrote on Apr 8th, 2021:
Thank you, that was very very helpful!