Samba 4: getent passwd does not show Active Directory users, but wbinfo -u works fine


Published on March 31st 2021 - last updated on July 8th 2021 - Listed in Linux Windows Samba


While testing an Active Directory environment using Samba 4 as Domain Controller, I also created an additional Samba machine as domain member. This second Samba server should be used as file server.

However, in order to assign user and group ownership to files and directories on the file system, the getent command must be able to retrieve users and groups from Active Directory. It didn't: only the local users of this Ubuntu machine were shown.

root@ubuntu:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
pdns:x:107:111:PowerDNS,,,:/var/spool/powerdns:/bin/false
postgres:x:108:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
messagebus:x:109:114::/var/run/dbus:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:111:118::/home/ntp:/bin/false

Single user listing does not work either:

root@ubuntu:~# getent passwd "EXAMPLE\claudio.kuenzler"

Interestingly, however, the Active Directory users are correctly listed using wbinfo -u:

root@ubuntu:~# wbinfo -u
guest
claudio.kuenzler
administrator
krbtgt

This means the Active Directory users can be listed - but why not with getent?

Here are a couple of reasons, and their solutions, why getent may be unable to show any users or groups from Active Directory.

Is Winbind running?

A simple check to see whether the winbind daemon responds is to use wbinfo with the ping parameter:

root@ubuntu:~# wbinfo -p
Ping to winbindd succeeded

With the -t parameter, RPC calls to the domain controller are verified:

root@ubuntu:~# wbinfo -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded

Also, the fact that wbinfo -u is able to list users shows that the winbind daemon is definitely running.

If winbind is not running and you can't spot any winbindd processes (ps aux | grep winbind), (re-)start the service using systemctl restart winbind.

Does Kerberos authentication work?

To test Kerberos-based authentication, use wbinfo -K with the credentials in the form username%password:

root@ubuntu:~# wbinfo -K claudio.kuenzler%Very-Secret-99
plaintext kerberos password authentication for [claudio.kuenzler%Very-Secret-99] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Also verify that a Kerberos ticket can be retrieved using kinit:

root@ubuntu:~# kinit claudio.kuenzler
Password for claudio.kuenzler@EXAMPLE.COM: [entered password]
Warning: Your password will expire in 41 days on Tue 11 May 2021 01:23:57 PM UTC

root@ubuntu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: claudio.kuenzler@EXAMPLE.COM

Valid starting       Expires              Service principal
03/30/2021 19:02:57  03/31/2021 05:02:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 03/31/2021 19:02:50

If kinit and klist commands are not available, install the krb5-user package:

root@ubuntu:~# apt-get install krb5-user

Control /etc/nsswitch.conf

Some Linux distributions have the following defaults for passwd and groups set in /etc/nsswitch.conf:

ckadm@mint ~ $ cat /etc/nsswitch.conf | egrep "(^passwd|^group)"
passwd:         compat systemd
group:          compat systemd

In order to retrieve users and groups from Active Directory, this needs to be changed. Appending winbind is one thing - changing compat to files is another. I'm actually not sure whether the latter is required, but most winbind guides and howtos use files instead of compat.

root@ubuntu:~# cat /etc/nsswitch.conf | egrep "(^passwd|^group)"
passwd:         files systemd winbind
group:          files systemd winbind

libnss and libpam

Even though winbind is installed and running, this does not necessarily mean that the additional winbind packages for NSS and PAM were installed. To correctly integrate winbind with NSS and PAM for authentication, install the following packages:

root@ubuntu:~# apt-get install libnss-winbind libpam-winbind

PAM configuration

This is not strictly needed to make getent work. However, if you want AD users to be able to authenticate on your Windows machine (especially when using Samba shares with AD users), launch pam-auth-update and enable Winbind NT/Active Directory authentication.

Control winbind config

Is the winbind config in /etc/samba/smb.conf correct? These settings determine how winbind retrieves and maps the users and groups from Active Directory. The following (working) example uses the rid backend for users and groups from Active Directory, with a range from 10000 to 99999:

  winbind use default domain = yes
  winbind nss info = template

  winbind enum users = yes
  winbind enum groups = yes

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  idmap config EXAMPLE : backend = rid
  idmap config EXAMPLE : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

Also important here are winbind enum users and winbind enum groups. These retrieve all the users and groups from AD. A lot of guides recommend not setting these options because Samba's performance will suffer. But for debugging purposes and for small Active Directory setups these two parameters are very helpful.
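The two configuration points above (winbind in nsswitch.conf, non-overlapping idmap ranges in smb.conf) can be checked offline, and the rid backend's id arithmetic predicts the uids/gids that the AD accounts get. The following script is an added example, not part of the original post; the sample files it builds are constructed to mirror the "before" and "after" configuration shown here, and the RIDs 500/501/502/513 are the well-known Administrator, Guest, krbtgt and Domain Users RIDs while 1104 is assumed for the test user.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the two
# configuration points discussed above (nsswitch.conf sources and smb.conf idmap
# ranges) plus the idmap_rid arithmetic behind the uids/gids of the AD accounts.

# nsswitch_has_winbind FILE: succeed only if both the passwd and the group line
# in FILE list winbind as a source (comments and other databases are ignored).
nsswitch_has_winbind() {
    awk '/^(passwd|group):/ { k = $1; sub(/:.*/, "", k)
                              if ($0 ~ /[ \t:]winbind([ \t]|$)/) ok[k] = 1 }
         END { exit !(ok["passwd"] && ok["group"]) }' "$1"
}

# idmap_ranges_disjoint FILE: succeed only if no two "idmap config ... : range"
# lines in FILE overlap; the default (*) range and the domain range must not share ids.
idmap_ranges_disjoint() {
    awk -F'=' '/^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
                   split($2, r, "-"); n++; lo[n] = r[1] + 0; hi[n] = r[2] + 0 }
               END { if (n < 2) exit 1
                     for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                         if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
                     exit 0 }' "$1"
}

# rid_to_id LOW RID: the id the rid backend assigns, ID = RID - BASE_RID + LOW,
# with Samba's default base rid of 0. Range 10000-99999 maps RID 500 to 10500.
rid_to_id() {
    echo $(( $2 + $1 ))
}

# Constructed sample files mirroring the post's "before" and "after" configuration.
demo=$(mktemp -d)
printf 'passwd:         compat systemd\ngroup:          compat systemd\n' > "$demo/nsswitch.before"
printf 'passwd:         files systemd winbind\ngroup:          files systemd winbind\n' > "$demo/nsswitch.after"
printf '  idmap config * : range = 3000-7999\n  idmap config EXAMPLE : range = 10000-99999\n' > "$demo/smb.good"
printf '  idmap config * : range = 3000-12000\n  idmap config EXAMPLE : range = 10000-99999\n' > "$demo/smb.overlap"

for f in nsswitch.before nsswitch.after; do
    nsswitch_has_winbind "$demo/$f" && echo "$f: winbind present" || echo "$f: winbind missing"
done
for f in smb.good smb.overlap; do
    idmap_ranges_disjoint "$demo/$f" && echo "$f: ranges disjoint" || echo "$f: ranges overlap"
done
# Well-known RIDs (Administrator 500, Guest 501, krbtgt 502, Domain Users 513) and the
# assumed user RID 1104 give exactly the ids seen in the final getent output of the post.
for entry in administrator:500 guest:501 krbtgt:502 "Domain Users:513" claudio.kuenzler:1104; do
    echo "$entry -> $(rid_to_id 10000 "${entry##*:}")"
done
```

Run the two check functions against the real /etc/nsswitch.conf and /etc/samba/smb.conf of a misbehaving member server to rule out both causes in one go.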

Changed Samba config? Make a clean sweep!

If Samba was started right after the installation and only then configured to join a domain, or if domain-related settings (such as winbind) have changed since, Samba's internal databases (stored in tdb and ldb files) may be in an inconsistent state. In this case a clean sweep is your last resort, but it can work wonders!

Remove this Samba server from the domain computers, either by using the Windows RSAT (Remote Server Administration Tools) or the following command:

root@dc01 # samba-tool computer delete ubuntu

Where "ubuntu" is the name of your Samba file server having issues with getent.

Then stop Samba's daemons:

root@ubuntu:~# systemctl stop smbd
root@ubuntu:~# systemctl stop nmbd
root@ubuntu:~# systemctl stop winbind

Make sure the processes are all stopped:

root@ubuntu:~# ps ax | egrep "samba|smbd|nmbd|winbindd"
31197 ?        S+     0:00 grep -E --color=auto samba|smbd|nmbd|winbindd

Then delete all the *.tdb and *.ldb files from the different Samba directories. You can list these directories using the following command:

root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private

And to delete them:

root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}' | while read directory; do rm -f "$directory"/*.ldb; done
root@ubuntu:~# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}' | while read directory; do rm -f "$directory"/*.tdb; done

Now verify your /etc/samba/smb.conf again. The following is a full smb.conf file, joining the domain EXAMPLE:

root@ubuntu:~# cat /etc/samba/smb.conf
[global]
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  security = ADS

  log level = 1 winbind:5

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  winbind use default domain = yes
  winbind nss info = template

  winbind enum users = yes
  winbind enum groups = yes

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  idmap config EXAMPLE : backend = rid
  idmap config EXAMPLE : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

  # Mapping domain Administrator to local root
  username map = /etc/samba/user.map

Then join the domain using net:

root@ubuntu:~# net ads join -U administrator
Enter administrator's password: [entered password]
Using short domain name -- EXAMPLE
Joined 'XENIAL' to dns domain 'example.com'

Note: The current Samba documentation, Setting up Samba as a Domain Member, mentions that joining a domain must not be done using samba-tool but with the net command instead. I am not sure if this is outdated or still valid.

Now start the Samba services again:

root@ubuntu:~# systemctl start smbd
root@ubuntu:~# systemctl start nmbd
root@ubuntu:~# systemctl start winbind

And finally, getent is able to retrieve the users from Active Directory:

root@ubuntu:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
pdns:x:107:111:PowerDNS,,,:/var/spool/powerdns:/bin/false
postgres:x:108:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
messagebus:x:109:114::/var/run/dbus:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:111:118::/home/ntp:/bin/false
guest:*:10501:10514:Guest:/home/guest:/bin/bash
claudio.kuenzler:*:11104:10513:Claudio Kuenzler:/home/claudio.kuenzler:/bin/bash
administrator:*:10500:10513:Administrator:/home/administrator:/bin/bash
krbtgt:*:10502:10513:krbtgt:/home/krbtgt:/bin/bash


Comments (newest first)

Reinhold from wrote on Apr 8th, 2021:

Thank you, that was very very helpful!