[Samba] 3.0.4: winbind not working with windows 2003?

Andreas andreas at conectiva.com.br
Tue May 11 19:26:18 GMT 2004 

I hope this is just one of those issues where just after hitting the
send button I figure out what is wrong. Client is 3.0.4 (also tried with
3.0.3) and server is windows 2003 with all patches as of today applied via
windows update.

Short summary: wbinfo -u doesn't work and wbinfo -g lists just a BUILTIN
domain.

I have done this lots of times, but now winbind seems to be not working anymore.

 From the beggining:

- grab a ticket:
[root at pandora root]# kinit -p Administrator
Password for Administrator at DISTRO.CONECTIVA: 

- join the win2k3 domain:
[root at pandora root]# net ads join
[2004/05/11 16:20:55, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for pandora already exists - modifying old account
  Using short domain name -- DISTRO
  Joined 'PANDORA' to realm 'DISTRO.CONECTIVA'

- test:
[root at pandora root]# net ads testjoin
Join is OK

- list tickets ("expandora" is the win2k3 kdc/pdc):
[root at pandora root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at DISTRO.CONECTIVA

Valid starting     Expires            Service principal
05/11/04 16:20:51  05/12/04 02:20:01  krbtgt/DISTRO.CONECTIVA at DISTRO.CONECTIVA
        renew until 05/12/04 16:20:51
05/11/04 16:20:03  05/12/04 02:20:01  expandora$@DISTRO.CONECTIVA
        renew until 05/12/04 16:20:51
05/11/04 16:20:03  05/11/04 16:22:03  kadmin/changepw at DISTRO.CONECTIVA
        renew until 05/11/04 16:22:03

- after winbindd is up, check secret:
[root at pandora root]# wbinfo -t
checking the trust secret via RPC calls succeeded

- list users:
[root at pandora root]# wbinfo -u
Error looking up domain users

Uhoh...

- list groups:
[root at pandora root]# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
(...)

"BUILTIN"?

/etc/nsswitch.conf:
[root at pandora root]# grep winbind /etc/nsswitch.conf 
passwd:     files nisplus winbind
group:      files nisplus winbind

"getent group" lists the same BUILTIN groups...

What is wrong?

More information about the samba mailing list