[Samba] Error looking up domain users

Michael Coburn mcoburn at jupiterimages.com
Mon Dec 4 22:55:06 GMT 2006

Hello, I'm trying to query one of my remote domains for users via 
"wbinfo -u --domain=EUROPE" and receiving "Error looking up domain 
users".  I have been successfully able to look up users in multiple 
domains i.e. "wbinfo -u --domain=UK".  My current domain is called 
NTDOMAIN in which I have my Ubuntu Dapper (6.06) box, running winbind 
3.0.22-1ubuntu3.1 and samba 3.0.22-1ubuntu3.1.  NTDOMAIN is hosted on a 
NT4 SP6a PDC, EUROPE is a Windows Server 2003 R2 SP1, and 2-way trusts 
are established.  I have winbind running as "winbind -d 100" for maximum 
logging.  Steps I've tried:

    * I have confirmed that the trust between NTDOMAIN <-> EUROPE
      validates (via Windows tools)
    * Tried using a user account with full domain privileges in the
      EUROPE domain via "wbinfo --set-auth=user=EUROPE/user%password"
      but no change.
    * Successfully logged in from one domain to another (i.e. an
      NTDOMAIN user logged in to a machine joined to the EUROPE domain,
      and vice versa)

While tailing the log /var/log/samba/ I see 
that the samba box successfully detects the PDC role server for the 
EUROPE domain and locates the correct IP address, the samba box tries to 
authenticate against the EUROPE domain using it's NTDOMAIN computer 
account, and negotiates security authentication mechanisms.  I then see 
this error in the log:

[2006/12/04 16:05:04, 4] nsswitch/winbindd_cm.c:cm_prepare_connection(305)
  authenticated session setup failed with No logon workstation trust account

I don't understand this, the samba box would not have a workstation 
account in the EUROPE domain, it is joined to the NTDOMAIN domain.

I've attached results of some wbinfo commands.
root at s-lnx003-50:~# wbinfo -m
root at s-lnx003-50:~# wbinfo --sequence:
UK : 4969
S-LNX003-50 : 1
NTDOMAIN : 34338
root at s-lnx003-50:~# wbinfo -D NTDOMAIN
Name              : NTDOMAIN
Alt_Name          :
SID               : <deleted>
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : 34338
root at s-lnx003-50:~# wbinfo -D EUROPE
Name              : EUROPE
Alt_Name          : europe.<deleted>
SID               : <deleted>
Active Directory  : Yes
Native            : No
Primary           : No
Sequence          : -1
root at s-lnx003-50:~# wbinfo -t
checking the trust secret via RPC calls succeeded
workgroup = NTDOMAIN
security = domain
password server = <deleted> <deleted>
winbind separator = /
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = no
winbind nested groups = yes

Any suggestions?  I'd be happy to provide more log or configuration file 
data. Thanks very much!
Michael Coburn
Enterprise Systems Adminstrator

More information about the samba mailing list