[Samba] ADS / Domain problems

Kelley, Tim Tim.Kelley at mms.gov
Wed May 24 12:20:59 GMT 2006

I have some serious problems with samba 3.0.21c ...

Samba is configured "security = ads" and I am also using winbind so that
the AD accounts also exist on the unix system.

"wbinfo -t" succeeds, and "wbinfo -m" gives a list of the trusted
domains. However, the only users this system knows about are the ones in
the primary domain, i.e., the one set by "workgroup = " in smb.conf.
"wbinfo -u --domain OTHER" does not work, where "OTHER" is a trusted
domain. (This worked fine with "security = domain", BTW). "password
server" is set to "*".

Wbinfo -u --domain OTHER returns "Error looking up domain users"

wbinfo --domain-info=OTHER returns "Could not get domain info"

All this works fine for the primary domain.

The ADS side is all windows; unix systems running samba are all either
domain members or ADS.

As far as I can tell, Kerberos works fine, and kinit
user at BLAH.SOME.OTHER.REALM works fine and I get a ticket.

Whenever a user from a foreign domain tries to access a share on the
samba server, I get:

[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Ticket name is [someuser at SOME.OTHER.REALM]
[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(224)
  Ticket for foreign realm someuser at SOME.OTHER.REALM
[2006/05/23 14:13:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
  Username OTHER+curranj is invalid on this system
[2006/05/23 14:13:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(308) cmd=115 (SMBsesssetupX)

I'm not sure what is wrong here ...

The output (sanitized) of testparm -v can be found at:


It should be there until June 24 06.

More information about the samba mailing list