[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info

Lemire, David d.lemire at anassoc.com
Tue Feb 19 14:03:20 GMT 2008

> Try comparing what you did to these articles.  They worked very well for 
> me on a W2K AD domain.
> To me, they're more easily understood than the official docs.
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

They pretty much describe what I'd done to this point, +/- a couple of 
details (which I do realize may be important).  One question they bring 
up for me is this:  In describing krb5.conf, I've seen the 
[domain_realms] section shown two or three different ways:

         .kerberos.server = DOMAIN.NET

         .mydomain.domain = DOMAIN.NET

         .mydomain.domain = DOMAIN.NET
         mydomain.domain = DOMAIN.NET

The example on MIT kerberos site would seem to indicate that the third 
one of those is right (see 
but I've definitely seen both of the others used as example configurations.

The other thing I came across after posting my question to this list was 
a entry in Scott Lowe's block about problems w/CentOS 5 and Active 
Directory integration 
  OTOH, he was having problems getting the machine to join the domain, 
whereas my roadblocks are a step or two beyond that.  Still, it makes me 
wonder if I shouldn't just one or more pieces of this puzzle (starting 

I need to double-check my samba build include the DOMAIN2HOSTLIST 
component; I can't check at the moment, but IIRC, that might not have 
been in the list when I checked before.  Would missing that account for 
my winbind / getent disparity?


> Lemire, David wrote:
>> I'm trying to integrate a Linux machine into our
>> Win2K3 ADS-based network.  The machine must
>> primarily serve as a user workstation (i.e., a
>> Samba Client), although it also needs to serve at
>> least one share for backup purposes.  I'd like to
>> emulate the behavior of our WinXP machines in that
>> any user in our small company can login to any
>> computer in the domain based on network
>> username/password.
>> I've been following the information in the
>> "Samba3-By Example" guide (the on-line, PDF
>> version, 28 Jan 2008), section 7.3.4.  I've had
>> success joining the network and accessing a share
>> on a server, but then run into a snag where
>> getent doesn't return equivalent information to
>> wbinfo for users and groups. I've done scads of
>> web searching, reading, tinkering with conf files,
>> and have scanned about six months of this list's
>> archive without finding a resolution, although my
>> problem doesn't seem to be uncommon. 
>> Before I post conf files with specifics I'd like
>> to ask a couple of basic questions:
>> 1) Need I care that getent won't return equivalent
>> results as wbinfo?  The guide describes this is
>> "to validate the full identity resolution is
>> functional as required", so I've been taking it as
>> gospel that I shouldn't tackle PAM until getent
>> works.
>> 2) Active Directory Configuration:  Is it a
>> requirement that I either make configuration
>> changes in AD or install Microsoft Services for
>> UNIX to accomplish what I want?  The By-Example
>> guide seems to indicate that I don't have to (1st
>> page of 7.3.4), but at least one write-up I've
>> found on-line states that AD mods are necessary
>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-
>> details/>
>> it is from Dec 2005, so could be out-of-date?).
>> 3) My software versions are:
>> *   PDC and BDC are running Active Directory on
>>           Windows Server 2003 SP2 *   Linux machine is running CentOS 
>> 5 with current updates *   Samba software is 3.0.25b (supplied 
>> w/CentOS) *   krb5 software is 1.6.1-17 (supplied w/CentOS) *   nss is 
>> 3,11,7 (supplied w/CentOS) *   nss_ldap is 253- 5 (supplied w/CentOS)
>> Do I need to upgrade to newer versions?  I've read
>> of problems with Samba 3.0.23c on Red Hat, but
>> nothing I've seen indicates a problem with
>> 3.0.25b.  If upgrading is recommended, I'd
>> appreciate a pointer to an appropriate source of
>> RPMs, as these are newest version in the CentOS
>> Repositories, and I'm not too comfortable with building
>> >From source yet.
>> 4)  If nsswitch.conf is configured for winbind, do
>> I need to worry at all about LDAP configuration?
>> 5)  I've seen mention about letter case being a
>> problem in configuring Kerberos and Samba. On our
>> AD server, the domain appears as "DOMAIN.local",
>> with the letter case as shown, so the FQDN of the
>> server is SERVER.DOMAIN.local.  Is this somehow
>> causing me a problem?  In the krb5.conf  and
>> smb5.conf files, I've identified the realm as
>> 6)  One oddity:  when I started working on this,
>> after the machine joined the domain, wbinfo showed
>> results as DOMAIN+username but somewhere along the
>> line that change to just the username.  Is that
>> indicative of something I've misconfigured?
>> Thanks for any insight.  My gut tells me I'm not
>> far off, but I've exceeded my "solve it myself"
>> frustration level!
>> Dave Lemire

More information about the samba mailing list