[Samba] "getent group" shows AD groups; "getent passwd" only shows local users

Tomasz Chmielewski mangoo at wpkg.org
Fri Jan 23 09:17:20 GMT 2009

Brian Gregorcy schrieb:

>> In log.winbindd I can see errors like:
>> [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
>>   ads_do_paged_search_args: 
>> ldap_search_with_timeout((objectCategory=user)) -> Operations error
>> [2009/01/22 10:44:55, 3] 
>> libads/ldap_utils.c:ads_do_search_retry_internal(76)
>>   Reopening ads connection to realm 'GEORGIANUT.COM' after error 
>> Operations error
>> [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
>>   sitename_fetch: Returning sitename for georgianut.com: 
>> "Default-First-Site-Name"
>> [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
>>   ads_find_dc: looking for realm 'georgianut.com'
>> [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
>>   get_sorted_dc_list: attempting lookup for name georgianut.com 
>> (sitename Default-First-Site-Name) using [ads]
> check that your clock on the linux box matches the clock on the DC.

Just being curios: what time difference is acceptable? I.e. up to 5 
seconds, 5 minutes? That being said, the clocks are in sync.

When I use tcpdump to see what happens when doing "getent passwd", I can 
see such error message:


Google suggest such causes for this error:

i.e. LDAP troubleshooting 

Cause: The DN specified in the User Search tab is incorrect, wrong, or 
incorrectly formatted.

Cause: User could not be found. Most likely due to DN settings in the 
User Search tab or the suffix or prefix fields in the Settings tab.

Cause: Most likely caused by a bad username or password. Common cause of 
this error is a user trying to login with DOMAIN\login instead of just 

However, this doesn't explain why "getent group" works, and "getent 
passwd" doesn't.

Tomasz Chmielewski

More information about the samba mailing list