[Samba] winbind and getent

John Stile john at stilen.com
Thu Jul 30 09:05:44 MDT 2009


I wonder if that means that you didn't join the domain, or you aren't
joining with a domain admin account, or you aren't performing operations
using the credentials of a domain user.

Check you have the libs.
smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.

Does /etc/krb5.conf look correct for your domain?

Time must be (I think) within 15 min between KDC and client
net ads info          # Show AD info including time
date                  # Check time on local host

Test if the client has been joined to the domain.
net ads testjoin      # Shows join is ok

If you run the following command without specifying a valid domain
'--user=', or the password is incorrect, you will see this:  "...Client
not found in Kerberos database"
net ads search '(objectCategory=group)'

If you try to run the following command with a valid user, you will see
a huge dump.
net --user=myuser ads search '(objectCategory=group)'

On Thu, 2009-07-30 at 09:26 -0500, Hoover, Tony wrote:
> Have you configured your /etc/krb5.conf file?
> 
> ------------------------------------------------------------------------
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
> 
> "Don't Blend in..."
> ------------------------------------------------------------------------
>  
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Gabriel Petrescu
> Sent: Thursday, July 30, 2009 8:39 AM
> To: John Stile
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] winbind and getent
> 
> hi:)
> 
> in my case it's working:
> 
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> 
> and I get an error here:
> 
>  kinit tests
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> 
> 
> any advice here?
> 
> gabi
> 
> On Wed, Jul 29, 2009 at 6:58 PM, John Stile<john at stilen.com> wrote:
> > On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
> >> Hi Volker,
> >>
> >> Yes  in smb.conf i have:
> >>         winbind enum users = Yes
> >>         winbind enum groups = Yes
> >
> > getent Shows nsswitch is correct, to resolve ADS users and groups.
> >  getent passwd
> >  getent group
> >
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> >
> > kinit tests if Kerberos can authenticate
> >  kinit myuser
> >
> > If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> > maybe your share should have a line like:
> >  valid users = @"MYDOMAIN+Domain Users"



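An added example, not part of the original message: the time check from the steps above as a script that reads the "Server time offset" line of `net ads info` and flags a host whose clock is too far from the KDC. The function names and the sample output are constructed for illustration, and `MAX_SKEW` is an assumption (300 seconds is the MIT Kerberos default `clockskew`; set it to what your realm allows).

```shell
#!/bin/sh
# Added example: clock-skew check on `net ads info` output.
# MAX_SKEW is an assumption: 300 s is the MIT Kerberos default clockskew.
MAX_SKEW="${MAX_SKEW:-300}"

# Constructed sample of `net ads info` output (not captured from a real DC).
SAMPLE_INFO='LDAP server: 192.0.2.10
LDAP server name: dc1.mydomain.example
Realm: MYDOMAIN.EXAMPLE
Bind Path: dc=MYDOMAIN,dc=EXAMPLE
LDAP port: 389
Server time: Thu, 30 Jul 2009 09:05:44 MDT
KDC server: 192.0.2.10
Server time offset: -412'

# Print the signed offset (seconds) from `net ads info` text on stdin.
# Exit status 1 if the line is missing or its value is not an integer.
ads_time_offset() {
    awk -F': *' '/^Server time offset:/ { v = $2; found = 1 }
        END { if (!found || v !~ /^-?[0-9]+$/) exit 1; print v }'
}

# Succeed when |offset| is within the allowed skew (second arg or MAX_SKEW).
skew_ok() {
    off="$1"; max="${2:-$MAX_SKEW}"
    [ "${off#-}" -le "$max" ]
}

# Classify one `net ads info` dump: prints "OK n", "SKEW n" or "UNKNOWN".
check_skew() {
    if ! off=$(printf '%s\n' "$1" | ads_time_offset); then
        echo "UNKNOWN"; return 2
    fi
    if skew_ok "$off"; then
        echo "OK $off"
    else
        echo "SKEW $off"; return 1
    fi
}

# On a host with Samba installed use live output; otherwise use the sample.
if command -v net >/dev/null 2>&1; then
    check_skew "$(net ads info 2>/dev/null)" || true
else
    check_skew "$SAMPLE_INFO" || true
fi
```

"UNKNOWN" means `net ads info` returned no offset line at all, which points back at the join and krb5.conf checks rather than at the clock.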