[Samba] AD and winbindd madness

Robert Gehr robert.gehr at baumann-gmbh.de
Wed Mar 18 10:52:40 GMT 2009

Hello all

I tried for a couple of days now to get our samba domain hooked up with
an AD controller. I followed these instructions: 

I've solved a couple of problems over the years but this is a hard nut
to crack.

The setup is as follows

AD runs the domain BAUMANN (realm: baumann.local)
samba runs the domain BAUMANN-GMBH
The trust relationship has been established, at least so it seems.

What I can do when I fire up winbind on the samba PDC (baadm1)

wbinfo -u: works
wbinfo -g: works
wbinfo -m: works
wbinfo -t: never returns but spits out no errors

getent passwd/group show the users/groups of the AD BAUMANN domain

I can assign file/group ownership to users/groups from the BAUMANN

If I don't have winbindd running I can connect to a share located on the
PDC of the samba controlled BAUMANN-GMBH domain, but can not write to

If I run winbindd I can't connect to the share anymore. Same user, same
password. The error winbindd comes up with:

SCHANNEL: schannel_decode seq_num=13 data_len=32
SCHANNEL: schannel_decode seq_num=13 data_len=32
cli_pipe_validate_current_pdu: got pdu len 96, data_len 20, ss_len 12
rpc_api_pipe: got PDU len of 96 at offset 0
rpc_api_pipe: host baad1.baumann.local, pipe \NETLOGON, fnum 0x8006
returned 40 bytes.
    netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
        out: struct netr_LogonSamLogonEx
            validation               : *
                validation               : union netr_Validation(case 3)
                sam3                     : NULL
            authoritative            : *
                authoritative            : 0x01 (1)
            flags                    : *
                flags                    : 0x00000000 (0)
            result                   : NT_STATUS_LOGON_FAILURE
NTLM CRAP authentication for user [BAUMANN]\[gehr] returned

Here are the relevant entries of smb.conf on the samba PDC

   dos charset = 850
   unix charset = ISO8859-1
   display charset = ISO8859-1
   workgroup = BAUMANN-GMBH
   server string = %h
   passdb backend = ldapsam:"ldap://baadm1.baumann-gmbh.de,
   username map = /usr/local/samba/lib/user.map
   lanman auth = No
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   add group script = /usr/local/sbin/smbldap-groupadd -a -p "%g"
   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   logon path =
   domain logons = Yes
   os level = 65
   domain master = Yes
   wins support = Yes
   kernel oplocks = No
   ldap admin dn = cn=ldap-admin,dc=baumann-gmbh,dc=de
   ldap group suffix = ou=groups
   ldap idmap suffix = ou=idmap
   ldap machine suffix = ou=computers
   ldap passwd sync = Yes
   ldap suffix = dc=baumann-gmbh,dc=de
   ldap ssl = start tls
   ldap user suffix = ou=people
   #idmap backend = ldap:ldap://baadm1.baumann-gmbh.de
   #idmap domains = BAUMANN-GMBH
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ldapsam:trusted = yes
   idmap config BAUMANN-GMBH:ldap_url = ldap://baadm1.baumann-gmbh.de
   idmap config BAUMANN-GMBH:ldap_base_dn =
   idmap config BAUMANN-GMBH:backend = ldap
   idmap config BAUMANN-GMBH:default = yes

Here is the conf winbindd gets started with:

workgroup = baumann
netbios name = baadm1

idmap uid = 30000-40000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
#winbind separator = +

#winbind use default domain = Yes
security = ADS
domain master = No
encrypt passwords = yes
password server = baad1.baumann.local
client use spnego = yes
winbind trusted domains only = No

Help is greatly appreciated, for it is a must that we get this thing

Thanks and regards
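As an added example (not from the poster or the Samba project), here is a small check that parses the two smb.conf fragments quoted in the post and reports the settings on which they disagree. It assumes that smbd and winbindd on the PDC are meant to share one configuration, so differing workgroup, security mode or idmap ranges between the two files are worth flagging before digging into the NETLOGON trace; the fragments are constructed from the lines shown above.

```python
import re

# Constructed fragments: the relevant lines of the two smb.conf excerpts quoted in the post.
PDC_CONF = """
workgroup = BAUMANN-GMBH
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config BAUMANN-GMBH:backend = ldap
idmap config BAUMANN-GMBH:default = yes
"""
WINBIND_CONF = """
workgroup = baumann
netbios name = baadm1
security = ADS
idmap uid = 30000-40000
idmap gid = 30000-40000
"""

def parse_smbconf(text):
    """Parse 'key = value' lines into a dict; keys lowercased, comments and section headers skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf

def parse_range(value):
    """'10000-20000' -> (10000, 20000); raises ValueError on a malformed or inverted range."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {value!r}")
    return lo, hi

def idmap_ranges(conf):
    """Every id range in one config: legacy 'idmap uid/gid' and per-domain 'idmap config X:range'."""
    return {k: parse_range(v) for k, v in conf.items()
            if k in ("idmap uid", "idmap gid") or re.fullmatch(r"idmap config \S+:range", k)}

def diff_configs(a, b):
    """Settings whose values differ (case-insensitively) between the two files.
    Assumption: both daemons should read the same values, so any entry here is a finding."""
    keys = ("workgroup", "security", "idmap uid", "idmap gid")
    return {k: (a.get(k), b.get(k)) for k in keys
            if (a.get(k) or "").lower() != (b.get(k) or "").lower()}

if __name__ == "__main__":
    for key, (pdc, wb) in diff_configs(parse_smbconf(PDC_CONF), parse_smbconf(WINBIND_CONF)).items():
        print(f"{key}: smbd has {pdc!r}, winbindd has {wb!r}")
```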


