[Samba] Cannot retrieve user/group information

Ryan Hardy rh87 at duke.edu
Fri Nov 20 11:04:00 MST 2009

Thanks for your response, Adam.

On Nov 20, 2009, at 12:51 AM, Adam Nielsen wrote:

>> password server    = foo.bar.baz
> Do you really need to specify a password server?<snip>

I don't know that it is necessary; I had a feeling it was cruft, but  
I've tried both ways without any difference.  I'll leave it out of the  
config from now on.

> Given that the error message reports it can't find the login server,
> that would seem to indicate that either your DNS isn't set up properly
> for the domain, the machine can't resolve it properly, or there's some
> sort of firewall blocking some or all of the communication with the AD
> servers.

General DNS is working.  I've disabled iptables for all of these  
tests, and there shouldn't be any firewall interruption between these  
hosts.  As far as I am told, the DNS for the domain is delegated to  
the domain itself.  Adding the DCs into resolv.conf explicitly doesn't  
seem to change the behavior.

> Can you run Wireshark/tcpdump while the problems are happening to see
> where the box is trying to connect to, and if it's receiving any  
> responses?

I've done so.  I see a few oddities, but nothing excruciatingly
obvious.  I see a couple DNS requests for SRV
_kerberos-master._udp.FOO.BAR.BAZ coming back with "No such name"
responses, but I'm not sure if those are just resolution order
normalities or not.  The LDAP saslbind seems fine.  I see the request
for the attributes on the user going out, but only 3 of the requested
4 attributes come back (gecos is missing).  I also see a request go out
for SRV _ldap._tcp.dc._msdcs.* to DNS coming back with "No such name"
responses.

One thing I notice is that the first time "wbinfo -i <user>" fails, it  
takes a few seconds to do so.  However, any further runs of the  
command for some period of time (5 minutes in my approximation), it  
fails instantly.  Might just be expected caching behavior, but it  
seemed like it might be relevant.  It seems to be the same behavior I  
experience trying to connect: The first time I try to connect (via a  
Mac SMB client), it seems to time out.  If I try immediately after, it  
seems to work (for some value of work).  Perhaps this is just the LDAP  
bind occurring, though.

Any of that point to anything?

Thanks for your consideration,

Ryan Hardy <ryan.hardy at duke.edu>
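
Added example, not part of the original message: a small check that separates the two kinds of "No such name" SRV answers described above. It assumes the usual Active Directory layout, in which domain controllers register `_ldap._tcp.dc._msdcs`, `_kerberos._tcp` and `_kerberos._udp` under the domain, while `_kerberos-master._udp` is only queried by MIT Kerberos clients and is normally absent. The function names, the required/optional split and the sample zone are constructed for illustration.

```python
import subprocess

# Assumption: records AD domain controllers normally register for DC location.
REQUIRED = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_kerberos._udp")
# Assumption: queried by MIT Kerberos clients, normally not registered by AD.
OPTIONAL = ("_kerberos-master._udp",)


def dig_srv(name):
    """Return SRV targets for name using dig; an empty list means no answer."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10).stdout
    # "+short" SRV lines have four fields: priority weight port target
    return [f[3] for f in (line.split() for line in out.splitlines())
            if len(f) == 4]


def check_realm(realm, lookup=dig_srv):
    """Classify each locator record as ok, missing or absent-optional."""
    report = {}
    for prefix in REQUIRED + OPTIONAL:
        name = f"{prefix}.{realm.lower()}"
        targets = lookup(name)
        if targets:
            report[name] = ("ok", targets)
        elif prefix in OPTIONAL:
            report[name] = ("absent-optional", [])
        else:
            report[name] = ("missing", [])
    return report


def locator_broken(report):
    """Names whose absence would stop a member server from finding a DC."""
    return sorted(n for n, (state, _) in report.items() if state == "missing")


# Constructed sample zone: Kerberos SRV records exist, the DC locator one does not.
SAMPLE_ZONE = {
    "_kerberos._tcp.foo.bar.baz": ["dc1.foo.bar.baz."],
    "_kerberos._udp.foo.bar.baz": ["dc1.foo.bar.baz."],
}

if __name__ == "__main__":
    rep = check_realm("FOO.BAR.BAZ", lookup=lambda n: SAMPLE_ZONE.get(n, []))
    for name, (state, targets) in rep.items():
        print(f"{state:16} {name} {' '.join(targets)}")
```

Calling `check_realm("FOO.BAR.BAZ")` without the `lookup` argument runs the same classification against the resolver the host is actually using.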
