[Samba] wbinfo works, getent and check via smbclient not

Karsten Römke k.roemke at gmx.de
Thu Mar 4 04:25:51 MST 2010

Hi Grant,
< ... delete old text ...
you wrote
> Your join is just fine. That err is the same as happens when I join and
> mine works excellently otherwise. The join is ok is the important part.
> There are various tests you can do to see if things are working:
> kinit usernamewithadminprivileges
> like:
> kinit karsten
> should ask for a password
> klist
> should return a tciket cache for the user just authenticated
> kdestroy
> should make it so when you do klist agin there are no more tickets cached

I don't know.
I'm confused, I thought I need winbind to connect to the windows server.
I thought that my pam configuration maybe is wrong.

So my question: Do I need winbind or ldap or both.
There are any modification needed to my pam.d directory?
I found a file named samba there.


> use ldapsearch like:
> ldapsearch -x -D 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspeicifou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld' -H ldaps://ldap.yourad.yourdomain.yourtld -W -b 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom'
> you don't have to be quite that specific but you get the idea. It
> returns all the users in your ou.
> you need to set your /etc/ldap.conf  and /etc/ldap/ladp.conf (might be
> /etc/openldap/ldap.conf depending on your OS)
> to look at the right places, fer instance:
> /etc/ldap.conf
> ssl on
> port 636
> ldap_version 3
> tls_checkpeer no
> uri ldaps://ldap.yourldapurl
> # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed
> binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdoain,DC=yourtld
> #password for the AD user account used to bind to AD LDAP
> bindpw yourldapuserpassword
> base OU=yourou,DC=AD,DC=yourdoain,DC=yourtld
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute cn sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute loginShell loginShell
> nss_map_attribute shadowLastChange pwdLastSet
> pam_login_attribute sAMAccountName
> pam_filter objectclass=user
> and fer the odder wun:
> #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS 
> #Secure LDAP URI/Server 
> uri ldaps://ldap.yourldapurl
> # restrict to your ou
> BASE OU=yourou,DC=AD,DC=yourdoain,DC=yourtld
> # set to the cn for the kerberos user used for authenticating
> BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdoain,DC=yourtld
> # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always
> TLS_REQCERT never 
> if those tests are working and you have set up the ldap conf files right
> and  nsswitch.conf as well you should get back the users/groups from
> your ou when you do
> getent passwd.
> or getent group
> You might try nsswitch.conf settings like
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> there's some description here:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
> but you might also google for more.
> Have fun!
> Grant 

More information about the samba mailing list