[Samba] Problems with winbind and AD using Ubuntu 9.10

Mike Leone turgon at mike-leone.com
Sat Mar 27 17:22:19 MDT 2010

Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.

AD domain = dacrib.local
AD server = dim-2300.dacrib.local
IP =

Samba server = workhorse.dacrib.local
IP =

I have been following 
<https://help.ubuntu.com/community/Samba/Kerberos>, and my Kerberos 
seems set up properly, as I can get a ticket.

root at workhorse:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at DACRIB.LOCAL

Valid starting     Expires            Service principal
03/27/10 18:36:58  03/28/10 04:37:05  krbtgt/DACRIB.LOCAL at DACRIB.LOCAL
         renew until 03/28/10 18:36:58

Then, following 
I set up my Samba server, and was able to join it to the domain.

root at workhorse:/etc/samba# net ads info
LDAP server:
LDAP server name: dim-win2300.DaCrib.local
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Sat, 27 Mar 2010 19:09:28 EDT
KDC server:
Server time offset: 0

I can see my server in AD. Other domain members can browse to 
\\, and see the defined shares, and access the files in there. 
So it appears to be properly joined to the domain, and sharing.

What's not working is winbind. I do *not* see any domain users or 
groups, from "wbinfo -u" or "wbinfo -g". "wbinfo --all-domains" does 
know about the AD domain, however:

root at workhorse:/etc/samba# wbinfo --all-domains

I did edit nsswitch.conf:
root at workhorse:/etc/samba# more /etc/nsswitch.conf
# /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

At this point, I'm a bit lost. My eventual goal is to have any Linux 
user authenticate against the AD domain, but before I can get that far, 
I need winbind to work.

Any thoughts? Where do I go from here, to troubleshoot winbind not 
returning any users or groups?


         workgroup = DACRIB
         realm = DACRIB.LOCAL
         server string = %h server (Samba)
         security = ADS
         map to guest = Bad User

         client use spnego = true
         client ntlmv2 auth = yes

         eventlog list = Application System Security SyslogLinux

         encrypt passwords = Yes
         obey pam restrictions = Yes
         pam password change = true
         password server = dim-win2300.DaCrib.local
         passdb backend = tdbsam
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
         unix password sync = Yes

         log level = 2
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000

         preferred master = No
         domain master = No
         local master  = No
         os level = 31
         browse list = Yes

         dns proxy = No
         usershare allow guests = Yes
         panic action = /usr/share/samba/panic-action %d

         idmap backend = ad
         idmap uid = 10000-20000
         idmap gid = 10000-20000

         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nested groups = Yes
         winbind refresh tickets = true
         winbind nss info = rfc2307

         invalid users = root
         create mask = 0700
         directory mask = 0775
         writable = Yes
         enable privileges = Yes
         restrict anonymous = 2

         comment = All Printers
         path = /var/spool/samba
         printable = Yes
         browseable = No

         comment = Printer Drivers
         path = /var/lib/samba/printers

         comment = The Old Home Folder
         read only = No
         path = /OldHome

More information about the samba mailing list