[Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

Vladimir Levijev vladimir.levijev at gmail.com
Mon Feb 4 12:38:15 MST 2013


Hi,

I have Debian Squeeze running Samba as a member of the domain (PDC
and BDC are Windows servers) and its users have been authenticated
against AD using winbind for years.

Now there is a need to set up another virtual Debian box exactly like
that. So the name of the first is STUDENT, I named the virtual
STUDENT2. I'm trying to set up the virtual box exactly the same, using
exactly the same configs (smb.conf, krb5.conf) as on the working box,
but this is what I get:

On STUDENT2, I can:
- create kerberos tickets (kinit Administrator@FOO.LOCAL)
- list kerberos tickets (klist)
- join the domain (net ads join -U Administrator)
  Here I get the following output:
    Using short domain name -- FOO
    Joined 'STUDENT2' to realm 'FOO.Local'
    DNS update failed!
  But as I understand the last message is not something to worry about.
- (here I start samba, then winbind)

And at this point a strange thing happens. I cannot get domain users
using wbinfo (wbinfo -u returns nothing) but I get them all using "net
ads user -U Administrator". Of course, "getent passwd" lists only
local users too.

I believe my winbind is not working properly. Here are the questions:

1). How to effectively debug why wbinfo is acting this way?
2). Could the problem be because of 2 machines conflicting because of
one letter difference (STUDENT vs STUDENT2)?

I can't delete the first box from domain in order to test it as it's
in production.

STUDENT2 details:
- Debian Squeeze up-to-date (6.0.6)
- standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
  ii  samba                              2:3.5.6~dfsg-3squeeze9
  ii  samba-common                       2:3.5.6~dfsg-3squeeze9
  ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze9
  ii  winbind                            2:3.5.6~dfsg-3squeeze9
- # wbinfo -p
Ping to winbindd succeeded

PDC and BDCs are running Windows Server 2008 R2.

I can post the configs in case it helps. However I feel like I have
tried all the possible variations of the configs (from so many good
howto's) with no effect at all.

P. S. One more (possibly important) detail. When I was playing with
different configs I sometimes was getting different output from
'wbinfo -u', which looked like this:

STUDENT2+joe
STUDENT2+nobody

This looked very strange to me as my domain is 'FOO.LOCAL', not
'STUDENT2' (the latter is a hostname of the new box) and these 2 users
are local users.

Thanks in advance,

dimir
