[Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

Vladimir Levijev vladimir.levijev at gmail.com
Tue Feb 5 16:24:05 MST 2013

On 4 February 2013 21:38, Vladimir Levijev <vladimir.levijev at gmail.com> wrote:

> I have Debian Squeeze running Samba as a member of the domain (PDC
> and BDC are Windows servers) and its users have been authenticated against
> AD using winbind for years.
> Now there is a need to set up another virtual Debian box exactly like
> that. So the name of the first is STUDENT, I named the virtual one
> STUDENT2. I'm trying to set up the virtual box exactly the same, using
> exactly the same configs (smb.conf, krb5.conf) as on the working box,
> but this is what I get:
> On STUDENT2, I can:
> - create kerberos tickets (kinit Administrator at FOO.LOCAL)
> - list kerberos tickets (klist)
> - join the domain (net ads join -U Administrator)
>   Here I get the following output:
>     Using short domain name -- FOO
>     Joined 'STUDENT2' to realm 'FOO.Local'
>     DNS update failed!
>   But as I understand the last message is not something to worry about.
> - (here I start samba, then winbind)
> And at this point a strange thing happens. I cannot get domain users
> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
> ads user -U Administrator". Of course, "getent passwd" lists only
> local users too.
> I believe my winbind is not working properly. Here are the questions:
> 1). How to effectively debug why wbinfo is acting this way?
> 2). Could the problem be the two machines conflicting because of a
> one-letter difference in their names (STUDENT vs STUDENT2)?
> I can't delete the first box from the domain in order to test it as it's
> in production.
> STUDENT2 details:
> - Debian Squeeze up-to-date (6.0.6)
> - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
>   ii  samba                              2:3.5.6~dfsg-3squeeze9
>   ii  samba-common                       2:3.5.6~dfsg-3squeeze9
>   ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze9
>   ii  winbind                            2:3.5.6~dfsg-3squeeze9
> - # wbinfo -p
>   Ping to winbindd succeeded
> PDC and BDCs are running Windows Server 2008 R2.
> I can post the configs in case it helps. However, I feel like I have
> tried all the possible variations of the configs (from so many good
> howtos) with no effect at all.

More info.

# wbinfo -D foo
Name              : FOO
Alt_Name          : FOO.Local
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native            : Yes
Primary           : Yes

# wbinfo -D foo
Name              : FOO
Alt_Name          : FOO.LOCAL
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native            : No
Primary           : Yes

Firstly, why is Alt_Name different (both boxes have identical configs)
and where does it come from exactly?
And secondly, what do "Active Directory", "Native" and "Primary" mean?
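As an added example (not part of the original thread), the helpers below parse two "wbinfo -D" outputs field by field and report exactly which fields differ, and whether winbind classifies the domain as Active Directory in native mode. The two sample outputs are copied from the post above; the function names are my own.

```shell
#!/bin/sh
# Added example: compare two "wbinfo -D <domain>" outputs field by field.
# The sample texts are the two outputs quoted in the post; helper names are assumptions.

# First output from the post (all "Yes" flags, Alt_Name "FOO.Local").
WBINFO_OUT_A='Name              : FOO
Alt_Name          : FOO.Local
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native            : Yes
Primary           : Yes'

# Second output from the post ("No" for Active Directory/Native, Alt_Name "FOO.LOCAL").
WBINFO_OUT_B='Name              : FOO
Alt_Name          : FOO.LOCAL
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native            : No
Primary           : Yes'

# wbinfo_field OUTPUT FIELD: print the value of FIELD (key is the text before the colon).
wbinfo_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" '
        { k = $1; sub(/[ \t]+$/, "", k)      # trim trailing blanks from the key
          v = $2; sub(/^[ \t]+/, "", v)      # trim leading blanks from the value
          if (k == key) { print v; exit } }'
}

# wbinfo_diff OUT_A OUT_B: print "FIELD: a -> b" for every differing field;
# return 0 when the two outputs agree on all fields, 1 otherwise.
wbinfo_diff() {
    rc=0
    for f in "Name" "Alt_Name" "SID" "Active Directory" "Native" "Primary"; do
        a=$(wbinfo_field "$1" "$f")
        b=$(wbinfo_field "$2" "$f")
        if [ "$a" != "$b" ]; then
            printf '%s: %s -> %s\n' "$f" "$a" "$b"
            rc=1
        fi
    done
    return $rc
}

# wbinfo_is_ad OUTPUT: succeed only if winbind reports an AD domain in native mode,
# which is what a working "security = ads" member should show.
wbinfo_is_ad() {
    [ "$(wbinfo_field "$1" 'Active Directory')" = Yes ] &&
    [ "$(wbinfo_field "$1" Native)" = Yes ]
}
```

On a live box, feed it `wbinfo -D FOO` captured from each host (for example `wbinfo_diff "$(ssh student wbinfo -D FOO)" "$(wbinfo -D FOO)"`) to see at a glance which fields the two winbindd instances disagree on.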