[Samba] samba 4 member server in Win 2008 domain, wbinfo fails

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Dec 23 14:47:06 MST 2014

I have started tinkering with samba 4.

I have a Windows 2008 Active Directory domain controller. It is also
the main DNS server but is not the WINS server. The DNS server does
NOT allow DNS registration by client machines.

I have a Fedora Core 19 Linux machine with Samba 4.1.13 (bundled with

smb.conf includes

         security = ads
         realm = MYDOMAIN.COM
         password server = pdc.mydomain.com
         passdb backend = tdbsam
         encrypt passwords = yes
         winbind enum users = yes
         winbind enum groups = yes

krb5.conf includes

    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = MYDOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}

      EXAMPLE.COM = {
       kdc = kerberos.example.com
       admin_server = kerberos.example.com
       kdc = pdc.mydomain.com
       admin_server = pdc.mydomain.com
       kpasswd_server = pdc.mydomain.com
       default_domain = mydomain.com

      .mydomain.com = MYDOMAIN.COM
      mydomain.com = MYDOMAIN.COM

The "kinit someuser@MYDOMAIN" command works.

I have not set up idmapping yet.   I want to make sure "wbinfo -u" works 

I have winbind running.  I don't think I need nmbd running.

I temporarily disabled the Linux firewall and SELinux.

Joined domain

        [root@penguin ~]# net ads join -U Administrator
        Enter Administrator's password:
        Using short domain name -- MYDOMAIN
        Joined 'PENGUIN' to dns domain 'mydomain.com'
        DNS Update for penguin.mydomain.com failed: ERROR_DNS_GSS_ERROR
        DNS update failed: NT_STATUS_UNSUCCESSFUL
        [root@penguin ~]#

        [root@penguin]# net ads testjoin
        Join is OK
        [root@penguin]#

On the Win 2008 DC, AD U&C shows the Linux machine.

wbinfo -u (and any wbinfo command) fails

        [root@penguin /]# wbinfo -u
        Error looking up domain users
        [root@penguin /]# wbinfo -t
        checking the trust secret for domain -not available- via RPC calls failed
        failed to call wbcCheckTrustCredentials: WBC_ERR_NOT_IMPLEMENTED
        Could not check secret
        [root@penguin /]# wbinfo -g
        failed to call wbcListGroups: WBC_ERR_NOT_IMPLEMENTED
        Error looking up domain groups
        [root@penguin /]#

The winbind logs show Kerberos activity happening.  I don't see any
obvious errors.  I see the following but I don't think it is an actual 

        [2014/12/23 15:38:40.325491,  5]
           We are checking against an old Samba version -

Any advice?


