[Samba] wbinfo -u returns no domain users

Gregory Cushing ioudas at gmail.com
Tue Jun 3 14:19:14 MDT 2014

Carla, no worries, we all have to start somewhere.

Here is my .02 from samba.

So imagine you are a Windows domain controller. You have users represented
in a SID fashion, i.e. S-1234.

What winbind does is query the domain controller, then handle the
translation from the SID into the PAM Linux authentication module. The PAM
module handles user logins for ssh/console etc. Winbind hooks into this
system to provide Unix ID translation from SID IDs on the domain.

You will need to conf nsswitch, PAM and smb.conf to do this. Make sure
modules are defined and working and installed in the nsswitch confs and PAM
module confs. Then you will have to verify the id map settings.

Here is a link with different id mapping:

Below is stuff done on Debian. But the process is the same on AIX or Debian
or CentOS. I also kinit to confirm Kerberos status.

Here is an example from a spare box I have:


gregc2 at NRFVUTIL1:~$ cat /etc/samba/smb.conf
workgroup = NRFDIST
security = ads
realm = nrfdist.local
password server = nrfdc1.nrfdist.local
domain logons = no
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind refresh tickets = yes
domain master = no
local master = no
prefered master = no
os level = 0
idmap config *:backend = tdb
idmap config *:range = 11000-20000
# (here you can use a RID backend or any you choose)
printing = bsd
printcap name = /dev/null
    path = /shares/ADShareTest
    create mask = 0775
    read only = no
    valid users = NRFDIST\gregc3, "@Domain Admins"
    writeable = yes
    directory mask = 775
    path = /shares/ddreports
    create mask = 0775
    read only = no
    valid users = NRFDIST\nrfst, "@Domain Admins"
    writeable = yes
    directory mask = 775
    path = /shares/cadec
    create mask = 0775
    read only = no
    valid users = NRFDIST\nrfcadecservice, "@Domain Admins"
    writeable = yes
    directory mask = 775

gregc2 at NRFVUTIL1:~$ getent passwd

lists all users in the domain you have configured.

getent group lists group info found

wbinfo -a tests authentication
wbinfo -g lists winbind's cache of group info
wbinfo -u lists user info in cache

gregc2 at NRFVUTIL1:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Example of PAM conf module change (this should be done by your distro, but
I've seen CentOS not do this multiple times):

gregc2 at NRFVUTIL1:~$ cat /etc/pam.d/common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

There are several other files... that need to be confed correctly. I can
provide those files to you if needed.

If you have specific questions feel free to come chat on irc.freenode.net
#samba on an irc client. I am there as ioudas and can walk you through as


On Tue, Jun 3, 2014 at 3:48 PM, Carla Nurse <packethelp at gmail.com> wrote:

> Gregory,
> I should have mentioned that I am a novice when it comes to Samba. This is
> literally my first interaction. I'm not sure what winbind idmapping is. I
> will attach a copy of my smb.conf file though.
> smb.conf
> [global]
>  workgroup = CAVEHILL
> server string = %h
> security = ads
> passdb backend = tdbsam
> encrypt passwords = yes
> winbind use default domain = yes
> client NTLMv2 auth = yes
> preferred master = no
> domain master = no
> local master = no
> load printers = no
> log level = 1 winbind:5 auth:3
> winbind max clients = 750
> winbind max domain connections = 15
> I really am not sure what any of the other stuff is. Would you mind
> breaking it down for me?
> Carla
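
Added example (not part of the original message and not Samba project code): a read-only shell check for the settings the reply above says must be in place, namely security = ads, an idmap backend and range for the default domain, and winbind on the passwd and group lines of nsswitch.conf. The function names, file arguments and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: static check of the settings listed in the reply. It only reads
# the files it is given; it does not call winbind, wbinfo or testparm.

# smb_param FILE NAME: print the value of the last "NAME = value" line.
# Sections are ignored, which is fine for these global-only parameters.
smb_param() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        NF >= 2 {
            key = tolower($1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]*:[ \t]*/, ":", key)         # accept "idmap config * : range"
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# check_winbind_conf SMBCONF NSSWITCH: print findings, return their count.
check_winbind_conf() {
    n=0
    [ "$(smb_param "$1" security | tr 'A-Z' 'a-z')" = "ads" ] ||
        { echo "smb.conf: security is not ads"; n=$((n + 1)); }
    for p in backend range; do
        [ -n "$(smb_param "$1" "idmap config *:$p")" ] ||
            { echo "smb.conf: idmap config *:$p is not set"; n=$((n + 1)); }
    done
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$2" ||
            { echo "nsswitch.conf: $db does not list winbind"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample input: a member-server smb.conf with no idmap lines and a
# distribution-default nsswitch.conf that has not been edited for winbind.
demo=$(mktemp -d)
printf '%s\n' '[global]' 'workgroup = EXAMPLE' 'security = ads' \
    'winbind use default domain = yes' > "$demo/smb.conf"
printf '%s\n' 'passwd:         compat' 'group:          compat' > "$demo/nsswitch.conf"
check_winbind_conf "$demo/smb.conf" "$demo/nsswitch.conf" || echo "problems found: $?"
```

Run it against copies of /etc/samba/smb.conf and /etc/nsswitch.conf; a return value of 0 means every listed setting was found, not that the domain join itself is healthy.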
