[Samba] Winbind does not read uidNumber

Lars Hanke debian at lhanke.de
Mon Jun 30 12:39:44 MDT 2014

Hi steve,

the checklist is a great tool ... I tuned quite some things. Most of 
them didn't seem to change the behavior in any way.

 >> 3. Database check:
>> no gidNumber here, add gidNumber: 10000
>> retried on the client, still no users
> No. This is not within your domain range.

Okay, that probably was the culprit. After changing the client's 
smb.conf to extend the range the user appeared, while Administrator is 
still missing. This is what Rowland's usermap is for, I guess.

Since there is nothing in the logs about this rejection, it may be the 
first thing to check if 'wbinfo -u' has the users, but 'getent passwd' 
does not have them.

>> 4. check for local user
>> getent passwd | grep -i mgr has no hits on either machine. But to check
>> for local entries probably
>> grep -i user /etc/passwd
>> is more appropriate.
> However you wish. Just make sure there is a unique domain user.

The differece is that getent will report the non local users as well, 
i.e. it will report the user, if winbind happens to work properly and 
may therefore confuse people working with your checklist.

>> 5. keytab (double numbering!)
>> klist -k doesn't work, since Heimdal klist has no option -k. This is MIT
>> syntax, if I recall correctly.
> OK. Remove the keytab and recreate it.

The Heimdal syntax is 'ktutil -k /path/to/keytab list'. This worked fine 
on /srv/files/private/secrets.keytab. I linked that to /etc/krb5.keytab, 
i.e. didn't recreate anything. Don't know if that was necessary, since 
we found kerberos working in earlier discussions.

I walked through the other items as well and corrected /etc/hostname of 
the server. For some reason Debian 'hostname' returns 'hostname -s'. So 
probably just state the results of the fully qualified commands in the 

I learned a lot in the recent discussion with Rowland and you.

Great work - thanks,
  - lars.

More information about the samba mailing list