Dale Schroeder dale at BriannasSaladDressing.com
Fri Nov 6 17:51:46 UTC 2015

I had to move an existing member server to new hardware.  Using getent 
on this Debian Jessie system, I cannot get winbind to retrieve the 
domain users, except for administrator, guest, tsinternetuser, and krbtgt.

Although none of my other working systems have it, I added the 
"dedicated keytab", "kerberos method", and "winbind refresh tickets" 
parameters to match the wiki.

The only problem I have noticed is that installing libnss-winbind no 
longer creates the symbolic link between libnss_winbind.so.2 and 
libnss_winbind.so.  I had to do that manually.  Unlike the wiki, the 
other directory to link does not exist on this system or the working 

net ads testjoin is OK.  The domain SID matches the other servers. 
wbinfo works.

I must have missed something, but I'm at a loss as to what it is. Can 
anyone see anything?


Samba version: 4.1.17+dfsg-2

Output of testparm -s

	workgroup = DOMAIN
	realm = DOMAIN.COM
	server string = Samba File Server
	#server role = member server
	security = ADS
	allow trusted domains = No
	map to guest = Bad User
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
	username map = /etc/samba/users.map
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	#map untrusted to domain = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	name resolve order = host, wins, bcast
	deadtime = 15
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	dns proxy = No
	wins server = 192.168.1.xyz
	ldap ssl = no
	panic action = /usr/share/samba/panic-action %d
	template homedir = /data/users/%U
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind refresh tickets = Yes
	winbind offline logon = Yes
	recycle:versions = Yes
	recycle:maxsize = 20971520
	recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
	recycle:repository = /var/domain/trash/%U
	idmap config DOMAIN : range = 1000 - 2000
	idmap config DOMAIN : backend = rid
	idmap config * : range = 1000000 - 2000000
	idmap config * : backend = tdb
	admin users = root, DOMAIN\administrator
	hosts allow =
	ea support = Yes
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	veto files = /trash/
	veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
	map archive = No
	map readonly = no
	store dos attributes = Yes
	vfs objects = recycle

krb5.conf as per wiki:
	default_realm = DOMAIN.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

resolv.conf as per wiki:

search domain.com
nameserver 192.168.1.abc


passwd:		compat winbind
group:		compat winbind
shadow:		compat
gshadow:	files

hosts:		fines dns wins
networks:	files dns

protocols:	db files
services:	db files
ethers:		db files
rpc:		db files
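As an added illustration, not part of the post above: the idmap_rid backend named in this testparm output maps an Active Directory RID to a Unix id with the documented rule `id = LOW + RID`, and any account whose RID lands outside the configured `LOW - HIGH` range gets no mapping at all, so winbind cannot hand it to `getent`. The script below parses the `idmap config ... : range` lines out of `testparm -s` text and shows which RIDs a given range can hold. The account RIDs are constructed samples: 500/501/502 are the well-known RIDs of Administrator, Guest and krbtgt, the rest are hypothetical.

```python
"""
Model of the idmap_rid mapping rule (id = LOW + RID) so that a
configured "idmap config DOMAIN : range = LOW - HIGH" can be checked
against the RIDs that exist in the domain. Added example, not code
from the post or from Samba.
"""
import re
from typing import Dict, Optional, Tuple


def parse_idmap_ranges(testparm_output: str) -> Dict[str, Tuple[int, int]]:
    """Collect every 'idmap config <name> : range = LOW - HIGH' line."""
    pat = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for m in pat.finditer(testparm_output):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def rid_to_unix_id(rid: int, low: int, high: int) -> Optional[int]:
    """idmap_rid rule: id = low + rid; None when the result leaves the range."""
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def max_mappable_rid(low: int, high: int) -> int:
    """Largest RID that still fits into [low, high] under idmap_rid."""
    return high - low


def check_accounts(testparm_output: str, accounts: Dict[str, int],
                   domain: str = "DOMAIN") -> Dict[str, Optional[int]]:
    """Map each sample account's RID through the domain's configured range."""
    low, high = parse_idmap_ranges(testparm_output)[domain]
    return {name: rid_to_unix_id(rid, low, high) for name, rid in accounts.items()}


# Constructed sample: the idmap lines as they appear in the testparm output above.
SAMPLE_TESTPARM = """
\tidmap config DOMAIN : range = 1000 - 2000
\tidmap config DOMAIN : backend = rid
\tidmap config * : range = 1000000 - 2000000
\tidmap config * : backend = tdb
"""

# Constructed sample accounts. 500/501/502 are the well-known RIDs of
# Administrator, Guest and krbtgt; the remaining RIDs are hypothetical.
SAMPLE_ACCOUNTS = {
    "administrator": 500,
    "guest": 501,
    "krbtgt": 502,
    "tsinternetuser": 1000,   # hypothetical RID
    "alice": 1104,            # hypothetical RID
    "bob": 2310,              # hypothetical RID
}


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_TESTPARM)
    low, high = ranges["DOMAIN"]
    print(f"DOMAIN range {low}-{high}: highest mappable RID is {max_mappable_rid(low, high)}")
    for name, unix_id in check_accounts(SAMPLE_TESTPARM, SAMPLE_ACCOUNTS).items():
        status = unix_id if unix_id is not None else "NOT MAPPED (RID outside range)"
        print(f"{name:15s} rid={SAMPLE_ACCOUNTS[name]:5d} -> {status}")
```

With a `1000 - 2000` range the highest RID idmap_rid can place is 1000, so only accounts with RIDs up to 1000 receive a uid. Whether that is what is happening on a given member server depends on the real RIDs in that domain; `wbinfo --name-to-sid NAME` shows an account's SID (the RID is its last component), and `wbinfo --sid-to-uid SID` shows whether winbind can map it. Enlarging the range (and keeping it clear of the `*` range and of local uids) is the corresponding fix when the RIDs really do fall outside it.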

