[Samba] wbinfo -u does not list trusted users, wbinfo -n works

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Dec 13 14:51:39 UTC 2016

Running a mix of samba versions (3.6.25 and 4.5.1)  in two domains-  one 
"classic" (with samba domain controllers) and one AD (with windows 
domain controllers.)   The eventual goal is to drop the classic domain 
in favor of the AD domain.   Also trying to move from samba 3.x to 4.x 
since Samba 3 is EOL'd.

The "wbinfo -u" command will list users in the server's domain but not 
trusted domains.   However the "wbinfo -n" command (e.g. "wbinfo -n 
TRUSTEDDOMAIN\username") does return the user's SID, and "getent passwd" 
may be able to show the trusted user (depending on idmap config.)

Typical winbind settings are

  # testparm -v | grep winbind

         winbind separator = \
         winbind cache time = 300
         winbind reconnect delay = 30
         winbind max clients = 200
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = No
         winbind trusted domains only = No
         winbind nested groups = Yes
         winbind expand groups = 1
         winbind nss info = template
         winbind refresh tickets = No
         winbind offline logon = No
         winbind normalize names = No
         winbind rpc only = No
         winbind max domain connections = 1

Changing "winbind use default domain" or "winbind trusted domains only" 
to yes will change how the own domain users are displayed 
("MYDOMAIN\username" vs "username")

Logs show errors about winbind not being able to connect to either 
the own or trusted domains when I restart the winbind svc.    It seems 
like winbind has issues when it starts but then future "wbinfo -n" 
lookups do connect.   "wbinfo -D TRUSTDOMAIN" works.

I used to run just samba 3.6.25 in classic domain.  Trusts with AD 
domains were fine until the various BADLOCK related patches came out 
for windows.    Samba 3.6.25 with backported badlock patches seemed to 
fix trusts issues with domains BUT broke windows client logins.       I 
think I just need to get away from samba 3 (and classic domains) or I 
will continue to have issues with the latest versions of windows.
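
The symptom described above (domains that winbind knows about but that contribute no entries to "wbinfo -u") can be checked mechanically. This is an added example, not part of the original post: the function names are hypothetical and the sample data is constructed, and it assumes enumerated users appear as DOMAIN<separator>user.

```shell
#!/bin/sh
# Constructed sample data standing in for "wbinfo -m" and "wbinfo -u" output.
SAMPLE_DOMAINS='BUILTIN
MYDOMAIN
TRUSTEDDOMAIN'
SAMPLE_USERS='MYDOMAIN\alice
MYDOMAIN\bob'

# domains_missing_from_enum DOMAIN_LIST USER_LIST [SEPARATOR]
# Prints every domain in DOMAIN_LIST that has no DOMAIN<sep>user entry
# in USER_LIST. SEPARATOR defaults to "\" ("winbind separator").
# Note: with "winbind use default domain = Yes" the own domain's users
# carry no prefix, so the own domain would be reported here as well.
domains_missing_from_enum() {
    sep=${3:-'\'}
    printf '%s\n' "$1" | while IFS= read -r dom; do
        case $dom in ''|BUILTIN) continue ;; esac
        found=no
        while IFS= read -r user; do
            case $user in "$dom$sep"*) found=yes; break ;; esac
        done <<EOF
$2
EOF
        [ "$found" = yes ] || printf '%s\n' "$dom"
    done
}

# Live use on a winbind host (assumes wbinfo is installed; not called here).
# Separates "domain unreachable" from "reachable but not enumerated".
report_live() {
    for d in $(domains_missing_from_enum "$(wbinfo -m)" "$(wbinfo -u)"); do
        if wbinfo -D "$d" >/dev/null 2>&1; then
            echo "$d: domain info OK, but no users in enumeration"
        else
            echo "$d: domain info lookup failed"
        fi
    done
}
```
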
