[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all

Rowland Penny rpenny at samba.org
Sat Feb 18 20:17:12 UTC 2017

On Sat, 18 Feb 2017 19:12:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> I will set up debian in a VM and install the OS Samba packages and see
> if I have problems, bear with me ;-)

OK, back with the result and it works for me ;-)

Debian Jessie network install, no GUI, using DHCP to set ipaddress.

Only change I made before installing Samba, was to comment the
'' line in /etc/hosts

apt-get install samba acl attr quota fam
winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user
ntp dnsutils ldb-tools

service smbd stop
service nmbd stop
service winbind stop


    workgroup = SAMDOM
    security = ADS

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


!root = SAMDOM\Administrator SAMDOM\administrator Administrator

samba -V
Version 4.2.14-Debian


    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

chmod 644 /etc/krb5.conf

net ads join -U Administrator
Using short domain name -- SAMDOM
Joined 'DEBMEMBER' to dns domain 'samdom.example.com'

service smbd start
service nmbd start
service winbind start


Add 'winbind' to the passwd & group lines

'getent passwd' displays all users, local and AD

getent passwd rowland
rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash


More information about the samba mailing list