[Samba] Usage of the machine account for ldapsearch

Rowland Penny rpenny at samba.org
Wed Feb 4 07:15:59 UTC 2026


On Wed, 4 Feb 2026 07:45:48 +0100
Matthias Kühne | Ellerhold Aktiengesellschaft via samba
<samba at lists.samba.org> wrote:

> Hello lovely samba-people,
> 
> we've got some scripts that automate some tasks, like creation of
> directories for samba users based on their AD groups. So we need to
> query the complete group list of AD users in a bash or python script
> regularly.
> 
> ATM we're creating a new user for this, exporting its keytab and
> using kinit and ldapsearch -Y GSSAPI for this.
> 
> These scripts run on domain-joined Debian servers. So they have a
> machine account for winbind to get the same data. Can we use this
> machine account to query the group membership of users somehow? "net
> ads keytab list" shows a lot of principals:
> 
> Vno  Type                     Principal
>   1  aes256-cts-hmac-sha1-96  TEST-SERVER$@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  TEST-SERVER$@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         TEST-SERVER$@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>   1  aes256-cts-hmac-sha1-96  host/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  aes128-cts-hmac-sha1-96  host/TEST-SERVER@AD.ELLERHOLD.LAN
>   1  arcfour-hmac-md5         host/TEST-SERVER@AD.ELLERHOLD.LAN
> 
> I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for
> a PW. There must be a keytab somewhere on this server that I can use,
> right?
> 
> Alternatively, can I query winbind directly via bash / python? I guess
> I could always run "groups <User>" to get the groups...
> 
> Thanks in advance and have a nice day!
> 

You could use ldbsearch with the -P switch instead of ldapsearch.

Rowland
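The approach Rowland suggests, worked through as an added example (this is not code from the post or from the Samba project): ldbsearch authenticates with `-P` (`--machine-pass`), the machine account password that the join stored in secrets.tdb, so no extra user, keytab or kinit is needed, and the script pulls the user's memberOf values out of the LDIF that ldbsearch prints. It goes a little beyond the thread by escaping the username before it is interpolated into the LDAP filter (RFC 4515), since a username that reaches the filter unescaped can change what the query matches. The DC `ldap://dc1.ad.example.com`, the base DN `DC=ad,DC=example,DC=com` and the sample LDIF are assumptions, constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example for the samba list thread above; not from the post or the
# Samba project. Lists a user's direct AD group memberships with ldbsearch,
# authenticating as the joined host's machine account (-P, --machine-pass),
# and extracts group names from the memberOf attribute.
# Assumed (hypothetical) values: DC at ldap://dc1.ad.example.com and base
# DN DC=ad,DC=example,DC=com; override with LDB_HOST / BASE_DN.

LDB_HOST="${LDB_HOST:-ldap://dc1.ad.example.com}"
BASE_DN="${BASE_DN:-DC=ad,DC=example,DC=com}"

# ldap_filter_escape: RFC 4515 escaping for a value placed inside a search
# filter, so a crafted username cannot alter the filter's structure.
# Backslash is escaped first so later replacements are not double-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# parse_member_of: read LDIF on stdin, print the CN of every memberOf value.
# Unfolds LDIF continuation lines (a leading space) and ends the CN at the
# first unescaped comma, unescaping "\," and "\\" inside the CN on the way.
parse_member_of() {
    awk '
        function first_cn(dn,   i, c, out) {
            out = ""
            for (i = 1; i <= length(dn); i++) {
                c = substr(dn, i, 1)
                if (c == "\\") { out = out substr(dn, i + 1, 1); i++ }
                else if (c == ",") break
                else out = out c
            }
            return out
        }
        function emit() {
            if (buf ~ /^memberOf: CN=/) print first_cn(substr(buf, 14))
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(); buf = $0 }
        END { emit() }
    '
}

# user_groups: live query for one sAMAccountName. Run as root: secrets.tdb,
# where -P reads the machine account password from, is readable by root only.
user_groups() {
    filter="(&(objectClass=user)(sAMAccountName=$(ldap_filter_escape "$1")))"
    ldbsearch -P -H "$LDB_HOST" -b "$BASE_DN" -s sub "$filter" memberOf \
        | parse_member_of
}

# Constructed LDIF shaped like ldbsearch output, so the parser can be
# exercised offline. It includes an escaped comma in a CN and a folded line.
SAMPLE_LDIF='# record 1
dn: CN=Jane Doe,OU=Users,DC=ad,DC=example,DC=com
memberOf: CN=Sales\, EU,OU=Groups,DC=ad,DC=example,DC=com
memberOf: CN=Domain Adm
 ins,CN=Users,DC=ad,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals'

# demo_groups: run the parser over the constructed LDIF (offline).
demo_groups() {
    printf '%s\n' "$SAMPLE_LDIF" | parse_member_of
}

if [ $# -gt 0 ]; then
    user_groups "$1"    # live query, e.g. as root: ./groups.sh jdoe
else
    demo_groups         # offline run: prints "Sales, EU" and "Domain Admins"
fi
```

Two caveats a script that creates directories from group membership should account for: memberOf holds direct memberships only, so the user's primary group (primaryGroupID, usually Domain Users) does not appear there and nested groups are not expanded; and ldbsearch emits non-ASCII DNs base64-encoded as `memberOf::`, which this parser does not decode. For the other question in the post, winbind can be asked directly with `wbinfo --user-groups=USER` (GIDs), which `id USER` or `groups USER` resolve to names through nss_winbind; that path needs no LDAP query at all.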


