[Samba] Usage of the machine account for ldapsearch
Matthias Kühne | Ellerhold Aktiengesellschaft
matthias.kuehne at ellerhold.de
Wed Feb 4 12:44:09 UTC 2026
Hello Rowland,
sadly my ldbsearch has no "-P" switch. Looking through the files on my
domain member I can't find any *.ldb files. These are only available on a DC.
This works on a DC:
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC=AD,DC=ELLERHOLD,DC=LAN.ldb -a
But I had hopes to use the machine account on a domain member.
Using "groups <USER>" is out too, because if a user hasn't logged in
for a while, then his group membership is just Domain Users and nothing more.
Thanks and have a nice day.
On 04.02.26 at 08:15, Rowland Penny via samba wrote:
> On Wed, 4 Feb 2026 07:45:48 +0100
> Matthias Kühne | Ellerhold Aktiengesellschaft via samba
> <samba at lists.samba.org> wrote:
>
>> Hello lovely samba-people,
>>
>> we've got some scripts that automate some tasks like creation of
>> directories for samba users based on their AD groups. So we need to
>> query the complete group list of AD users in a bash or python script
>> regularly.
>>
>> ATM we're creating a new user for this, exporting his keytab and
>> using kinit and ldapsearch -Y GSSAPI for this.
>>
>> These scripts run on domain-joined debian servers. So they have a
>> machine account for winbind to get the same data. Can we use this
>> machine account to query the group membership of users somehow? "net
>> ads keytab list" shows a lot of principals:
>>
>> Vno Type Principal
>> 1 aes256-cts-hmac-sha1-96 TEST-SERVER$@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 TEST-SERVER$@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 TEST-SERVER$@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 HOST/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
>> 1 aes256-cts-hmac-sha1-96 host/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 aes128-cts-hmac-sha1-96 host/TEST-SERVER@AD.ELLERHOLD.LAN
>> 1 arcfour-hmac-md5 host/TEST-SERVER@AD.ELLERHOLD.LAN
>>
>> I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for
>> a PW. There must be a keytab somewhere on this server that I can use,
>> right?
>>
>> Alternatively, can I query winbind directly via bash / python? I guess
>> I could always run "groups <User>" to get the groups...
>>
>> Thanks in advance and have a nice day!
>>
> You could use ldbsearch with the -P switch instead of ldapsearch.
>
> Rowland
>
--
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe
Local Court Dresden / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
---
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
You can find our privacy policy here: https://www.ellerhold.de/datenschutz/
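What the original question asks for, as an added example that is not from the thread or from the Samba project: authenticate with the domain member's machine account from its keytab, then ask the DC for every group (nested ones included, via LDAP_MATCHING_RULE_IN_CHAIN) that contains the user, and parse the LDIF reply, including the base64 form ldapsearch uses for DNs with umlauts. The keytab path, the LDAP URI and the DN values are assumptions; the principal and realm are the ones shown in the thread.

```python
import base64
import re
import subprocess

KEYTAB = "/etc/krb5.keytab"            # assumed: default target of 'net ads keytab create'
PRINCIPAL = "TEST-SERVER$@AD.ELLERHOLD.LAN"   # machine account principal from the thread
LDAP_URI = "ldap://ad.ellerhold.lan"   # assumed DC address (realm DNS name)
BASE_DN = "DC=AD,DC=ELLERHOLD,DC=LAN"
IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN: nested membership, server-side

def ldap_escape(value):
    """RFC 4515 filter escaping, so a user name taken from script input cannot rewrite the filter."""
    return "".join(c if c not in '\\*()\x00' else "\\%02x" % ord(c) for c in value)

def parse_ldif_attr(ldif, attr):
    """All values of `attr` in unwrapped LDIF (-o ldif-wrap=no). A '::' line carries a
    base64 value; ldapsearch emits that for any DN with non-ASCII characters."""
    pattern = re.compile(r"^" + re.escape(attr) + r"(::?) ?(.*)$", re.IGNORECASE)
    values = []
    for line in ldif.splitlines():
        m = pattern.match(line)
        if m:
            raw = m.group(2)
            values.append(base64.b64decode(raw).decode("utf-8") if m.group(1) == "::" else raw)
    return values

def group_names(dns):
    """Leading CN of each group DN; an escaped comma inside the CN is kept."""
    return [re.match(r"CN=((?:\\.|[^,])+)", dn).group(1) for dn in dns]

def user_groups(sam_account):
    """Ticket from the machine account keytab, then the user's DN, then all groups containing it."""
    subprocess.run(["kinit", "-k", "-t", KEYTAB, PRINCIPAL], check=True)
    common = ["ldapsearch", "-LLL", "-Q", "-o", "ldif-wrap=no", "-Y", "GSSAPI",
              "-H", LDAP_URI, "-b", BASE_DN]
    out = subprocess.run(common + ["(sAMAccountName=%s)" % ldap_escape(sam_account), "distinguishedName"],
                         capture_output=True, text=True, check=True).stdout
    dns = parse_ldif_attr(out, "distinguishedName")
    if not dns:
        raise LookupError("no such user: " + sam_account)
    out = subprocess.run(common + ["(member:%s:=%s)" % (IN_CHAIN, ldap_escape(dns[0])), "distinguishedName"],
                         capture_output=True, text=True, check=True).stdout
    return group_names(parse_ldif_attr(out, "distinguishedName"))

# Constructed sample reply (not real directory data); the umlaut DN is base64-encoded the way ldapsearch does it.
SAMPLE_LDIF = (
    "dn: CN=Max Muster,OU=Users,DC=AD,DC=ELLERHOLD,DC=LAN\n"
    "memberOf: CN=Web Team,OU=Groups,DC=AD,DC=ELLERHOLD,DC=LAN\n"
    "memberOf:: " + base64.b64encode("CN=Druckerei Süd,OU=Groups,DC=AD,DC=ELLERHOLD,DC=LAN".encode()).decode() + "\n"
)
```

`user_groups()` needs a joined member with a valid keytab; the parser and the escaping can be exercised offline with `SAMPLE_LDIF`.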