Hi all,
I'm trying to bring up a RHEL5.6 server and have SSH users authenticate against Windows 2008r2 AD. As I noted in the subject, I can retrieve AD information using both wbinfo -u and wbinfo -g. All kerberos tests seem to run fine, but when I try getent passwd or group I only see local information, nothing from AD. I also cannot SSH in as an AD user, but I think I should be able to get getent working before I worry about that?

I turned up the log level on samba to 10, but about the only issue I can see at the moment is in /var/log/samba/winbindd.log
[2011/06/07 22:03:32.896639, 6] winbindd/winbindd.c:768(new_connection) accepted socket 22
[2011/06/07 22:03:32.896736, 2] winbindd/winbindd.c:819(winbind_client_request_read)
Could not read client request from fd 22: Input/output error

Anything I might be able to try would be greatly appreciated. Thanks!

I currently have installed:
samba3x.x86_64 3.5.4-0.70.el5_6.1
samba3x-client.x86_64 3.5.4-0.70.el5_6.1
samba3x-common.x86_64 3.5.4-0.70.el5_6.1
samba3x-winbind.x86_64 3.5.4-0.70.el5_6.1

/etc/nsswitch.conf (partial):
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf (partial):
workgroup = MYDOMAIN
password server = 10.1.60.10
encrypt passwords = Yes
realm = MYDOMAIN.COM
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes

My Debian v5 (aka Lenny) file server was that way (even after successfully joining the domain and like you, wbinfo commands showed AD users and groups); went back into the samba config file and uncommented the winbind enum lines (note: comments stated "was the default behavior" but now not because "it might induce performance issues in large organizations", as was in my case); stopped winbind, restarted samba, started winbind, and poof (okay, took a few moments to get the results), getent showed ids for the various groups and users!

sudo pico /etc/samba/smb.conf
uncomment (i.e. remove the leading semi-colon):
winbind enum users = yes
winbind enum groups = yes
Ctrl (aka control) and "x", "y", Enter
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start
getent group


But wait, you seem to show that your enum lines are uncommented; wonder if you have a firewall issue (e.g. for me, I use iptables, so something like "sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP DROP:" before "sudo iptables -A INPUT -p udp -j DROP" and then "dmesg" after trying the getent commands to see if dropped traffic is getting logged). I also left my "shadow: compat" in my /etc/nsswitch.conf, and I "sudo ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so" just in case. Hope this helps.