Old 06-07-2011, 09:06 PM   #1
LQ Newbie
Registered: Jun 2011
Posts: 1

Rep: Reputation: Disabled
AD Authentication - wbinfo Works, getent Doesn't work, Can't Login

Hi all,
I'm trying to bring up a RHEL5.6 server and have SSH users authenticate against Windows 2008r2 AD. As I noted in the subject, I can retrieve AD information using both wbinfo -u and wbinfo -g. All kerberos tests seem to run fine, but when I try getent passwd or group I only see local information, nothing from AD. I also cannot SSH in as an AD user, but I think I should be able to get getent working before I worry about that?

I turned up the log level on samba to 10, but about the only issue I can see at the moment is in /var/log/samba/winbindd.log
[2011/06/07 22:03:32.896639, 6] winbindd/winbindd.c:768(new_connection) accepted socket 22
[2011/06/07 22:03:32.896736, 2] winbindd/winbindd.c:819(winbind_client_request_read)
Could not read client request from fd 22: Input/output error

Anything I might be able to try would be greatly appreciated. Thanks!

I currently have installed:
samba3x.x86_64 3.5.4-0.70.el5_6.1
samba3x-client.x86_64 3.5.4-0.70.el5_6.1
samba3x-common.x86_64 3.5.4-0.70.el5_6.1
samba3x-winbind.x86_64 3.5.4-0.70.el5_6.1

/etc/nsswitch.conf (partial):
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf (partial):
workgroup = MYDOMAIN
password server =
encrypt passwords = Yes
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
Old 06-30-2011, 03:59 PM   #2
LQ Newbie
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 28

Rep: Reputation: 17
when wbinfo -u (wbinfo -g) works, but getent passwd (getent group) doesn't

My Debian v5 (aka Lenny) file server was that way (even after successfully joining the domain and like you, wbinfo commands showed AD users and groups); went back into the samba config file and uncommented the winbind enum lines (note: comments stated "was the default behavior" but now not because "it might induce performance issues in large organizations", as was in my case); stopped winbind, restarted samba, started winbind, and poof (okay, took a few moments to get the results), getent showed ids for the various groups and users!

sudo pico /etc/samba/smb.conf
uncomment (i.e. remove the leading semi-colon):
winbind enum users = yes
winbind enum groups = yes
Ctrl (aka control) and "x", "y", Enter
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start
getent group

But wait, you seem to show that your enum lines are uncommented; wonder if you have a firewall issue (e.g. for me, I use iptables, so something like "sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP DROP:"" before "sudo iptables -A INPUT -p udp -j DROP" and then "dmesg" after trying the getent commands to see if dropped traffic is getting logged). I also left my "shadow: compat" in my /etc/nsswitch.conf, and I "sudo ln -s /lib/ /lib/" just in case. Hope this helps.

Last edited by hunter3740; 06-30-2011 at 04:18 PM.
Old 09-29-2016, 09:45 AM   #3
LQ Newbie
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 28

Rep: Reputation: 17
note for smb and winbind 4 (deb 8)

You'll need to add "winbind expand groups = 1" to your /etc/samba/smb.conf (if you want to see members of a group with "getent group namehere").
also, idmap lines have changed their syntax:
idmap config *:backend = rid
idmap config *:range = 10000-1000000

and because I'm part of a large org:
winbind enum users = no
winbind enum groups = no

and I noticed haste makes waste in my previous restarting of smb and winbind services, should be stop smb, restart winbind, start samba:
sudo /etc/init.d/samba stop; sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba start

Last edited by hunter3740; 09-29-2016 at 09:48 AM.
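
A static check of the two files this thread keeps editing, as an added example that is not part of any post above: it reports whether nsswitch.conf routes passwd and group to winbind, whether the winbind enum lines are on (with them off, as in post #3, a bare getent passwd lists only local accounts, while a lookup of one name such as getent passwd someuser still goes to winbind), and which idmap syntax is present. The function names and sample files are constructed for illustration, and a missing enum line is treated as off, an assumption matching the commented-out default described in post #2.

```shell
#!/bin/sh
# Added example: static check of the two files this thread edits.

# Print the lower-cased value of one smb.conf parameter; ';' and '#' comment lines are skipped.
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -F= -v want="$2" '
        /^[ \t]*[;#]/ { next }
        NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == tolower(want)) {
                val = tolower(substr($0, index($0, "=") + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

check_winbind_nss() {  # $1 = nsswitch.conf path, $2 = smb.conf path
    for db in passwd group; do
        if grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1"; then
            echo "OK   nsswitch $db: winbind listed"
        else
            echo "FAIL nsswitch $db: winbind not listed, getent $db cannot reach AD"
        fi
    done
    for kind in users groups; do
        case "$(smb_param "$2" "winbind enum $kind")" in
            yes|true|1) echo "OK   enum $kind: on, a bare getent should list domain $kind" ;;
            *) echo "NOTE enum $kind: not set to yes, a bare getent lists local $kind only; query one name" ;;
        esac
    done
    if [ -n "$(smb_param "$2" "idmap uid")$(smb_param "$2" "idmap gid")" ]; then
        echo "NOTE idmap: old 'idmap uid/gid' syntax (the 3.x form from post #1)"
    fi
    if [ -n "$(smb_param "$2" "idmap config *:range")" ]; then
        echo "OK   idmap: 'idmap config *:range' syntax (the form from post #3)"
    fi
}

# Constructed sample input: the partial files quoted in post #1.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'passwd: files winbind' 'shadow: files winbind' 'group: files winbind' > "$d/nsswitch.conf"
    printf '%s\n' 'security = ADS' 'idmap uid = 16777216-33554431' 'idmap gid = 16777216-33554431' \
        'winbind enum users = yes' 'winbind enum groups = yes' > "$d/smb.conf"
    check_winbind_nss "$d/nsswitch.conf" "$d/smb.conf"
    rm -rf "$d"
}
demo
```

If every line comes back OK and getent still shows only local entries, the files are consistent and the remaining causes are at runtime (service restart order, the winbindd log, or dropped traffic, as the posts discuss).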