Wbinfo -u does not show AD users (is empty)

kerberossamba4ubuntu-14.04winbindwindows-server-2008-r2

We have a problem on a Ubuntu Server 14.04 (fileserver) connected to AD on a Windows Server 2008 R2 using Samba (version 4.3.8)/WinBind and Kerberos. The problem is that users do not have writing permissions in their personal folders.

We also noted that when using wbinfo -u, the output does not give an error but produces an empty list and it does not even show local users. However, wbinfo -g correctly shows the AD groups.

This setup worked fine until yesterday. We set up another fresh Ubuntu server configured identically and it produced the same problem.

Joining and trust with AD works fine:

net ads join -U administrator
Enter administrator's password:
Using short domain name -- NTB
Joined 'UBUNTUTEST' to dns domain 'NTB.local'

Any idea what the problem may be or how we can troubleshoot it further?

Best Answer

Try to add the following line to your smb.conf:

client ldap sasl wrapping = plain

It seems as this has caused some trouble lately.

Related Solutions

Samba: AD authentication for local users

Make sure the winbind service is running.

Set up in your /etc/pam.d/samba:

account     [default=bad success=ok user_unknown=ignore]  pam_winbind.so
account     required      pam_permit.so

password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so

auth       required pam_nologin.so
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so

Pam changes sometimes require a winbind restart. Shouldn't, but practical experience says do it anyway.

In smb.conf you also need:

realm = YOURKERBEROSREALMNAME
password server = the host or IP of your ADC
idmap backend = rid:DOMAIN=5000-100000000
idmap uid = 10000-10000000
idmap gid = 10000-10000000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes

Where DOMAIN is your workgroup or domain name and realm matches what is in your krb5.conf

Restart samba services after the changes in smb.conf

Linux Winbind – Linux Nested Groups with Winbind

Looks like it is a very specific issue inside our AD setup, "Read group membership" is checked for authenticated users for users it currently works and unchecked for those it doesn't. Adding this right fixes the issue (though winbind takes a substantial amount of time to pick up on the change).

security panel

Best Answer

Related Solutions

Samba: AD authentication for local users

Linux Winbind – Linux Nested Groups with Winbind

Related Topic