samba - Feb 2013 - Security: ads - "net ads user" works, "wbinfo -u" does not

Hi,

I have Debian Squeeze running Samba being a member of the domain (PDC
and BDC are Windows servers) and it's users are authenticated against
AD using winbind for years.

Now there is a need to setup another virtual Debian box exactly like
that. So the name of the first is STUDENT, I named the virtual
STUDENT2. I'm trying to set up the virtual box exactly the same, using
exactly the same configs (smb.conf, krb5.conf) as on the working box,
but this is what I get:

STUDENT2, I can:
- create kerberos tickets (kinit Administrator at FOO.LOCAL)
- list kerberos tickets (klist)
- join the domain (net ads join -U Administrator)
  Here I get next output:
    Using short domain name -- FOO
    Joined 'STUDENT2' to realm 'FOO.Local'
    DNS update failed!
  But as I understand the last message is not something to worry about.
- (here I start samba, then winbind)

And at this point strange thing happen. I cannot get domain users
using wbinfo (wbinfo -u returns nothing) but I get them all using "net
ads user -U Administrator". Of course, "getent passwd" lists only
local users too.

I believe my winbind is not working properly. Here are the questions:

1). How to effectively debug why wbinfo is acting this way?
2). Could the problem be because of 2 machines conflicting because of
one letter difference (STUDENT vs STUDENT2)?

I can't delete the first box from domain in order to test it as it's
in production.

STUDENT2 details:
- Debian Squeeze up-to-date (6.0.6)
- standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep
^ii
  ii  samba                              2:3.5.6~dfsg-3squeeze9
  ii  samba-common                       2:3.5.6~dfsg-3squeeze9
  ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze9
  ii  winbind                            2:3.5.6~dfsg-3squeeze9
- # wbinfo -p
Ping to winbindd succeeded

PDC and BDCs are running Windows Server 2008 R2.

I can post the configs in case it helps. However I feel like I have
tried all the possible variations of the configs (from so many good
howto's) with no effect at all.

P. S. One more (possibly important) detail. When I was playing with
different configs I sometimes was getting different output from
'wbinfo -u', which looked like this:

STUDENT2+joe
STUDENT2+nobody

This looked very strange to me as my domain is 'FOO.LOCAL', not
'STUDENT2' (the latter is a hostname of the new box) and these 2 users
are local users.

Thanks in advance,

dimir

On 4 February 2013 21:38, Vladimir Levijev <vladimir.levijev at gmail.com>
wrote:
> I have Debian Squeeze running Samba being a member of the domain (PDC
> and BDC are Windows servers) and it's users are authenticated against
> AD using winbind for years.
>
> Now there is a need to setup another virtual Debian box exactly like
> that. So the name of the first is STUDENT, I named the virtual
> STUDENT2. I'm trying to set up the virtual box exactly the same, using
> exactly the same configs (smb.conf, krb5.conf) as on the working box,
> but this is what I get:
>
> STUDENT2, I can:
> - create kerberos tickets (kinit Administrator at FOO.LOCAL)
> - list kerberos tickets (klist)
> - join the domain (net ads join -U Administrator)
>   Here I get next output:
>     Using short domain name -- FOO
>     Joined 'STUDENT2' to realm 'FOO.Local'
>     DNS update failed!
>   But as I understand the last message is not something to worry about.
> - (here I start samba, then winbind)
>
> And at this point strange thing happen. I cannot get domain users
> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
> ads user -U Administrator". Of course, "getent passwd" lists
only
> local users too.
>
> I believe my winbind is not working properly. Here are the questions:
>
> 1). How to effectively debug why wbinfo is acting this way?
> 2). Could the problem be because of 2 machines conflicting because of
> one letter difference (STUDENT vs STUDENT2)?
>
> I can't delete the first box from domain in order to test it as
it's
> in production.
>
> STUDENT2 details:
> - Debian Squeeze up-to-date (6.0.6)
> - standard repo packages: # dpkg -l '*samba*' '*winbind*' |
grep ^ii
>   ii  samba                              2:3.5.6~dfsg-3squeeze9
>   ii  samba-common                       2:3.5.6~dfsg-3squeeze9
>   ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze9
>   ii  winbind                            2:3.5.6~dfsg-3squeeze9
> - # wbinfo -p
> Ping to winbindd succeeded
>
> PDC and BDCs are running Windows Server 2008 R2.
>
> I can post the configs in case it helps. However I feel like I have
> tried all the possible variations of the configs (from so many good
> howto's) with no effect at all.
More info.

STUDENT:
# wbinfo -D foo
Name              : FOO
Alt_Name          : FOO.Local
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native            : Yes
Primary           : Yes

STUDENT2:
# wbinfo -D foo
Name              : FOO
Alt_Name          : FOO.LOCAL
SID               : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native            : No
Primary           : Yes

Firstly, why is Alt_Name different (both boxes have identical configs)
and where does it come from exactly?
And secondly, what do "Active Directory", "Native" and
"Primary" mean?

Cheers,

dimir