winbind must be running in order for wbinfo to work, and you need to be connected to your domain.

wbinfo -p
Ping to winbindd succeeded on fd 4

A simple ping test to see if your DC is alive

wbinfo -t
checking the trust secret via RPC calls succeeded

Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working. This is a good first step to make sure you can talk to your DC

wbinfo -u

This will list your domain users. Make sure the users you expect are there

wbinfo -a greg.cain%password

This is an easy way to check that your user can authenticate against the domain. However, I’d recommend against using it since it will show your password on the command line, in your history, and in the ps command if it’s executed at the right time (there are many other reasons, but those should be enough to dissuade you.) Use a dummy account if possible.

wbinfo -g

Show a list of domain groups. Again, make sure the groups you expect are present.

wbinfo -n greg.cain
S-1-5-21-XXXX789314-3545391909-2802175779-XXXX User (1)

This will get you the SID for the user you’ve specified (greg.cain in this case.)

wbinfo -s S-1-5-21-XXXX789314-3545391909-2802175779-XXXX
DOMAIN\greg.cain

Using the SID you just returned, let’s make sure the reverse mappings are correct.

wbinfo -r greg.cain
16XXX216
16XXX217
....

This will show a list of groups that the user greg.cain belongs to.

wbinfo -G 16XXX217
S-1-5-21-1540789314-3545391909-2802175779-YYY

This converts the GID to the SID.

wbinfo -Y S-1-5-21-1540789314-3545391909-2802175779-YYY
16XXX217

This is the reverse mapping of the SID to the GID

I use TextWrangler for all my limited coding needs. You should (emphasis on should) be able to do this for any other editor you want. This is what I had to do.

Edit /Applications/TextWrangler.app/Contents/Info.plist. Towards the top you’ll see a bunch of file extensions. I added vbs to the list.

<string>text</string>
<string>txt</string>
<string>vbs</string>
<string>wml</string>
<string>WML</string>


In the same file, but before the very last</dict>
</plist>
Add

<key>UTExportedTypeDeclarations</key>
<array>
<dict>
<key>UTTypeConformsTo</key>
<array>
<string>public.text</string>
<string>public.plain-text</string>
</array>
<key>UTTypeDescription</key>
<string>Microsoft Visual Basic</string>
<key>UTTypeIdentifier</key>
<string>com.macromates.textmate</string>
<key>UTTypeTagSpecification</key>
<dict>
<key>com.apple.ostype</key>
<string>TEXT</string>
<key>public.filename-extension</key>
<array>
<string>vbs</string>
</array>
</dict>
</dict>
</array>

And then

touch /Applications/TextWrangler.app

The Windows clients will need to be configured to point to the Domain Controllers (DC’s.) If you’ve never installed any non-Microsoft utilities, you should be OK by just making sure Windows Time is running. However, if it is not running, or something has broken time, these are steps that will help you fix your problems.

Let’s check to see if Windows Time is running

sc query w32time

You should get a result such as

SERVICE_NAME: w32time
TYPE               : 20  WIN32_SHARE_PROCESS
STATE              : 4  RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

If you don’t, start services.msc and start the service and set it to Automatic

Now let’s make sure that the server is setup correctly. Check to see if the domain server is our time server. Note the “:” is part of the command.

C:\WINDOWS>nltest /dsgetdc:

Look for the flag “TIMESERV.” This indicates that the Domain Controller is our Time Server.

DC: \\myDomainController.domain.com
Address: \\10.1.99.19
Dom Guid: 9db0908b-8f45-499f-9c20-49905773f553
Dom Name: domain.com
Forest Name: domain.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

Check that the client has the correct information

w32tm /dumpreg /subkey:parameters

The only thing to look for is a Type of NT5DS. That’s the protocol we use to speak to the the Domain Controller. Any other setting is wrong.

Value Name      Value Type          Value Data
-------------------------------------------------
 
ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS

To sync the server with the domain controller.

w32tm /resync /rediscover

You should now be getting in sync. You can see your offset shrinking if you type

w32tm /stripchart /computer:myDomainController /samples:5 /dataonly

psexec @servers.txt net stop wuauserv
psexec @servers.txt reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
psexec @servers.txt net start wuauserv
psexec @servers.txt wuauclt.exe /resetauthorization /detectnow

Please be aware that you can make your system completely unusable if you break the registry. Make sure you have a full backup of your system. If anything goes wrong, you may end up losing all your data and reinstalling Windows. Microsoft says this “… is not supported by Microsoft. Use this method at your own risk.”

Microsoft’s recommendation did not work, but it’s probably worth trying again.

CD %windir%\system32\wbem
For /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
wmiprvse /regserver

I found THIS worked.

cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force
gpresult