Basic Samba-Active Directory troubleshooting using wbinfo

This document is intended to step you through some of the basics of troubleshooting samba connectivity with your domain controller, using wbinfo.   This is not intended to show you how to configure Samba to talk to your domain controller.  Others have done a much better job that I can.

winbind must be running in order for wbinfo to work, and you need to be connected to your domain.

wbinfo -p
Ping to winbindd succeeded on fd 4

A simple ping test to see if your DC is alive

wbinfo -t
checking the trust secret via RPC calls succeeded

Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working. This is a good first step to make sure you can talk to your DC

wbinfo -u

This will list your domain users. Make sure the users you expect are there

wbinfo -a greg.cain%password

This is an easy way to check that your user can authenticate against the domain. However, I’d recommend against using it since it will show your password on the command line, in your history, and in the ps command if it’s executed at the right time (there are many other reasons, but those should be enough to dissuade you.) Use a dummy account if possible.

wbinfo -g

Show a list of domain groups. Again, make sure the groups you expect are present.

wbinfo -n greg.cain
S-1-5-21-XXXX789314-3545391909-2802175779-XXXX User (1)

This will get you the SID for the user you’ve specified (greg.cain in this case.)

wbinfo -s S-1-5-21-XXXX789314-3545391909-2802175779-XXXX
DOMAIN\greg.cain

Using the SID you just returned, let’s make sure the reverse mappings are correct.

wbinfo -r greg.cain
16XXX216
16XXX217
....

This will show a list of groups that the user greg.cain belongs to.

wbinfo -G 16XXX217
S-1-5-21-1540789314-3545391909-2802175779-YYY

This converts the GID to the SID.

wbinfo -Y S-1-5-21-1540789314-3545391909-2802175779-YYY
16XXX217

This is the reverse mapping of the SID to the GID