A potential issue to be aware of in Likewise-Samba integration projects

[Richard Sharpe]

Hi folks,

I have recently come across a problem relating to projects that run
Samba for file and print services and replace Winbind with Likewise
Open or Likewise Enterprise.

Likewise has a Samba integration command that allows their
authentication piece to be used instead of Winbindd.

It seems, however, and I am waiting on confirmation from someone in
Likewise, that when you join a domain using the Likewise
domainjoin-cli, they do not add entries to the group map database for
BUILTIN\Administrators and BUILTIN\Users. This has consequences when
certain applications place SDs on directories when they use those
BUILTIN groups and expect things to work.

However, because those groups/aliases and their contents do not exist,
certain file accesses (eg, creation) fails.

If it is indeed true that Likewise has that behavior, there is a work around.

Use the Likewise lsa tool to extract the SIDs of the relevant domain
groups after you have joined an AD domain and add them to the group
mapping file manually before you start smbd.

I cannot currently provide the commands I used, but should be able to
do so in a couple of days.

-- 
Regards,
Richard Sharpe