[Samba] samba and winbind issues

Wieprecht, Karen M. Karen.Wieprecht at jhuapl.edu
Mon Oct 28 16:13:01 GMT 2002

Are you talking about access rights (like write list = @group) ?

I found a few interesting things with groups and security=domain with

1.  the @group syntax applies to the UNIX group names.  To give access to an
NT group,  you need to use something like this:

	write list = @"WALNETNT_Domain Users" 

2.  If I specified an NT user,  it seemed that I had to prefix it with the
domain name and my winbind separator to get it to work correctly

	write list = WALNETNT_jmacs

3. If you want to grant access to more than one user/group, separate the
entries with commas:
	write list = WALNETNT_jmacs, @"WALNETNT_Domain Users" 

4. If you are using a username map file to make the user's UID assignment
match when he accesses files from either side,  it seems to cause his
membership to other NT groups to go un-noticed.  

	Example:  I had a read-only share that was writable by
@"WALNETNT_Domain Users" ,  but user karen  (NT) was being assigned the UNIX
"karen" account UID and GID by the username mapping mechanism,  and was no
longer recognized as a member of the NT Domain Users group ...   I was going
to play with adding other UNIX groups to the write list to see if I could
fix this problem.

Hope this answers your question.  

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain at rbinc.com] 
Sent: Friday, October 25, 2002 5:22 PM
To: 'Wieprecht, Karen M.'
Subject: RE: [Samba] samba and winbind issues

Thanks for the email.  I finally got samba to work but now I am having
issues with groups.  When I do a groups jfountain, I get domain admins but
no other groups.  When I do a groups user1, I get nothing - and the user is
in a couple groups.

Any thoughts or ideas? What am I missing?

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht at jhuapl.edu]
Sent: Thursday, October 24, 2002 9:04 AM
To: 'Jennifer Fountain'; 'samba at lists.samba.org'
Subject: RE: [Samba] samba and winbind issues

1. Run ~samba/bin/wbinfo -u and make sure you are actually talking to your
domain controller

2. Do you have winbind entries in your nsswitch.conf file?  Have you made
your system re-read this info (the command is "nsadmin restart" on irix,
don't know about other platforms).  

3. The windows box isn't caching any old login data is it?   (I've had
problems testing samba configuration changes because windows 2000 caches
some of the login stuff ... I'm not great on windows admin, don't know how
to force the cache to clear without a reboot,  so I've had to reboot the
windows client to test...)

4. One of the samba guys said that the winbind use default domain parameter
might not do what I originally hoped (help me match NT username with UNIX
username without having to use a username map).  Recent tests seem to show
that my UIDs only match if I turn that parameter off and use a username
map.  Of course,  testing has been very frustrating because I keep fighting
with windows caching ...  Have you tried using a username map?  

	Karen Wieprecht

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain at rbinc.com] 
Sent: Wednesday, October 23, 2002 9:39 AM
To: samba at lists.samba.org
Subject: [Samba] samba and winbind issues

I know winbind (I think) is working fine. I can log into a unix box with my
NT userid but when I try to access shares on my samba server, I get these:

 [2002/10/23 08:47:01, 0] lib/util_sec.c:(111)
  Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0)
[2002/10/23 08:47:01, 0] lib/util.c:(1092)
  PANIC: failed to set gid

[2002/10/23 09:17:08, 0] lib/util_sec.c:(111)
  Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0)
[2002/10/23 09:17:08, 0] lib/util.c:(1092)
  PANIC: failed to set gid

log.smbd: END

Here is a copy of my smb.conf


# Samba config file created using SWAT
# from ws09573.rb.net (
# Date: 2002/10/23 08:16:35

# Global parameters
	workgroup = domain1
	netbios name = ARES
	server string = ARES_SAMBA
	interfaces = lan4
	bind interfaces only = Yes
	security = DOMAIN
	encrypt passwords = Yes
	password server = dc1
	wins server =
	winbind uid = 40000-49999
	winbind gid = 50000-59999
	template shell = /usr/bin/ksh
	winbind use default domain = Yes

	path = /tmp/jfountain
	username = jfountain
	valid users = jfountain
	admin users = domain admins
	read only = No

What am I doing wrong?

Any info would be greatly appreciated!
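
Added example, not part of the original thread: a Python sketch that audits a "write list" value along the lines of points 1 to 3 in the reply at the top (quoting names that contain spaces, and prefixing NT names with the domain and winbind separator). The known-name sets are constructed samples standing in for what wbinfo -u / -g would report, the splitting rules are an approximation of Samba's list parsing, and audit_write_list / split_list are hypothetical helper names.

```python
import shlex

DOMAIN = "WALNETNT"   # domain name from the post
SEP = "_"             # the poster's winbind separator (Samba's default is "\")

# Constructed sample of names as winbind would report them (wbinfo -u / -g).
KNOWN_USERS = {"WALNETNT_jmacs", "WALNETNT_karen"}
KNOWN_GROUPS = {"WALNETNT_Domain Users", "WALNETNT_Domain Admins"}


def split_list(value):
    """Approximate smb.conf list splitting: whitespace, ',' and ';' separate
    entries, and double quotes keep a name containing spaces in one piece."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ",;"
    lex.whitespace_split = True
    lex.commenters = ""   # '#' is not a comment inside a value
    lex.escape = ""       # keep '\' literal so DOMAIN\user survives
    lex.quotes = '"'
    return list(lex)


def audit_write_list(value, users=KNOWN_USERS, groups=KNOWN_GROUPS):
    """Return (entry, kind, finding) for every entry in a write list value."""
    report = []
    for entry in split_list(value):
        is_group = entry.startswith(("@", "+", "&"))  # smb.conf group prefixes
        name = entry.lstrip("@+&")
        kind = "group" if is_group else "user"
        if not name.startswith(DOMAIN + SEP):
            finding = "no domain prefix"
        elif name in (groups if is_group else users):
            finding = "ok"
        else:
            finding = "unknown domain name: check quoting and spelling"
        report.append((entry, kind, finding))
    return report


if __name__ == "__main__":
    for line in ('WALNETNT_jmacs, @"WALNETNT_Domain Users"',  # from the post
                 'WALNETNT_jmacs, @WALNETNT_Domain Users',    # quotes dropped
                 'jmacs'):                                     # prefix dropped
        for row in audit_write_list(line):
            print(row)
```

With the quotes dropped, the group name splits into two entries, and the stray "Users" becomes a separate user entry on the write list rather than part of the group name.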