[Samba] samba and BUILTIN groups

Jörg Horchler joerg.horchler at coremedia.com
Fri Aug 18 14:36:52 GMT 2006

Hi all, 

yesterday I installed Samba Version 3.0.23b on our new fileserver. We
currently have another fileserver with Samba 3.0.22. 

Our existing fileserver is compiled from source because we patched it to
support Windows 2003 Server R2 active directory schema. (We changed the
OIDs Samba reads from the ADS schema.)

Now we want to replace it with rpm-packages of the new version. We
installed a new fileserver and cloned the smb.conf. After changing
'winbind nss info' from 'sfu' to 'rfc2307' everything worked as expected
at first glance. Winbind resolved our Windows users and groups
correctly. (wbinfo and getent work perfectly!)

But when I try to connect to a share on the server I get the following:

[2006/08/18 15:22:19, 0] auth/auth_util.c:create_local_nt_token(903)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!

And the server prompts me for a username and password. 

My /etc/samba/smb.conf is: 

        workgroup = WORKGROUP
        realm = REALM.COM
        server string = %h
        security = ADS
        auth methods = winbind
        allow trusted domains = No
        lanman auth = No
        log level = all:10
        disable netbios = Yes
        reset on zero vc = Yes
        deadtime = 10
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        wins server = x.x.x.x, x.x.x.x, x.x.x.x
        ldap ssl = no
        idmap backend = ad
        idmap uid = 100-100000
        idmap gid = 100-100000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        read only = No
        acl map full control = No
        inherit acls = Yes
        ea support = Yes
        map acl inherit = Yes
        use sendfile = Yes
        hide special files = Yes
        map readonly = permissions
        strict locking = No
        dos filemode = Yes

This is exactly the same config as for the working server except 

winbind nss info = rfc2307

which is 

winbind nss info = sfu 

on the old server. 

Do I have to create a local group for BUILTIN\Administrators? 

Thanks for your help

