AW: [Samba] samba and BUILTIN groups

Horchler, Joerg joerg.horchler at
Fri Aug 25 10:04:35 GMT 2006

Hi Jerry, 
just a question to what I don't understand: I think on both servers nested groups work correct (for example: I'm member of the group "sysop" which has no unix ID. The group "sysop" itself is member of the group "admin" which has the unix gid 500 in our Active Directory. When I type "id -a jhorchle" then I can see that I'm in the group 'admin'. This is the correct behaviour isn't it?)
So our idmap backend is 'ad' but nested groups are working. 
I will check krb5 to see whether this works. 


Von: Gerald (Jerry) Carter [mailto:jerry at]
Gesendet: Mo 21.08.2006 23:12
An: Horchler, Joerg
Cc: samba at
Betreff: Re: [Samba] samba and BUILTIN groups

Hash: SHA1

Jörg Horchler wrote:

> 'winbind nss info' from 'sfu' to 'rfc2307' everything
> worked as expected in the first look. Winbind resolved
> our Windows-Users and groups correct. (wbinfo and
> getent work perfect!)
> But when I try to connect to a share on the server
> I get the following error:
> [2006/08/18 15:22:19, 0] auth/auth_util.c:create_local_nt_token(903)
>   create_local_nt_token: Failed to create BUILTIN\Administrators group!

There's a limitation that nested groups can only work
if you have a allocating idmap backend (tdb or ldap).
Please file a bug to help me track this.

But this is not causing the authentication failure you
are seeing.  CHeck your Krb5 client install to track that

cheers, jerry
Samba                                    ------- <> 
Centeris                         ----------- <> 
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - <> 


More information about the samba mailing list