[Samba] Member server - domain shows as "Unix User" on ACLs

Bill Cameron billcamer at gmail.com
Fri Dec 22 20:19:00 GMT 2006


This is the environment:

PDC - samba 3.0.14a (Debian Sarge)
	passdb backend = ldapsam

Member server - Win2003
	Joined domain and this one works correctly

Member server - samba 3.0.23d (Debian Etch)
	Joined domain and this one displays the domain as "Unix User" or "Unix 
Group" when looking on the security tab on a WinXP machine that has 
logged into the domain and is accessing a share on the member server. A 
linux client using smbcacls also shows the domain as "Unix User"/"Unix 

Authentication works fine and I can access shares on the samba member 
server. If I add 'hide unreadable = yes' to the [Data] share then I am 
no longer able to see any files or directories on the share and I can't 
access a directory I have access to. NSS/PAM are configured and are 
working correctly. No user accounts are created locally on the member 

Winbind - Winbind isn't running on the PDC. I've tried it without 
winbindd on the member server, winbindd running as 'netlogon proxy only' 
on the member server and full winbindd with it creating idmap entries in 
ldap. The Win2003 server works fine without the idmap entries in ldap so 
I'm assuming samba should be able to work without idmap entries and 
winbindd running as 'netlogon proxy only' on the member server. wbinfo 
-t (-u & -g) all work correctly displaying the domain users and groups 
on the member server.

'Samba-3 by Example' in the 'Adding Domain Member Servers and Clients' 
chapter makes it sound like you don't need to use winbindd since the 
information is in ldap and we aren't using any foreign domains.

Samba release notes for 3.0.23b say:
"If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership." which seems to indicate I need winbindd.


1. Do I need winbindd?
2. If I do need winbindd is 'netlogon proxy only' enough? Remember - the 
Win2003 member server is working fine without any idmap entries in ldap.
3. How do I get the users to be seen as Domain users and not as local 
unix users?

smb.conf on the member server (section headers restored; the share section is
the [Data] share referred to above):
[global]
         unix charset = LOCALE
         workgroup = MYDOMAIN
         server string = %h
         security = DOMAIN
         log level = 2
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         name resolve order = wins host bcast
         wins server =
         ldap admin dn = cn=samba,ou=dsa,dc=domain,dc=ca
         ldap group suffix = ou=groups
         ldap idmap suffix = ou=idmap
         ldap machine suffix = ou=computers
         ldap suffix = dc=domain, dc=ca
         ldap user suffix = ou=people
         panic action = /usr/share/samba/panic-action %d
         idmap backend = ldap:ldap://main.domain.ca

[Data]
         comment = Data share
         path = /srv
         read only = No
         create mask = 0660
         directory mask = 02770

Some log entries:
  log.wb-mydomain - seen when winbindd is first started
[2006/12/22 10:38:33, 2] libsmb/namequery.c:name_query(577)
   Got a positive name query response from ( )
[2006/12/22 10:38:33, 1] 
   cli_pipe_validate_current_pdu: RPC fault code 
DCERPC_FAULT_OP_RNG_ERROR received from remote machine PDC pipe \lsarpc 
fnum 0x749e!

  log.computername - seen when a client computer connects to the share 
on the member server.
[2006/12/22 10:39:47, 2] auth/auth.c:check_ntlm_password(309)
   check_ntlm_password:  authentication for user [user1] -> [user1] -> 
[user1] succeeded
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_administrators(785)
   create_builtin_administrators: Failed to create Administrators
[2006/12/22 10:39:47, 2] auth/auth_util.c:create_local_nt_token(899)
   create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_users(751)
   create_builtin_users: Failed to create Users
[2006/12/22 10:39:48, 2] smbd/reply.c:reply_tcon_and_X(711)
   Serving IPC$ as a Dfs root
[2006/12/22 10:39:48, 1] smbd/service.c:make_connection_snum(950)
   computername ( connect to service Data initially as user 
user1 (uid=2001, gid=2001) (pid 8649)
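
The "Unix User"/"Unix Group" symptom above comes from the SID authority Samba
assigns to uids and gids it cannot map to a domain SID: S-1-22-1-<uid> is
"Unix User" and S-1-22-2-<gid> is "Unix Group", whereas domain accounts carry
the domain's S-1-5-21-x-y-z prefix and BUILTIN aliases carry S-1-5-32. The
following script, added here as a diagnostic example and not part of the
original post or of Samba, parses the numeric security descriptor that
smbcacls prints and reports which principals fell back to the Unix
pseudo-domain. The sample descriptor and the domain SID are constructed
(modelled on the uid/gid 2001 seen in the log), not captured output.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): classify the SIDs
# in a security descriptor returned by a Samba member server.
#
# SID prefixes used below:
#   S-1-22-1-<uid>         "Unix User"  (local uid, no domain mapping)
#   S-1-22-2-<gid>         "Unix Group" (local gid, no domain mapping)
#   S-1-5-32-<rid>         BUILTIN (Administrators = 544, Users = 545)
#   S-1-5-21-x-y-z-<rid>   an account in some domain or on some machine; it is
#                          a domain account only when x-y-z is the domain SID

# classify_sid SID DOMAIN_SID -> UNIX_USER|UNIX_GROUP|BUILTIN|DOMAIN|OTHER_MACHINE|OTHER
classify_sid() {
    sid=$1
    domain=$2
    case "$sid" in
        S-1-22-1-*)  echo UNIX_USER ;;
        S-1-22-2-*)  echo UNIX_GROUP ;;
        S-1-5-32-*)  echo BUILTIN ;;
        "$domain"-*) echo DOMAIN ;;
        S-1-5-21-*)  echo OTHER_MACHINE ;;
        *)           echo OTHER ;;
    esac
}

# sid_of LINE -> the SID carried by an OWNER:, GROUP: or ACL: line of
# `smbcacls --numeric` output; prints nothing for any other line.
sid_of() {
    case "$1" in
        OWNER:*|GROUP:*|ACL:*) ;;
        *) return 0 ;;
    esac
    sid=${1#*:}            # drop the "KIND:" prefix
    echo "${sid%%:*}"      # ACL lines continue with ":type/flags/mask"
}

# list_principals DOMAIN_SID < smbcacls-output
# Emits "<kind> <sid> <class>" for every principal in the descriptor.
list_principals() {
    while IFS= read -r line; do
        sid=$(sid_of "$line")
        [ -n "$sid" ] || continue
        echo "${line%%:*} $sid $(classify_sid "$sid" "$1")"
    done
}

# count_unix_entries DOMAIN_SID < smbcacls-output
# Number of principals that fell back to Unix User / Unix Group. For a file
# owned by domain accounts on a correctly mapped member server this is 0.
count_unix_entries() {
    n=0
    while IFS= read -r line; do
        sid=$(sid_of "$line")
        [ -n "$sid" ] || continue
        case "$(classify_sid "$sid" "$1")" in
            UNIX_USER|UNIX_GROUP) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample (assumption): what `smbcacls --numeric //member/Data f`
# would print for a file owned by uid/gid 2001 when the member server cannot
# map them to domain SIDs, plus one BUILTIN and one domain ACE for contrast.
DOMAIN_SID='S-1-5-21-1234567890-234567890-345678901'
SAMPLE_SD='REVISION:1
CONTROL:SR|DP
OWNER:S-1-22-1-2001
GROUP:S-1-22-2-2001
ACL:S-1-22-1-2001:0/0/0x001f01ff
ACL:S-1-22-2-2001:0/0/0x001201bf
ACL:S-1-5-32-544:0/0/0x001f01ff
ACL:S-1-5-21-1234567890-234567890-345678901-1105:0/0/0x001200a9'

printf '%s\n' "$SAMPLE_SD" | list_principals "$DOMAIN_SID"
printf 'unix-domain principals: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SD" | count_unix_entries "$DOMAIN_SID")"
```

On a live member server, feed it real data: take the domain SID from
`wbinfo -D MYDOMAIN` or `net getdomainsid`, then pipe
`smbcacls --numeric //member/Data <file> -U user1` into
`count_unix_entries`. Any OWNER or ACL entry that classifies as UNIX_USER or
UNIX_GROUP is a uid/gid the server could not resolve to a domain SID, which is
exactly the case where Windows clients render the principal as "Unix User";
`wbinfo -S <sid>` / `wbinfo -s <sid>` on the same SIDs show what winbindd
itself can and cannot map.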