[Samba] NT doesn't like that ... primary gid of user [info] is not a Domain group

Alex linuxro at online.ie
Wed Feb 8 10:11:29 GMT 2006


Hello all,

Sorry for my long post, but this is a very urgent situation (it is required to 
configure 3 PDCs in less than 4 hours) and I do not have enough time to read and 
experiment, so I am posting my problem here. Please read the entire message (it is 
a little bit long).

I already have one PDC using samba-3.0.10-1.4E.2 (on RHEL4) which is working 
fine with Windows 9x and XP clients, except for one thing. This message appears 
in smbd.log all the time:

[2006/02/07 12:00:17, 1] rpc_server/srv_util.c:get_domain_user_groups(298)
  get_domain_user_groups: primary gid of user [info] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that

OBS: User [info] is coming from an XP station already joined to the domain.

Googling, I found a partial explanation here:
http://www-jerry.oit.duke.edu/linux/docs/samba/mapping_nt_groups_to_unix_groups.html

On this PDC server, the smb users have been created as follows:
useradd info
useradd grig

groupadd -g 1002 winusers

after that I added info and grig to the winusers group
# cat /etc/group|grep win
winusers:x:1002:info,grig

id info
uid=501(info) gid=501(info) groups=501(info),1002(winusers)
id grig
uid=502(grig) gid=502(grig) groups=502(grig),1002(winusers)

first, I added the unix root account to samba
smbpasswd -a root

and after that, regular users
smbpasswd -a info
smbpasswd -a grig

so now, with this configuration, after each station has been joined to my 
domain, I get the above error when user [info] is logged in.

net groupmap list shows the following output:

# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3853285721-4159745161-3213124769-512) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3853285721-4159745161-3213124769-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-4124161332-916733439-2715427237-513) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-4124161332-916733439-2715427237-512) -> -1
Domain Guests (S-1-5-21-4124161332-916733439-2715427237-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3853285721-4159745161-3213124769-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Now, I tried to map the winusers group to the PDC Domain Users group:

net groupmap add ntgroup="Domain Users" unixgroup="winusers"
No rid or sid specified, choosing algorithmic mapping
Successully added group Domain Users to the mapping db

[root@lfs ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3853285721-4159745161-3213124769-512) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3853285721-4159745161-3213124769-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-4124161332-916733439-2715427237-513) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-4124161332-916733439-2715427237-512) -> -1
Domain Guests (S-1-5-21-4124161332-916733439-2715427237-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3853285721-4159745161-3213124769-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-4124161332-916733439-2715427237-2005) -> winusers

NO LUCK... the message still persists in the logs...

In this case, I configured another computer as PDC with the following changes:

groupadd -g 1002 winusers

#here each user has been created with default group winusers
useradd -g 1002 info
useradd -g 1002 grig

# cat /etc/group|grep win
winusers:x:1002:

id info
uid=502(info) gid=1002(winusers) groups=1002(winusers)
id grig
uid=502(grig) gid=1002(winusers) groups=1002(winusers)

smbpasswd -a root
smbpasswd -a info
smbpasswd -a grig

NOW, the error message does NOT APPEAR in smbd.log BUT.... the findsmb perl script 
(started on the PDC) doesn't find any networked station (all are Windows XP 
clients), just the linux PDC.

This symptom does not affect all my Windows stations, which can see and browse 
the network and access shares on the PDC.

NOTE: for NetBIOS name resolution I am using another samba acting as WINS 
server, located remotely in another network.

On the incriminated PDC, I have these lines in smb.conf:

os level = 65
domain master = Yes
local master = Yes
preferred master = Yes
dns proxy = No
name resolve order = bcast wins
wins server = 10.0.0.111
remote announce = 10.0.0.13/NumeWorkGroup
remote browse sync = 10.0.0.13

CAN ANYBODY HELP ME TO FIX THIS UNPLEASANT BEHAVIOR?

WHICH ONE IS THE CORRECT WAY: users with the same group (GID) or users with 
unique group (GID) on creation time?

Thanks in advance.

Alex
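
An added example, not part of the original post: a small check that reads `net groupmap list` and `id` output and reports whether a user's primary Unix group is mapped to any NT group, which is the condition the smbd.log warning names. The sample lines are copied from the post; applying the same mapping table to both `id` lines is an assumption, and all function names are hypothetical.

```python
import re

# Lines copied from the post's `net groupmap list` and `id` output (abbreviated).
GROUPMAP = """\
Domain Users (S-1-5-21-4124161332-916733439-2715427237-513) -> -1
Domain Users (S-1-5-21-3853285721-4159745161-3213124769-513) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-4124161332-916733439-2715427237-2005) -> winusers
"""
ID_FIRST_PDC = "uid=501(info) gid=501(info) groups=501(info),1002(winusers)"
ID_SECOND_PDC = "uid=502(info) gid=1002(winusers) groups=1002(winusers)"

MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")
ID_RE = re.compile(r"^uid=\d+\((?P<user>[^)]+)\) gid=\d+\((?P<group>[^)]+)\)")


def parse_groupmap(text):
    """Return (nt_group, sid, unix_group) tuples; unix_group is None for -1."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            unix = None if m["unix"] == "-1" else m["unix"]
            rows.append((m["nt"], m["sid"], unix))
    return rows


def domain_sids(rows):
    """Distinct S-1-5-21-... domain prefixes (the SID without its final RID)."""
    return {sid.rsplit("-", 1)[0] for _, sid, _ in rows
            if sid.startswith("S-1-5-21-")}


def primary_group_mapping(id_line, rows):
    """Return (user, primary_group, [(nt_group, sid), ...]) for one `id` line."""
    m = ID_RE.match(id_line)
    if not m:
        raise ValueError("not `id` output: %r" % id_line)
    hits = [(nt, sid) for nt, sid, unix in rows if unix == m["group"]]
    return m["user"], m["group"], hits


if __name__ == "__main__":
    rows = parse_groupmap(GROUPMAP)
    # Assumption: the same mapping table is used for both `id` lines.
    print("domain SIDs in mapping db:", sorted(domain_sids(rows)))
    for line in (ID_FIRST_PDC, ID_SECOND_PDC):
        user, group, hits = primary_group_mapping(line, rows)
        print(user, group, hits or "primary group has no NT group mapping")
```

On the post's data this shows the first setup's primary group `info` with no mapping, the second setup's `winusers` mapped to the "Domain Users" entry with RID 2005, and two different domain SIDs present in the mapping table.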

