AW: [Samba] samba and BUILTIN groups

Jörg Horchler joerg.horchler at coremedia.com
Tue Sep 5 11:52:15 GMT 2006 

Curious - I found the problem: 

Our old server runs with 'valid users = @<GROUP>' for all shares. This
syntax works. 

I ran smb with log level 10 on the new server and saw that it tries to
find the group 'Unix Group\<GROUP>'. After changing the parameter to
'valid users = @<DOMAIN>\<GROUP>' in our smb.conf it works!

Is this a new behaviour?

Am Freitag, den 25.08.2006, 12:04 +0200 schrieb Horchler, Joerg:
> Hi Jerry, 
>  
> just a question to what I don't understand: I think on both servers nested groups work correct (for example: I'm member of the group "sysop" which has no unix ID. The group "sysop" itself is member of the group "admin" which has the unix gid 500 in our Active Directory. When I type "id -a jhorchle" then I can see that I'm in the group 'admin'. This is the correct behaviour isn't it?)
> So our idmap backend is 'ad' but nested groups are working. 
>  
> I will check krb5 to see whether this works. 
>  
> Cheers 
> Jörg
> 
> ________________________________
> 
> Von: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Gesendet: Mo 21.08.2006 23:12
> An: Horchler, Joerg
> Cc: samba at lists.samba.org
> Betreff: Re: [Samba] samba and BUILTIN groups
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jörg Horchler wrote:
> 
> > 'winbind nss info' from 'sfu' to 'rfc2307' everything
> > worked as expected in the first look. Winbind resolved
> > our Windows-Users and groups correct. (wbinfo and
> > getent work perfect!)
> >
> > But when I try to connect to a share on the server
> > I get the following error:
> >
> > [2006/08/18 15:22:19, 0] auth/auth_util.c:create_local_nt_token(903)
> >   create_local_nt_token: Failed to create BUILTIN\Administrators group!
> 
> 
> There's a limitation that nested groups can only work
> if you have a allocating idmap backend (tdb or ldap).
> Please file a bug to help me track this.
> 
> But this is not causing the authentication failure you
> are seeing.  CHeck your Krb5 client install to track that
> down.
> 
> 
> 
> 
> 
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org <http://www.samba.org/> 
> Centeris                         -----------  http://www.centeris.com <http://www.centeris.com/> 
> "What man is a man who does not make the world better?"      --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org <http://enigmail.mozdev.org/> 
> 
> iD8DBQFE6iHIIR7qMdg1EfYRAhZYAKCMhndL75xhpItANgoBlSo7fhcOSQCeLBj/
> DtikkPKI3p8yLUTU8fuHWRo=
> =ASuu
> -----END PGP SIGNATURE-----
> 
>

More information about the samba mailing list