[Samba] Problem with local groups as AD member

Wed Feb 21 19:32:52 GMT 2007

OK, I think I'm close to having my Samba server working like I want it
as an AD member of our Windows AD (lab configuration at this time). Just
have a few questions about getting the member server to do what I want,
specifically, getting local groups to work. From what I've read I think
this should be possible but not sure...I would like to have a local
group on the Samba server called  "DesktopSupport" and, then be able to
add groups from the AD domain to this group. Basically, the Samba server
groups "DesktopSupport" would contain AD groups "ClaimsDesktop",
"StaffDesktop", HRDesktop etc.

Running FC6 with the latest Samba 3.0.24. Join to the domain is successful.

  Not much in smb.conf but I'm trying to use a minimum amount of entries
to make troubleshooting easier. getent group/password seems to work fine
showing both BUILTIN groups and all domain groups and users from the AD
domain.

[global]
    workgroup = MISSING
    realm = MISSING.LOCAL
    netbios name = samba01
    preferred master = no
    server string = AD Samba Test
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    winbind enum users = Yes
    winbind enum groups = Yes
winbind nested groups = Yes
    idmap uid = 10000-200000
    idmap gid = 10000-200000

[images]
    comment = Desktop Image Storage
    path = /images
    read only = no
    public = yes

MISSING\domain computers:x:10002:
MISSING\domain controllers:x:10003:
MISSING\schema admins:x:10004:MISSING\administrator
MISSING\enterprise admins:x:10005:MISSING\administrator
MISSING\domain admins:x:10006:MISSING\administrator
MISSING\domain users:x:10007:
MISSING\domain guests:x:10008:
MISSING\group policy creator owners:x:10009:MISSING\administrator
MISSING\dnsupdateproxy:x:10010:
MISSING\desktoptest:x:10011:MISSING\techuser01
BUILTIN\administrators:x:10000:MISSING\administrator
BUILTIN\users:x:10001:

So after saying all of that, I'm having trouble creating a local group,
local to the samba server. I'm getting the following error.

[root at samba01 samba]# net rpc group add "DesktopSupport" -L -UAdministrator
Password:
add alias failed: NT_STATUS_ACCESS_DENIED

 From what I can tell, The "MISSING\Domain Admins" group is a  member of
the Samba group, "BUILTIN\Administrators" and that group appears to have
all privs assigned to it. But I'm not sure at this point if I need to
configure any groupmaps or local users on the Samba erver even though
I'm using AD authentication. I'm pretty much stumped here but  I have a
feeling I'm missing something obvious.

I am able to connect to the share and add files/directories and apply
ACLs to them from a Windows box so the important part appears to be
working fine. I don't HAVE to have the local groups but if it's possible
to use them, it would make administration easier.

Any advice is appreciated.

Mark