[Samba] nested groups with ADS does not work?

Vladimir Shved vladimirshved at gmail.com
Tue Jan 16 05:37:41 GMT 2007

Using current samba 3.0.23d package on debian etch. Joined AD,
everything works but
when doing something like:

net rpc group add demo -L

Could not connect to server
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

or when doing:

net rpc group add demo -L -U administrator
add alias failed: NT_STATUS_ACCESS_DENIED

also at the same time log spits this out:
[2007/01/15 22:24:54, 0] auth/auth_util.c:create_builtin_administrators(785)
  create_builtin_administrators: Failed to create Administrators
[2007/01/15 22:24:54, 0] auth/auth_util.c:create_builtin_users(751)
  create_builtin_users: Failed to create Users

I did some mappings, so running this:
net groupmap list
Domain Admins (S-1-5-21-2251837095-2786957548-4043407633-512) -> root
Domain Guests (S-1-5-21-2251837095-2786957548-4043407633-514) -> nogroup
Domain Users (S-1-5-21-2251837095-2786957548-4043407633-513) -> users

I'm not using LDAP, only tdbsam.

wbinfo -m
shows only joined AD domain, should it show domain and local domain too?

Also  when doing
getent group "domain users"
does not list everyone, maybe only one user. Usually after reboot, it
lists everyone but then after awhile the list becomes empty.

Is it even possible to use nested groups(local groups) on samba when
its in the ADS mode? Is it an issue with debian packages? Can anyone

I'm trying to build ADS member file server without hustle of adding
extra groups to AD, and manage permissions by using local groups on


More information about the samba mailing list