[Samba] winbind problem

Whit Blauvelt whit+samba at transpect.com
Sun Feb 17 02:09:10 GMT 2008

I'm trying to do an ADS share. With a sane nsswitch.conf, that is, with these settings:

passwd:         compat winbind
group:          compat winbind

I get this as the result:

# smbclient //no3/ftp  -Uwhit
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
tree connect failed: NT_STATUS_ACCESS_DENIED

Yet with an insane nsswitch.conf, that is, with these settings:

passwd:         winbind
group:          winbind

I get a valid connection:

# smbclient //no3/ftp  -Uwhit
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
smb: \> quit

So what's going on? It makes no difference if 'whit' is a UNIX user or not
in this. The ADS part of the login goes through either way. But with
'compat' there (or 'files') it runs through a bunch of extra stuff that
shows in the log for the connection, beginning with:

[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [ABC]\[whit]@[FTP] with the new password interface
[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [ABC]\[whit]@[FTP]

and including:

[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [whit] succeeded


[2008/02/16 20:31:58, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [whit] -> [whit] -> [whit] succeeded


[2008/02/16 20:31:58, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2008/02/16 20:31:58, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2008/02/16 20:31:58, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!

and the same for BUILTIN\users and lots of other stuff up to:

[2008/02/16 20:31:58, 2] smbd/service.c:make_connection_snum(616)
  user 'whit' (from session setup) not permitted to access this share (FTP)
[2008/02/16 20:31:58, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Now, I'm not wanting any of whatever winbind is doing here beyond
authenticating against the ADS for the SMB shares on the Linux box. There
are no home directories desired for the SMB users, just the shared shares,
and no sort of login to the box for them outside of Samba. 

So what do I do to turn off this crap that looks like it must have to do
with home directories and mapping the UNIX accounts (I'm guessing), that
winbind does only if nsswitch gives it access to 'compat' or 'files,' and
that denies users access to shares that without all this garbage they can
get to just fine? Pardon my English.
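
The log excerpts quoted in the message above show authentication succeeding while the later share access check fails. As an added example (not part of the original post and not Samba project code), the following Python parses those excerpts and reports the two outcomes separately; the function names and result keys are assumptions made for this illustration.

```python
import re
# Log excerpts copied from the post above (Samba 3.0.26a, debug level 3).
SAMPLE_LOG = r"""[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [whit] succeeded
[2008/02/16 20:31:58, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [whit] -> [whit] -> [whit] succeeded
[2008/02/16 20:31:58, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2008/02/16 20:31:58, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2008/02/16 20:31:58, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2008/02/16 20:31:58, 2] smbd/service.c:make_connection_snum(616)
  user 'whit' (from session setup) not permitted to access this share (FTP)
"""

# Header: "[timestamp, level] source_file:function(line)"; message lines follow it.
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$")

def parse_events(text):
    """Group each header line with the indented message lines that follow it."""
    events = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            events.append({"ts": m.group(1), "level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif events and raw.strip():
            events[-1]["msg"] = (events[-1]["msg"] + " " + raw.strip()).strip()
    return events

def triage(events):
    """Separate authentication, token-building and share-access outcomes."""
    out = {"authenticated": set(), "token_failures": [], "share_denied": []}
    for e in events:
        msg = e["msg"]
        if e["func"] == "check_ntlm_password" and msg.endswith("succeeded"):
            out["authenticated"].update(re.findall(r"user \[([^\]]+)\]", msg))
        elif "Could not get a gid" in msg or "Failed to create" in msg:
            out["token_failures"].append(e["func"])
        elif e["func"] == "make_connection_snum":
            m = re.search(r"user '([^']+)'.*not permitted to access this share \(([^)]+)\)", msg)
            if m:
                out["share_denied"].append(m.groups())
    return out

def authenticated_but_denied(result):
    # Users whose password check passed but whose tree connect was refused.
    return [(u, s) for u, s in result["share_denied"] if u in result["authenticated"]]
```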

