[Samba] Unable to Create a LocalGroup, NT_STATUS_ACCESS_DENIED

Tue Sep 16 23:46:08 GMT 2008

I'm getting following response below to the command 'net sam createlocalgroup demo -d 3':

[2008/09/16 16:03:46, 3] param/loadparm.c:lp_load(5065)
  lp_load: refreshing parameters
[2008/09/16 16:03:46, 3] param/loadparm.c:init_globals(1445)
  Initialising global parameters
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/09/16 16:03:46, 3] param/loadparm.c:do_section(3804)
  Processing section "[global]"
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/winbind.conf"
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
[2008/09/16 16:03:46, 2] lib/interface.c:add_interface(81)
  added interface ip=10.1.130.249 bcast=10.1.130.255 nmask=255.255.255.0
[2008/09/16 16:03:46, 3] groupdb/mapping.c:pdb_default_create_alias(464)
  Could not get a gid out of winbind
Creating demo failed with NT_STATUS_ACCESS_DENIED
[2008/09/16 16:03:46, 2] utils/net.c:main(1075)
  return code = -1

I can't seem to find any real solutions to this problem, although I have seen other users with similar posts.  Here's the relevant sections from my smb.conf file:

[global]
server string =
security = ads
workgroup = DOMAIN
realm = DOMAIN.COM
encrypt passwords = yes
os level = 1
local master = no
domain master = no
preferred master = no
dns proxy = no
allow trusted domains = no
restrict anonymous = 2
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 3
admin users = root, Administrator
socket options = TCP_NODELAY IPTOS_LOWDELAY

Here's the relevant stuff from winbind.conf

idmap domains = DOMAIN
idmap config DOMAIN: default = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 1000-20000

winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
template shell = /bin/bash
template homedir = /home/%U

I've also noticed this in my logs whenever smb and winbind are restarted:

nmbd[2065]: [2008/09/16 16:30:12, 0] nmbd/nmbd.c:terminate(68)
nmbd[2065]:   Got SIGTERM: going down...
smbd[2384]: [2008/09/16 16:30:12, 0] smbd/server.c:main(986)
smbd[2384]:   standard input is not a socket, assuming -D option
nmbd[2387]: [2008/09/16 16:30:12, 0] nmbd/nmbd.c:main(752)
nmbd[2387]:   standard input is not a socket, assuming -D option
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_administrators(844)
smbd[2385]:   create_builtin_administrators: Failed to create Administrators
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_users(810)
smbd[2385]:   create_builtin_users: Failed to create Users
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_administrators(844)
smbd[2385]:   create_builtin_administrators: Failed to create Administrators
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_users(810)
smbd[2385]:   create_builtin_users: Failed to create Users
winbindd[2410]: [2008/09/16 16:31:23, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
winbindd[2410]:   initialize_winbindd_cache: clearing cache and re-creating with version number 1

I'm trying to setup nested groups.  I would like to have a local group on my Linux box that contains the members of an AD group as some of its members.  I am running CentOS 5.2 and have used 3.0.28 that comes with it, and have also tried with 3.0.32 provided by SerNet both have produced the same errors.

Any help someone could provide would be much appreciated.

M@

________________________________
Confidentiality Notice: This communication (including any attachments) may contain privileged or confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this communication and/or shred the materials and any attachments and are hereby notified that any disclosure, copying, or distribution of this communication, or the taking of any action based on it, is strictly prohibited.