[Samba] Problem using local groups when winbind is running

David Mitchell mitchell at ucar.edu
Thu Sep 24 09:20:36 MDT 2009


I'm running Samba on a Debian stable server and have run into a problem
I can't seem to get past. It's version 3.2.5. The basic setup is that it
authenticates users via 'security = ads' and controls access to
individual shares using local groups via 'valid users = @localgroup'.
All of the users have accounts in /etc/password and are added to the
groups in /etc/group. This has been working great for years.

My problem comes when I install the 'winbind' package in order to get
access to ntlm_auth. Once winbindd is running, my local group
authentication no longer works. I've tried just about every backend
provided via 'idmap backend tdb', or 'idmap backend nss', etc. Depending
on the configuration, I sometimes get various winbind errors such as
"[2009/09/23 15:06:11,  2] auth/token_util.c:create_local_nt_token(385)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?"

Even after getting all such errors cleared though, I still can't access
the shares which are using the 'valid users = @localgroup'
configuration. I've tried changing that to 'valid users = +localgroup'
which should only check NSS but that also fails. Using the idbind nss
backend doesn't help either. I'm kind of at a loss as to what to try
next. Basically, I want things to work the same whether winbind is
running or not. Thanks in advance,

-David Mitchell

| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |

More information about the samba mailing list