[Samba] Problem using local groups when winbind is running
David Mitchell
mitchell at ucar.edu
Mon Sep 28 12:25:46 MDT 2009
Adam Nielsen wrote:
>> Even after getting all such errors cleared though, I still can't access
>> the shares which are using the 'valid users = @localgroup'
>> configuration. I've tried changing that to 'valid users = +localgroup'
>> which should only check NSS but that also fails.
>
> Since you're on a domain you might have to specify that the groups are
> local, e.g. @MACHINENAME\localgroup, as it might default to your domain
> if one is not given explicitly.
>
> I'm not sure how this works when winbind isn't running, but it should be
> okay.
I couldn't get that configuration syntax to work with or without winbindd.
I did do some more digging. This seems to be a symptom, not a cause, but
perhaps it helps identify the source of the problem. When it works, i.e.,
without winbind, this produces reasonable output listing my correct unix
UID and group membership:
> [2009/09/28 12:09:32, 5] auth/token_util.c:debug_nt_user_token(470)
> NT user token of user S-1-22-1-1000
> contains 12 SIDs
> SID[ 0]: S-1-22-1-1000
> SID[ 1]: S-1-22-2-96
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-22-2-20
> SID[ 6]: S-1-22-2-24
> SID[ 7]: S-1-22-2-25
> SID[ 8]: S-1-22-2-29
> SID[ 9]: S-1-22-2-44
> SID[ 10]: S-1-22-2-46
> SID[ 11]: S-1-22-2-1111
> SE_PRIV 0x0 0x0 0x0 0x0
> [2009/09/28 12:09:32, 5] auth/token_util.c:debug_unix_user_token(490)
> UNIX token of user 1000
> Primary group is 96 and contains 8 supplementary groups
> Group[ 0]: 96
> Group[ 1]: 20
> Group[ 2]: 24
> Group[ 3]: 25
> Group[ 4]: 29
> Group[ 5]: 44
> Group[ 6]: 46
> Group[ 7]: 1111
> [2009/09/28 12:09:32, 5] smbd/uid.c:change_to_user(272)
> change_to_user uid=(0,1000) gid=(0,96)
But when it fails, I get the much more suspicious output for similar
debug calls. I haven't dug into when the user_token stuff is
initialized, but clearly it isn't happening properly when winbind is
running in my case.
> [2009/09/28 12:19:32, 5] auth/token_util.c:debug_nt_user_token(464)
> NT user token: (NULL)
> [2009/09/28 12:19:32, 5] auth/token_util.c:debug_unix_user_token(490)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2009/09/28 12:19:32, 5] smbd/uid.c:change_to_root_user(287)
> change_to_root_user: now uid=(0,0) gid=(0,0)
Out of curiosity, I added 'root' to 'testgroup' in /etc/group but that
didn't help. It doesn't find the supplementary group for root.
-David
>
> Cheers,
> Adam.
>
--
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------
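
Added example (not part of the original message, and not Samba code): a small parser for level-5 smbd token dumps in the format quoted above, so a working and a failing run can be compared per connection. The function names, the sample log and the choice of gid 1111 as the group behind 'valid users' are assumptions made for illustration.

```python
import re
# Constructed sample in the format quoted above; gid 1111 as the share's group is an assumption.
SAMPLE = """\
[2009/09/28 12:09:32, 5] auth/token_util.c:debug_nt_user_token(470)
  NT user token of user S-1-22-1-1000
  contains 2 SIDs
  SID[  0]: S-1-22-1-1000
  SID[  1]: S-1-22-2-1111
[2009/09/28 12:09:32, 5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 1000
  Primary group is 96 and contains 2 supplementary groups
  Group[  0]: 96
  Group[  1]: 1111
[2009/09/28 12:19:32, 5] auth/token_util.c:debug_nt_user_token(464)
  NT user token: (NULL)
[2009/09/28 12:19:32, 5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
"""

HEADER = re.compile(r"\[(?P<time>[^,\]]+),\s*\d+\]\s+\S+:(?P<func>\w+)\(\d+\)")
UNIX_GROUP_SID = re.compile(r"SID\[\s*\d+\]:\s*S-1-22-2-(\d+)$")  # S-1-22-2-<gid>: Unix group

def parse_tokens(text):
    """Return one dict per NT token dump, merged with the UNIX token dump that follows it."""
    entries, cur, func = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")          # tolerate mail-quoted log lines
        if (m := HEADER.match(line)):
            func = m["func"]
            if func == "debug_nt_user_token":
                cur = {"time": m["time"], "nt_null": False, "sid_gids": set(),
                       "uid": None, "unix_gids": set()}
                entries.append(cur)
        elif cur and func == "debug_nt_user_token":
            cur["nt_null"] |= "(NULL)" in line
            if (g := UNIX_GROUP_SID.match(line)):
                cur["sid_gids"].add(int(g.group(1)))
        elif cur and func == "debug_unix_user_token":
            if (u := re.match(r"UNIX token of user (\d+)", line)):
                cur["uid"] = int(u.group(1))
            elif (g := re.match(r"(?:Primary group is|Group\[\s*\d+\]:)\s*(\d+)", line)):
                cur["unix_gids"].add(int(g.group(1)))
    return entries

def report(text, gid):
    """(time, uid, nt_token_is_null, gid_missing) for each token dump pair."""
    return [(e["time"], e["uid"], e["nt_null"],
             gid not in e["sid_gids"] | e["unix_gids"]) for e in parse_tokens(text)]
```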