[Samba] samba winbind ignores local unix groups.

s f sf878787767676 at gmail.com
Sun Mar 27 22:26:30 MDT 2011

Hello everybody,

Google as I might, I cannot find any recent discussions on solving this
problem, many times asked, but no solutions have worked for me.

Synopsis of Details:
Centos 5.5 64_bit,
Windows AD 2008.

As all the threads I find are quite old, hopefully things have changed, or
maybe I am wasting time and it is not possible ? Please let me know if this
is the case.

Why does samba+winbind ignore the local unix groups ?

I have joined my samba server to Windows AD.

I have configured a share with the values:
#Perms are 777
path                    = /home/pub_share
comment                 = Public_Share
writable                = yes
create mask             = 775
directory mask          = 775
browsable               = yes
valid users             = @adgroup

If I use a group from Windows AD, there is no problem accessing the share,
but we do not want to add / change groups in AD, we need to add users to our
local /etc/groups as access to Windows AD is very limited and we would
rather control things on the linux side, and use the single sign on from AD
for the users.

If I change valid users to:
valid users             = @linuxgroup

And create a user and add them to that group on the samba server, it does
not work, they can ssh into the machine using the local user password OR
their Win AD credentials via winbind, but not access the share via SMB.

id <username> shows all groups the user belongs to in WinAD and /etc/group
getent passwd
getent group
wbinfo -g
wbinfo -u

All show the correct values I would expect.

Below are my configs if you need more info let me know, I have tried many
things including group maps, adding DOMAIN+user and various other things. If
you have a working SAMBA+AD+WINBIND+LOCALGROUPS I would love to know about


# General name options
log level = 2
workgroup               = xxxx
netbios name            = smb1

server string           = samba test server
idmap backend           = rid:xxxx=5000-100000000
idmap uid               = 10000-100000000
idmap gid               = 10000-100000000

security                = ads
encrypt passwords       = yes

realm                   = xxx
password server         = xxx
os level                = 10

# Winbind Stuff - Active Directory
winbind enum users      = yes
winbind enum groups     = yes
winbind nested groups   = yes
winbind use default domain      = yes
winbind separator = +
template shell          = /bin/bash
template homedir        = /home/%D/%U
obey pam restrictions   = yes

# Disabled printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Extended ACL support
map acl inherit = no
nt acl support = no

path                    = /home/pub_share
comment                 = Public_Share
writable                = yes
create mask             = 775
directory mask          = 775
browsable               = yes
valid users             = @linuxgroup

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass auth
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

passwd:     files winbind
shadow:     files winbind
group:      files winbind
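One check worth running against the setup described in this message: a local group in /etc/group only grants access if the member list carries the user under exactly the name NSS/winbind resolves for that user (what `id -nG <username>` prints). With `winbind use default domain = yes` domain users resolve to bare names; with it off they resolve as `DOMAIN<separator>user`, here `DOMAIN+user`. The script below is an added example, not code from the original post or from the Samba project; it parses constructed /etc/group-style lines and reports whether a user is listed under either form, so the two spellings can be compared against the real `id` output. The sample group file, the domain name `CORP` and the user names are constructed for the example.

```shell
#!/bin/sh
# Added example: does a local /etc/group entry list a user under the name
# form winbind resolves? Sample data below is constructed, not from a real host.

# Constructed /etc/group-style content: alice is listed bare, bob in DOMAIN+user form.
SAMPLE_GROUP='root:x:0:
linuxgroup:x:1001:alice,CORP+bob
adgroup:x:10005:'

# group_members CONTENT GROUP
# Prints the comma-separated member field of GROUP; exit 1 if the group is absent.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" \
        '$1 == g { print $4; found = 1 } END { exit found ? 0 : 1 }'
}

# user_in_group CONTENT GROUP USER DOMAIN SEPARATOR
# Exit 0 if USER or DOMAIN<SEPARATOR>USER appears in GROUP's member list,
# exit 1 if not listed, exit 2 if the group does not exist.
user_in_group() {
    members=$(group_members "$1" "$2") || return 2
    # -F: fixed strings, -x: whole-line match, one member name per line
    printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -e "$3" -e "$4$5$3"
}

# report CONTENT GROUP USER DOMAIN SEPARATOR
# Human-readable summary for a quick side-by-side with `id -nG USER` on the real host.
report() {
    if user_in_group "$@"; then
        echo "$3: listed in $2 (as '$3' or '$4$5$3')"
    else
        case $? in
            2) echo "$3: group $2 not found" ;;
            *) echo "$3: NOT listed in $2 under either name form" ;;
        esac
    fi
}

report "$SAMPLE_GROUP" linuxgroup alice CORP +
report "$SAMPLE_GROUP" linuxgroup bob   CORP +
report "$SAMPLE_GROUP" linuxgroup carol CORP +
report "$SAMPLE_GROUP" nosuchgroup alice CORP +
```

On a live host the same functions can be fed `$(cat /etc/group)` or `$(getent group)`; if `getent group linuxgroup` shows the user but `id -nG` for that user does not, the membership is not being applied at login, which is a different problem from a misspelled member name.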

