[Samba] Winbind and local groups with nss

Eric denicfr at yahoo.fr
Mon Sep 3 07:53:35 MDT 2012


Hi all,

First of all, sorry for my English. I don't speak English well (of course, I'm French! ;-) ) but I will try to do my best to explain my problem.

I have a CentOS 6.3 system running with samba 3.5.10 against an AD 2008. My goal is to build a vsftpd server authenticating with users in my AD domain.

Everything is working quite fine, but I have something strange:

When I put winbind in debug mode and do 'id -G root', I see these messages in winbindd.log:

[2012/09/03 15:37:23.449662,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 21
[2012/09/03 15:37:23.449967,  3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 4759]: request interface version
[2012/09/03 15:37:23.450112,  3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 4759]: request location of privileged pipe
[2012/09/03 15:37:23.450337,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2012/09/03 15:37:23.450421,  6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 21, client exited
[2012/09/03 15:37:23.450539,  3] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups root
[2012/09/03 15:37:23.450691,  5] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/09/03 15:37:23.451367,  6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 22, client exited


Winbind is asked by nss to resolve root's secondary groups!!! I don't understand why: root is only local and all its groups are local.

The output is:
# id -G root
0 1 2 3 4 6 10 494

My question is quite simple: why does nss ask winbind to resolve these group names when they are all local!?!
Do you think the only thing I have to do is ignore these messages?

Here are my conf files:

/etc/nsswitch.conf:
passwd:     files winbind
shadow:     files
group:      files winbind

/etc/samba/smb.conf:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    workgroup = DOMAIN
    realm = DOMAIN.FQDN
    server string = Serveur ftp
    security = ADS
    allow trusted domains = No
    password server = 10.32.242.32 10.56.242.56
    ntlm auth = No
    kerberos method = secrets and keytab
    log level = 10
    log file = /var/log/samba/log.%m
    nt pipe support = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    domain master = No
    dns proxy = No
    idmap alloc backend = tdb
    idmap uid = 10000-500000
    idmap gid = 10000-500000
    template homedir = /usr/app/ftp/ftp/%U
    template shell = /sbin/nologin
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    create krb5 conf = No
    invalid users = root
    cups options = raw

Thank you for your help!
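
To see which names winbindd is being asked about at this log level, the getgroups requests can be pulled out of winbindd.log and paired with the SID-mapping result that follows. This is an added example, not part of the original post: the function names, the `local_users` set and the sample log (constructed from the excerpt above) are assumptions, and pairing by order assumes lookups do not interleave.

```python
import re

# Constructed sample, in the shape of the winbindd.log excerpt quoted in the post.
SAMPLE_LOG = """\
[2012/09/03 15:37:23.450337,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2012/09/03 15:37:23.450539,  3] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups root
[2012/09/03 15:37:23.450691,  5] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/09/03 15:37:23.451367,  6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 22, client exited
"""

# Header line: [timestamp, level] source.c:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": []})
        elif records and raw.startswith(" ") and raw.strip():
            records[-1]["msg"].append(raw.strip())
    return records

def getgroups_lookups(text, local_users):
    """Pair each 'getgroups <name>' request with the unmapped SID reported after it."""
    results, current = [], None
    for rec in parse_records(text):
        msg = " ".join(rec["msg"])
        if rec["func"] == "winbindd_getgroups_send" and msg.startswith("getgroups "):
            name = msg.split(" ", 1)[1]
            current = {"ts": rec["ts"], "user": name,
                       "local": name in local_users, "unmapped_sid": None}
            results.append(current)
        elif rec["func"] == "winbindd_getgroups_recv" and current:
            m = re.search(r"Could not convert sid (\S+): (\w+)", msg)
            if m and m.group(2) == "NT_STATUS_NONE_MAPPED":
                current["unmapped_sid"] = m.group(1)
            current = None
    return results

if __name__ == "__main__":
    for hit in getgroups_lookups(SAMPLE_LOG, local_users={"root"}):
        print(hit)
```

On a real host, `local_users` would be the set of names from /etc/passwd, so requests for accounts that exist only locally stand out from domain lookups.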

