[Samba] What exactly is this?

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 29 06:49:08 MST 2014


I have seen this in a few cases.


On my domain controllers I created some unix groups to correspond to 
some of the well known built-in Windows groups, and then created group 
mappings. I think the winbind warnings on the domain controllers 
didn't really matter. The domain controllers use an LDAP backend so 
winbind was not critical.


e.g.

net groupmap add sid=S-1-5-32-544 unixgroup=smb_admin type=builtin ntgroup=Administrators
net groupmap add sid=S-1-5-32-545 unixgroup=smb_users type=builtin ntgroup=Users
net groupmap add sid=S-1-5-32-546 unixgroup=smb_guests type=builtin ntgroup=Guests


I was recently setting up a member server, and in this case winbind was 
required.


In smb.conf I had an idmapping entry for my domain

     idmap config MYDOMAIN : backend  = nss
     idmap config MYDOMAIN : range = 100-300



but winbind was getting stuck on the builtin groups.  Once I added

     idmap config * : backend  = tdb
     idmap config * : range =  5000-6000



winbind could allocate uids and gids for the builtin groups and then move 
on to allocating uids and gids for the domain.


Per MS some of the well known builtin groups are


http://support.microsoft.com/kb/163846

BUILTIN\ADMINISTRATORS     S-1-5-32-544
BUILTIN\USERS              S-1-5-32-545
BUILTIN\GUESTS             S-1-5-32-546
BUILTIN\ACCOUNT OPERATORS  S-1-5-32-548
BUILTIN\SERVER OPERATORS   S-1-5-32-549
BUILTIN\PRINT OPERATORS    S-1-5-32-550
BUILTIN\BACKUP OPERATORS   S-1-5-32-551
BUILTIN\REPLICATOR         S-1-5-32-552


On 12/24/14 14:11, Chris Nighswonger wrote:
> Could someone comment on whether or not this "WARNING" is valid?
>
> [2014/12/24 14:02:46.078767,  2]
> auth/token_util.c:479(finalize_local_nt_token)
>    WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
>
> My Samba DC has been working fine for the past couple of years even with
> this in the logs, but curiosity has gotten the better of me at this point.
> Google seems to indicate that others have wondered about this same
> question, but never received an answer.
>
> System info:
>
> root@biblios:/var/lib/samba/netlogon# lsb_release -a
> No LSB modules are available.
> Distributor ID:    Ubuntu
> Description:    Ubuntu 13.04
> Release:    13.04
> Codename:    raring
>
> root@biblios:/var/lib/samba/netlogon# nmbd -V
> Version 3.6.9
>
> root@biblios:/var/lib/samba/netlogon# smbd -V
> Version 3.6.9
>
> root@biblios:/var/lib/samba/netlogon# slapd -V
> @(#) $OpenLDAP: slapd  (Jun 20 2013 17:11:18) $
>      buildd@allspice:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
>
> Samba log level = 2
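
Added example, not part of the original message or of Samba: a small Python check for the member-server situation described above, where smb.conf maps only the named domain and has no default "idmap config *" range from which winbind can allocate ids for the BUILTIN groups. The two smb.conf fragments are constructed from the settings quoted in the message, the function names are hypothetical, and the overlap check assumes the smb.conf(5) rule that configured idmap ranges must be disjoint.

```python
import re
from itertools import combinations

# Constructed smb.conf fragments built from the settings quoted in the message.
DOMAIN_ONLY = """
[global]
    idmap config MYDOMAIN : backend  = nss
    idmap config MYDOMAIN : range = 100-300
"""
WITH_DEFAULT = DOMAIN_ONLY + """
    idmap config * : backend  = tdb
    idmap config * : range =  5000-6000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(text):
    """Return a list of findings; an empty list means both checks passed."""
    domains = parse_idmap(text)
    findings = []
    # '*' is the default domain; per the message, BUILTIN groups get ids from it.
    if "range" not in domains.get("*", {}):
        findings.append("no 'idmap config * : range' for BUILTIN and other default-domain SIDs")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"id ranges for {d1} and {d2} overlap")
    return findings

if __name__ == "__main__":
    for name, conf in (("domain only", DOMAIN_ONLY), ("with default", WITH_DEFAULT)):
        print(name, "->", check_idmap(conf) or "ok")
```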


