[Samba] why does add_local_groups come up in only one system's logs?

Rowland Penny rpenny at samba.org
Mon Aug 8 19:16:56 UTC 2016

On Mon, 8 Aug 2016 15:27:44 -0300
francis picabia <fpicabia at gmail.com> wrote:

> OK, that was my bad for copy/pasting some config lines I found with
> a report of "this works!" on a bug report (only the second login
> connects bug).
> I've included the domain and fixed the range so it won't overlap with
> Unix IDs.
> #  grep idmap /etc/samba/smb.conf
>    idmap config MYDOM : backend = rid
>    idmap config MYDOM : range = 70000-99999999
> I eliminated the "valid users =" line from the homes section.
> On Debian, there are a couple of different services.  I read that
> with 4.2, it can run its own winbind service.  So I wondered if that
> can make a difference.

I think you could be getting confused here. If you run Samba as a DC,
then yes, from 4.2.0, the separate winbindd binary is used instead of
the 'winbind' built into the samba binary.
On a domain member that is joined to AD, you will need to run
the winbindd binary as well.

> If I stop winbind, and restart samba...
> # /etc/init.d/samba restart
> [ ok ] Restarting nmbd (via systemctl): nmbd.service.
> [ ok ] Restarting smbd (via systemctl): smbd.service.
> [ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
> # ps auxww | grep winbind
> root     19867  0.0  0.0  12764   948 pts/0    S+   14:13   0:00 grep winbind

This shows that 'winbindd' isn't running. If I run a similar command on
a domain member:

rowland@devstation:~$ ps ax | grep winbind
 2334 ?        Ss     0:11 /usr/local/samba/sbin/winbindd
 2532 ?        S      0:00 /usr/local/samba/sbin/winbindd
 2535 ?        S      0:00 /usr/local/samba/sbin/winbindd
 2536 ?        S      0:01 /usr/local/samba/sbin/winbindd
 4731 ?        S      0:00 /usr/local/samba/sbin/winbindd
17044 pts/7    S+     0:00 grep winbind

> Then I can connect with smbclient to the system where I never could
> before. That would be fine except that ssh requires winbind.
> If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
> services on their own, then ssh login with AD credentials works,
> but I cannot connect with smbclient.

If I try to connect from a DC to devstation with smbclient, I get this:

root@dc1:~# smbclient -L //devstation -UAdministrator
Enter Administrator's password: 
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]

	Sharename       Type      Comment
	---------       ----      -------
	homes           Disk      
	data2           Disk      
	IPC$            IPC       IPC Service (Samba 4 Client devstation)
	root            Disk      Home directory of root
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]

	Server               Comment
	---------            -------
	DEVSTATION           Samba 4 Client devstation

	Workgroup            Master
	---------            -------

> The other system running with winbind allows both smbclient
> and ssh connections.
> On the problem system:
> Winbind on, and smbclient fails.
> Winbind off, and smbclient connects.
> It doesn't matter if winbind is in /etc/nsswitch.conf
> The good working system does not have winbind in the nsswitch.conf
> Both systems have the same packages containing winbind in the name.

I would check everything. If they are running the same OS and Samba
version etc., then you should get the same results etc., provided Samba
is running as the same thing, i.e. a domain member.
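
An added example, not part of the original post and not Samba's own code: a Python check that the `idmap config ... : range` lines of an smb.conf do not collide with local Unix UIDs or with each other, which is the overlap the quoted message mentions fixing. The `*` default-domain lines and the passwd entries are constructed sample data; only the two MYDOM lines come from the thread.

```python
import re

# Constructed sample input: the MYDOM lines are quoted from the thread; the
# '*' default-domain lines and all passwd entries are assumptions.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 70000-99999999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:3400:3400:constructed local account:/home/backup:/bin/sh
alice:x:70010:70010:constructed local account:/home/alice:/bin/bash
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {dom: (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(conf_text)}

def local_uid_collisions(ranges, passwd_text):
    """Local accounts whose UID falls inside a winbind-allocated range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank, comment and NIS '+' lines
        uid = int(fields[2])
        for dom, (low, high) in ranges.items():
            if low <= uid <= high:
                hits.append((fields[0], uid, dom))
    return hits

def overlapping_domains(ranges):
    """Pairs of idmap domains whose ranges intersect each other."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if rb[0] <= ra[1]]

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print(r, local_uid_collisions(r, PASSWD), overlapping_domains(r))
```

A local account that lands inside a winbind range shares its UID with whichever domain user is mapped to the same number, so both identities get the same file access on that host.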

