[Samba] samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization

Stanislav N. aka pztrn pztrn at pztrn.name
Thu Jul 6 19:13:16 UTC 2017

Hello list.

I'm using samba4 authorization on Debian 8 without any problems. But on Debian 9 the very same config causes problems - unable to change GID. Here is my smb.conf:

        netbios name = testvm
        security = ADS
        workgroup = WRKGRP
        realm = EXAMPLE.COM
        password server =
        wins server =
        wins proxy = no
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/zsh
        client use spnego = yes
        winbind use default domain = yes
        encrypt passwords = yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind nested groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        inherit acls = Yes
        acl group control = yes

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config <win domain>:backend = ad
        idmap config <win domain>:schema_mode = rfc2307
        idmap config <win domain>:range = 3000000-4000000


With this configuration on Debian 8 the domain user logs in successfully. On Debian 9 the domain user fails to log in. Relevant lines in auth.log:

Jul  6 18:58:58 testvm login[1230]: pam_winbind(login:auth): getting password (0x00000000)
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:auth): user 'domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:account): user 'domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_mail(login:session): pam_modutil_drop_priv: change_gid failed: Success
Jul  6 18:59:02 testvm login[1230]: pam_keyinit(login:session): Unable to change GID to 70005 temporarily
Jul  6 18:59:02 testvm login[1230]: pam_unix(login:session): session opened for user domainuser by LOGIN(uid=0)
Jul  6 18:59:02 testvm mkhomedir_helper: PAM unable to change perms on copy /home/domainuser/.profile: Invalid argument
Jul  6 18:59:02 testvm login[1230]: pam_systemd(login:session): Failed to create session: Seat has no VTs but VT number not 0
Jul  6 18:59:02 testvm login[1230]: Permission denied

GID 70005 is the «domain admins» group.

The AD DC is running Samba 4.2.14 on Gentoo. The client OS is running within an LXC container, if it matters.

Any ideas?

With best regards,
Stanislav N. aka pztrn
Jabber: pztrn at pztrn.name
E-Mail: pztrn at pztrn.name
Blog: http://pztrn.name && http://en.pztrn.name
Telegram: @pztrn
Key ID: B3E1F07E
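A quick way to check which idmap range the GID reported by pam_keyinit falls into, given the `idmap config DOMAIN:range = low-high` lines from the smb.conf above; this is an added example, not code from the original post, and it assumes the domain name is the `workgroup` value (WRKGRP) in place of the `<win domain>` placeholder.

```python
import re

# Constructed excerpt of the idmap section from the smb.conf in the post,
# with WRKGRP standing in for the <win domain> placeholder (assumption).
SMB_CONF = """
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config WRKGRP:backend = ad
        idmap config WRKGRP:schema_mode = rfc2307
        idmap config WRKGRP:range = 3000000-4000000
"""

# Constructed auth.log lines modelled on the ones quoted in the post.
AUTH_LOG = """
Jul  6 18:59:02 testvm login[1230]: pam_keyinit(login:session): Unable to change GID to 70005 temporarily
Jul  6 18:59:02 testvm login[1230]: pam_mail(login:session): pam_modutil_drop_priv: change_gid failed: Success
"""

# domain part may be '*' or a NetBIOS name; it never contains ':' or whitespace
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in conf."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom, {})[key] = val
    return domains


def locate_id(conf, xid):
    """Return (domain, backend) whose configured range contains xid, else None."""
    for dom, settings in parse_idmap(conf).items():
        if "range" not in settings:
            continue
        low, high = (int(v) for v in settings["range"].split("-"))
        if low <= xid <= high:
            return dom, settings.get("backend", "?")
    return None


def failed_gids(log):
    """Extract every GID that pam_keyinit could not switch to."""
    return [int(g) for g in re.findall(r"Unable to change GID to (\d+)", log)]


if __name__ == "__main__":
    for gid in failed_gids(AUTH_LOG):
        print(gid, "->", locate_id(SMB_CONF, gid))
```

A GID from the default `*` range means the group was allocated by the tdb backend rather than read from the AD rfc2307 attributes, which is worth confirming against the gidNumber attribute of that group in AD.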
