David Mitchell
2009-Sep-24 15:20 UTC
[Samba] Problem using local groups when winbind is running
Greetings,

I'm running Samba on a Debian stable server and have run into a problem I can't seem to get past. It's version 3.2.5. The basic setup is that it authenticates users via 'security = ads' and controls access to individual shares using local groups via 'valid users = @localgroup'. All of the users have accounts in /etc/password and are added to the groups in /etc/group. This has been working great for years.

My problem comes when I install the 'winbind' package in order to get access to ntlm_auth. Once winbindd is running, my local group authentication no longer works. I've tried just about every backend provided via 'idmap backend tdb', or 'idmap backend nss', etc. Depending on the configuration, I sometimes get various winbind errors such as

"[2009/09/23 15:06:11, 2] auth/token_util.c:create_local_nt_token(385) WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?"

Even after getting all such errors cleared though, I still can't access the shares which are using the 'valid users = @localgroup' configuration. I've tried changing that to 'valid users = +localgroup' which should only check NSS but that also fails. Using the idbind nss backend doesn't help either.

I'm kind of at a loss as to what to try next. Basically, I want things to work the same whether winbind is running or not.

Thanks in advance,

-David Mitchell

--
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)    Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
Adam Nielsen
2009-Sep-24 22:34 UTC
[Samba] Problem using local groups when winbind is running
> My problem comes when I install the 'winbind' package in order to get
> access to ntlm_auth. Once winbindd is running, my local group
> authentication no longer works.

What does your /etc/nsswitch.conf say? Mine says:

    passwd: compat winbind
    shadow: compat
    group: compat winbind

And local groups can be interchanged with AD groups. We don't have any AD users or groups in /etc/passwd or /etc/group though.

Cheers,
Adam.
Adam Nielsen
2009-Sep-28 01:23 UTC
[Samba] Problem using local groups when winbind is running
> Even after getting all such errors cleared though, I still can't access
> the shares which are using the 'valid users = @localgroup'
> configuration. I've tried changing that to 'valid users = +localgroup'
> which should only check NSS but that also fails.

Since you're on a domain you might have to specify that the groups are local, e.g. @MACHINENAME\localgroup, as it might default to your domain if one is not given explicitly. I'm not sure how this works when winbind isn't running, but it should be okay.

Cheers,
Adam.
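A diagnostic for the situation discussed in this thread, added here as an example and not part of any poster's message: it reads the `group:` line of nsswitch.conf, checks whether winbind is consulted before the local files, and compares the members listed in /etc/group with what an NSS lookup returns for the same group. The function names, the `localgroup` entry's gid and the member names are assumptions made for illustration.

```python
import grp, re, sys

# Constructed sample inputs: the nsswitch.conf lines quoted in the thread and a
# made-up /etc/group entry (member names are placeholders).
SAMPLE_NSSWITCH = "passwd: compat winbind\nshadow: compat\ngroup: compat winbind\n"
SAMPLE_GROUP = "localgroup:x:1001:alice,bob\n"

def nss_sources(nsswitch_text, database):
    """Ordered source list for one nsswitch.conf database, actions removed."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []

def local_group_members(group_text, name):
    """Members of `name` in /etc/group-format text, or None if not defined."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == name:
            return sorted(m for m in fields[3].split(",") if m)
    return None

def check(nsswitch_text, group_text, name, nss_lookup=None):
    """Findings that bear on 'valid users = @name' once winbind is in NSS."""
    findings = []
    sources = nss_sources(nsswitch_text, "group")
    local = [s for s in sources if s in ("files", "compat")]
    if not local:
        findings.append("group: line has no files/compat source")
    elif "winbind" in sources and sources.index("winbind") < sources.index(local[0]):
        findings.append("winbind is consulted before local files for groups")
    members = local_group_members(group_text, name)
    if members is None:
        findings.append(f"{name} is not defined in the local group file")
    elif nss_lookup is not None:
        try:
            seen = sorted(nss_lookup(name).gr_mem)
        except KeyError:
            seen = None
        if seen != members:
            findings.append(f"NSS returns {seen} for {name}; file lists {members}")
    return findings

if __name__ == "__main__":  # live check on the host, e.g. with winbindd running
    name = sys.argv[1] if len(sys.argv) > 1 else "localgroup"
    with open("/etc/nsswitch.conf") as n, open("/etc/group") as g:
        print(check(n.read(), g.read(), name, grp.getgrnam) or "no findings")
```

Running it once with winbindd stopped and once with it started shows whether the NSS answer for the group changes between the two states.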