samba - Jul 2004 - NT doesn't like that, you should fix it

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,
I have this in my /var/log/messages (pls mind the line wrap):
smbd3[3660]: [2004/07/09 15:31:26, 0] 
rpc_server/srv_util.c:get_domain_user_groups(372)

smbd3[3660]:   get_domain_user_groups: primary gid of user [fajar] is not a 
Domain group !

smbd3[3660]:   get_domain_user_groups: You should fix it, NT doesn't like
that

Why is that? However, the operation is normal, I can logon into the domain, 
download the profiles, etc. 

This is my smb.conf:
[global]
workgroup = samba3
netbios name = centrino
server string = Samba Server %v
message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
printcap name = cups
load printers = yes
printing = cups
printer admin = @adm
log file = /var/log/samba3/log.%m
log level = 3
map to guest = bad user
security = user
encrypt passwords = yes
smb passwd file = /etc/samba3/smbpasswd
unix password sync = Yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \
*passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba3/smbusers
include = /etc/samba3/smb.conf.%m
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind separator = +
  winbind use default domain = yes
template homedir = /home/%D/%U
  obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
remote announce = 192.168.0.255
local master = yes
os level = 33
domain master = yes 
preferred master = yes
domain logons = yes
logon script = %m.bat
logon script = %U.bat
logon path = \\%L\Profiles\%U
logon home = \\%L\%U\.profile
add user script = /usr/sbin/useradd -s /bin/false '%u'
delete user script = /usr/sbin/userdel '%s'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add group script = /usr/sbin/groupadd %g && getent group
'%g'|awk -F: '{print
$3}'
delete group script = /usr/sbin/groupdel '%g'
add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine 
Account' -s /bin/false -M %u
dns proxy = no 
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next 2 lines (make sure you create a
# .recycle folder in the base of the share and ensure
# all users will have write access to it. See
# examples/VFS/recycle/REAME in samba-doc for details
;   vfs object = /usr/lib/samba3/vfs/recycle.so

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba3/netlogon
   guest ok = yes
   writable = yes
   browseable = no
   
#Uncomment the following 2 lines if you would like your login scripts to
#be created dynamically by ntlogon (check that you have it in the correct
#location (the default of the ntlogon rpm available in contribs)
;root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d /var/lib/samba3/netlogon
;root postexec = rm -f /var/lib/samba3/netlogon/%U.bat

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
    path = /var/lib/samba3/profiles
    browseable = no
    guest ok = yes
    writable = yes
# This script can be enabled to create profile directories on the fly
# You may want to turn off guest acces if you enable this, as it
# hasn't been thoroughly tested.
root preexec = PROFILE=/var/lib/samba3/profiles/%u; if [ ! -e $PROFILE ]; \
                then mkdir -pm700 $PROFILE; chown %u.%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to 
# specifically define each individual printer.
# You must configure the samba printers with the appropriate Windows
# drivers on your Windows clients or upload the printer driver to the
# server from Windows (NT/2000/XP). On the Samba server no filtering is
# done. If you wish that the server provides the driver and the clients
# send PostScript ("Generic PostScript Printer" under Windows), you
have
# to use 'printcap name = cups' or swap the 'print command' line
below
# with the commented one. Note that print commands only work if not using 
# 'printing=cups'
[printers]
   comment = All Printers
   path = /var/spool/samba3
   browseable = no
# to allow user 'guest account' to print.
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
# ====================================# print command: see above for details.
# ====================================   print command = lpr-cups -P %p -o raw
%s -r   # using client side printer
drivers.
;   print command = lpr-cups -P %p %s # using cups own drivers (use generic 
PostScript on clients).

# This share is used for Windows NT-style point-and-print support.
# To be able to install drivers, you need to be either root, or listed
# in the printer admin parameter above. Note that you also need write access
# to the directory and share definition to be able to upload the drivers.
# For more information on this, please see the Printing Support Section of
# /usr/share/doc/samba3-<version>/docs/Samba-HOWTO-Collection.pdf 
#
# A special case is using the CUPS Windows Postscript driver, which allows
# all features available via CUPS on the client, by publishing the ppd file
# and the cups driver by using the 'cupsaddsmb' tool. This requires the
# installation of the CUPS driver (http://www.cups.org/windows.php) 
# on the server, but doesn't require you to use Windows at all :-).
[print$]
   path = /var/lib/samba3/printers
   browseable = yes
   write list = @adm root
   guest ok = yes
   inherit permissions = yes
   # Settings suitable for Winbind:
   ; write list = @"Domain Admins" root
   ; force group = +@"Domain Admins"

# A useful application of samba is to make a PDF-generation service
# To streamline this, install windows postscript drivers (preferably colour)
# on the samba server, so that clients can automatically install them.
# Note that this only works if 'printing' is *not* set to 'cups'

[pdf-generator]
   path = /var/tmp
   guest ok = No
   printable = Yes
   comment = PDF Generator (only valid users)
   #print command = /usr/share/samba3/scripts/print-pdf file path win_path 
recipient IP &
   print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m %I 
"%J" &

# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
   comment = Public Stuff
   path = /home/samba3/public
   public = yes
   writable = no
   write list = @staff
[fredsprn]
   comment = Fred's Printer
   valid users = fred
   path = /homes/fred
   printer = freds_printer
   public = no
   writable = no
   printable = yes
[fredsdir]
   comment = Fred's Service
   path = /usr/somewhere/private
   valid users = fred
   public = no
   writable = yes
   printable = no
[pchome]
  comment = PC Directories
  path = /usr/pc/%m
  public = no
  writable = yes
[public]
   path = /usr/somewhere/else/public
   public = yes
   only guest = yes
   writable = yes
   printable = no
[myshare]
   comment = Mary's and Fred's stuff
   path = /usr/somewhere/shared
   valid users = mary fred
   public = no
   writable = yes
   printable = no
   create mask = 0765

[netware]
    path = /var/lib/samba3/netware-bpk
    public = no
    valid users = test1 test2
    writable = yes
    browseable = no
    
Thanks
- -- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
15:56:13 up 8:00, Mandrake Linux release 9.2 (FiveStar) for i586 
public key: https://www.arinet.org/fajar-pub.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA7mGdkp5CsIXuxqURAnBXAKCAltfB45HLXx3YO2RlQdbfvD0uwACfclEi
836egEZFISG6YmPWwa1TsY4=Ixss
-----END PGP SIGNATURE-----

This is a simple problem, but it took me a while to find the answer also.  

man net

and look for GROUPMAP basically you need to map your unix groups to
samba/windows groups.  I have a poor understanding of it all so you will
probably want to read up on google, but that should get you started.

Miles

> Dear all,
> I have this in my /var/log/messages (pls mind the line wrap):
> smbd3[3660]: [2004/07/09 15:31:26, 0]
> rpc_server/srv_util.c:get_domain_user_groups(372)
> 
> smbd3[3660]:   get_domain_user_groups: primary gid of user [fajar] is not
> a
> Domain group !
> 
> smbd3[3660]:   get_domain_user_groups: You should fix it, NT doesn't
like
> that
> 
> Why is that? However, the operation is normal, I can logon into the
> domain,
> download the profiles, etc.
> 
> This is my smb.conf:
> [global]
> workgroup = samba3
> netbios name = centrino
> server string = Samba Server %v
> message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
> printcap name = cups
> load printers = yes
> printing = cups
> printer admin = @adm
> log file = /var/log/samba3/log.%m
> log level = 3
> map to guest = bad user
> security = user
> encrypt passwords = yes
> smb passwd file = /etc/samba3/smbpasswd
> unix password sync = Yes
> pam password change = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \
> *passwd:*all*authentication*tokens*updated*successfully*
> username map = /etc/samba3/smbusers
> include = /etc/samba3/smb.conf.%m
>   winbind uid = 10000-20000
>   winbind gid = 10000-20000
>   winbind separator = +
>   winbind use default domain = yes
> template homedir = /home/%D/%U
>   obey pam restrictions = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> remote announce = 192.168.0.255
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script = %m.bat
> logon script = %U.bat
> logon path = \\%L\Profiles\%U
> logon home = \\%L\%U\.profile
> add user script = /usr/sbin/useradd -s /bin/false '%u'
> delete user script = /usr/sbin/userdel '%s'
> add user to group script = /usr/bin/gpasswd -a '%u' '%g'
> delete user from group script = /usr/bin/gpasswd -d '%u'
'%g'
> set primary group script = /usr/sbin/usermod -g '%g' '%u'
> add group script = /usr/sbin/groupadd %g && getent group
'%g'|awk -F:
> '{print
> $3}'
> delete group script = /usr/sbin/groupdel '%g'
> add machine script = /usr/sbin/useradd -d /dev/null -g machines -c
> 'Machine
> Account' -s /bin/false -M %u
> dns proxy = no
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
> # You can enable VFS recycle bin on a per share basis:
> # Uncomment the next 2 lines (make sure you create a
> # .recycle folder in the base of the share and ensure
> # all users will have write access to it. See
> # examples/VFS/recycle/REAME in samba-doc for details
> ;   vfs object = /usr/lib/samba3/vfs/recycle.so
> 
> # Un-comment the following and create the netlogon directory for Domain
> Logons
> [netlogon]
>    comment = Network Logon Service
>    path = /var/lib/samba3/netlogon
>    guest ok = yes
>    writable = yes
>    browseable = no
> 
> #Uncomment the following 2 lines if you would like your login scripts to
> #be created dynamically by ntlogon (check that you have it in the correct
> #location (the default of the ntlogon rpm available in contribs)
> ;root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d
> /var/lib/samba3/netlogon
> ;root postexec = rm -f /var/lib/samba3/netlogon/%U.bat
> 
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home directory
> [Profiles]
>     path = /var/lib/samba3/profiles
>     browseable = no
>     guest ok = yes
>     writable = yes
> # This script can be enabled to create profile directories on the fly
> # You may want to turn off guest acces if you enable this, as it
> # hasn't been thoroughly tested.
> root preexec = PROFILE=/var/lib/samba3/profiles/%u; if [ ! -e $PROFILE ];
> \
>                 then mkdir -pm700 $PROFILE; chown %u.%g $PROFILE;fi
> 
> # NOTE: If you have a CUPS print system there is no need to
> # specifically define each individual printer.
> # You must configure the samba printers with the appropriate Windows
> # drivers on your Windows clients or upload the printer driver to the
> # server from Windows (NT/2000/XP). On the Samba server no filtering is
> # done. If you wish that the server provides the driver and the clients
> # send PostScript ("Generic PostScript Printer" under Windows),
you have
> # to use 'printcap name = cups' or swap the 'print command'
line below
> # with the commented one. Note that print commands only work if not using
> # 'printing=cups'
> [printers]
>    comment = All Printers
>    path = /var/spool/samba3
>    browseable = no
> # to allow user 'guest account' to print.
>    guest ok = yes
>    writable = no
>    printable = yes
>    create mode = 0700
> # ====================================> # print command: see above for
details.
> # ====================================>    print command = lpr-cups -P
%p -o raw %s -r   # using client side
> printer
> drivers.
> ;   print command = lpr-cups -P %p %s # using cups own drivers (use
> generic
> PostScript on clients).
> 
> # This share is used for Windows NT-style point-and-print support.
> # To be able to install drivers, you need to be either root, or listed
> # in the printer admin parameter above. Note that you also need write
> access
> # to the directory and share definition to be able to upload the drivers.
> # For more information on this, please see the Printing Support Section of
> # /usr/share/doc/samba3-<version>/docs/Samba-HOWTO-Collection.pdf
> #
> # A special case is using the CUPS Windows Postscript driver, which allows
> # all features available via CUPS on the client, by publishing the ppd
> file
> # and the cups driver by using the 'cupsaddsmb' tool. This requires
the
> # installation of the CUPS driver (http://www.cups.org/windows.php)
> # on the server, but doesn't require you to use Windows at all :-).
> [print$]
>    path = /var/lib/samba3/printers
>    browseable = yes
>    write list = @adm root
>    guest ok = yes
>    inherit permissions = yes
>    # Settings suitable for Winbind:
>    ; write list = @"Domain Admins" root
>    ; force group = +@"Domain Admins"
> 
> # A useful application of samba is to make a PDF-generation service
> # To streamline this, install windows postscript drivers (preferably
> colour)
> # on the samba server, so that clients can automatically install them.
> # Note that this only works if 'printing' is *not* set to
'cups'
> 
> [pdf-generator]
>    path = /var/tmp
>    guest ok = No
>    printable = Yes
>    comment = PDF Generator (only valid users)
>    #print command = /usr/share/samba3/scripts/print-pdf file path win_path
> recipient IP &
>    print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m
> %I
> "%J" &
> 
> # This one is useful for people to share files
> [tmp]
>    comment = Temporary file space
>    path = /tmp
>    read only = no
>    public = yes
> 
> # A publicly accessible directory, but read only, except for people in
> # the "staff" group
> [public]
>    comment = Public Stuff
>    path = /home/samba3/public
>    public = yes
>    writable = no
>    write list = @staff
> [fredsprn]
>    comment = Fred's Printer
>    valid users = fred
>    path = /homes/fred
>    printer = freds_printer
>    public = no
>    writable = no
>    printable = yes
> [fredsdir]
>    comment = Fred's Service
>    path = /usr/somewhere/private
>    valid users = fred
>    public = no
>    writable = yes
>    printable = no
> [pchome]
>   comment = PC Directories
>   path = /usr/pc/%m
>   public = no
>   writable = yes
> [public]
>    path = /usr/somewhere/else/public
>    public = yes
>    only guest = yes
>    writable = yes
>    printable = no
> [myshare]
>    comment = Mary's and Fred's stuff
>    path = /usr/somewhere/shared
>    valid users = mary fred
>    public = no
>    writable = yes
>    printable = no
>    create mask = 0765
> 
> [netware]
>     path = /var/lib/samba3/netware-bpk
>     public = no
>     valid users = test1 test2
>     writable = yes
>     browseable = no
> 
> Thanks
> - --
> Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
> 15:56:13 up 8:00, Mandrake Linux release 9.2 (FiveStar) for i586
> public key: https://www.arinet.org/fajar-pub.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQFA7mGdkp5CsIXuxqURAnBXAKCAltfB45HLXx3YO2RlQdbfvD0uwACfclEi
> 836egEZFISG6YmPWwa1TsY4> =Ixss
> -----END PGP SIGNATURE-----
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba