samba - Feb 2007 - Active Directory for users authentication only?

Hi folks,

I'm setting up a new samba box (Redhat ES 4.0, with Rehat
samba-3.0.10-1.4E.9) to replace a proprietry OS X version that's been
running home directories for our school staff - we've previously used
local accounts and groups on the OS X server rather than the AD accounts
all our staff have; one of the key goals in moving to a new system was
to allow users to logon without having to re-enter their windows
usernames and passwords.

To this end I've got my krb5.conf, pam.d/samba, pam.d/logon, pam.d/sshd
and smb.conf all setup to work with AD. The machine joined the directory
successfully with the net join command, getent retrieves the user and
group entries without problem and my users (those few that are helping
me during this development phase) can logon via ssh and samba by using
their active directory usernames and passwords (or without, as in the
case of windows clients with their cached credentials - my test users
are very happy with the setup!).

However I've hit a stumbling block, (presumably because of our previous
server!) we have a fair few local group entries in /etc/group that just
don't exist in AD (and never will), we need these groups over those
listed by AD for the users... in fact we don't even need the AD provided
groups AT ALL! 
Using 'groups USER' at the shell successfully enumerated all the groups
for a given user; both those defined in /etc/groups, and those winbind
retrieves from AD.... however it doesn't seem as if the local groups are
being picked up by samba.

I then edited nsswitch.conf so that group details are only retrieved by
"file" (users are of course "files winbind") but I'm
still having
problems accessing directories in a share that has folders owned by
groups which are defined in /etc/group rather than winbind.. e.g I have
a 'Group' share with the following test directories at the moment:

drwxrwx---  23 root FMSC    4096 Jan 31 09:28 FMSC
drwxrwx---   7 root website 4096 Jan 22 11:28 School Website

My account, now that I've edited nsswitch to use files for groups only,
is a member of the following (/etc/group) groups:

# groups njps3
njps3 : Domuser FMSC school isd cetl timetable anatomy faculty hhstaff
Assets website

(Domuser is the primary group id as returned by winbind - I simply
created an entry in /etc/group so that it doesn't just show a numberic
GID)... Yet I cannot open the directory 'FMSC'... Samba reports the
following:

[2007/02/02 09:49:07, 3] smbd/process.c:process_smb(1091)
  Transaction 18 of length 90
[2007/02/02 09:49:07, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 14973) conn 0x2aef37f0
[2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo FMSC (fnum = -1) level=1004 call=5
total_data=0
[2007/02/02 09:49:07, 3] smbd/process.c:process_smb(1091)
  Transaction 19 of length 100
[2007/02/02 09:49:07, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 14973) conn 0x2aef37f0
[2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2findfirst(1359)
  call_trans2findfirst: dirtype = 22, maxentries = 1366,
close_after_first=0, close_if_end = 1 requires_resume_key = 1 level 0x104,
max_data_bytes = 16384
[2007/02/02 09:49:07, 3] smbd/error.c:error_packet(105)
  error string = Permission denied
[2007/02/02 09:49:07, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(1429) cmd=50 (SMBtrans2)
NT_STATUS_ACCESS_DENIED

I assume, perhaps naively, that this is because Samba is purely looking
up group information for my account from winbind? If so, what do I need
to modify so that Samba ignores group information from winbind and
purely uses /etc/group?

Regards

-John

(Hopefully all relevant config information is included below)

[global]
   workgroup 		= CAMPUS
   realm 			= CAMPUS.NCL.AC.UK
   password server 	= password.server
   client use spnego    = no
   server signing       = auto
   server string        = School of Medical Education Development
   hosts allow          = some.address.ranges.
   printcap name        = /etc/printcap
   load printers        = no
   log file             = /var/log/samba/%m.log
   log level            = 2
   max log size         = 50
   security             = ads
   password level       = 8
   username level       = 8
   encrypt passwords    = yes
   dns proxy            = no

   idmap uid            = 16777217-33554431
   idmap gid            = 20-33554431
   template shell       = /bin/false
   winbind use default domain = yes
   winbind separator    = \
   winbind enum users   = yes
   winbind enum groups  = yes
   winbind nested groups = Yes
   winbind trusted domains only = yes

[groups]
   comment = School of Medical Education Development project groups
   path = /export/Groups
   browseable = no
   read only = no
   public = no
   browseable = no
   writable = yes
   create mode = 0660
   directory mask = 0775
   default case = lower
   preserve case = yes

pam.d/samba
#%PAM-1.0
auth       required     pam_nologin.so
#auth       required    pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay
smbconf=/etc/samba/smb.conf
#password   required    pam_stack.so service=system-auth

nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files

 John Snowdon - IT Support Specialist
-==========================================-
 School of Medical Education Development 
 Faculty of Medical Sciences Computing
 University of Newcastle

 Email : j.p.snowdon@ncl.ac.uk

John Snowdon said:
> SNIP
>
> I assume, perhaps naively, that this is because Samba is purely looking
> up group information for my account from winbind? If so, what do I need
> to modify so that Samba ignores group information from winbind and
> purely uses /etc/group?
I've encountered a similar problem and opened a bug report.

https://bugzilla.samba.org/show_bug.cgi?id=4353

Ralf