Hello all.

I'm relatively new to Samba, and haven't been able to track down a solution to this particular problem.

I use Samba/Winbind to authenticate FreeBSD machines against a Windows 2003 Active Directory. That all works fine. The problem is that groups in the AD of type "Security Group - Domain Local" are causing winbindd a lot of grief. Every time the winbindd daemon is accessed, it spews syslog messages like these for every Domain Local group in the AD:

--------------------
Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dhcp users
Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dhcp administrators
Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dnsadmins
Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group debugger users
---------------------

All non-local groups show up just fine in the BSD system. Local groups do not show up in a getent group.

All groups, including the local ones, show up when I run wbinfo -g. Running wbinfo -n <localgroup> comes back with a SID:
$ wbinfo -n dnsadmins
<munged-SID> Local Group (4)

This SID is trackable back to a gid:
$ sudo wbinfo --sid-to-gid <munged-SID>
11105

Why, then, are these groups not actually getting populated? Can anyone shed some light on this?

-HKS
(private) HKS
2008-Jul-11 17:40 UTC
[Samba] Re: Winbind syslog errors and Domain Local Groups
Any ideas?

-HKS

On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private@gmail.com> wrote:
> Hello all.
>
> I'm relatively new to Samba, and haven't been able to track down a
> solution to this particular problem.
>
> I use Samba/Winbind to authenticate FreeBSD machines against a
> Windows 2003 Active Directory. That all works fine. The problem is
> that groups in the AD of type "Security Group - Domain Local" are
> causing winbindd a lot of grief. Every time the winbindd daemon is
> accessed, it spews syslog messages like these for every Domain
> Local group in the AD:
>
> --------------------
> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
> group dhcp users
> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
> group dhcp administrators
> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
> group dnsadmins
> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
> group debugger users
> ---------------------
>
> All non-local groups show up just fine in the BSD system. Local
> groups do not show up in a getent group.
>
> All groups, including the local ones, show up when I run wbinfo -g.
> Running wbinfo -n <localgroup> comes back with a SID:
> $ wbinfo -n dnsadmins
> <munged-SID> Local Group (4)
>
> This SID is trackable back to a gid:
> $ sudo wbinfo --sid-to-gid <munged-SID>
> 11105
>
> Why, then, are these groups not actually getting populated? Can anyone
> shed some light on this?
>
> -HKS
>
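
A way to turn the symptom in this thread into a concrete list, as an added example that is not part of the original posts or of Samba: it compares saved `wbinfo -g` and `getent group` output and extracts the group names from the logged lookup failures. The function names, file arguments and sample data are assumptions; the sample lines are constructed, using group names from the post.

```shell
#!/bin/sh
# Added example: compare what winbind enumerates with what NSS returns.
# Sample data below is constructed; group names are the ones in the post.

# missing_from_nss WBINFO_OUT GETENT_OUT
# Prints (lowercased, sorted) every group in saved `wbinfo -g` output that has
# no entry in saved `getent group` output. A "DOMAIN\" or "DOMAIN+" prefix is
# ignored so the check works with or without a default domain configured.
missing_from_nss() {
    awk -F: '
        function norm(s,   i) {
            i = index(s, "\\"); if (i == 0) i = index(s, "+")
            if (i > 0) s = substr(s, i + 1)
            return tolower(s)
        }
        FILENAME == ARGV[1] { nss[norm($1)] = 1; next }   # getent group lines
        $0 != "" && !(norm($0) in nss) { print norm($0) } # wbinfo -g lines
    ' "$2" "$1" | sort -u
}

# failed_lookups SYSLOG
# Prints (lowercased, sorted, unique) the group names from winbindd
# "could not lookup domain group" messages.
failed_lookups() {
    sed -n 's/.*could not lookup domain group //p' "$1" |
        tr '[:upper:]' '[:lower:]' | sort -u
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-ins for `wbinfo -g`, `getent group` and syslog.
    printf '%s\n' 'domain users' 'dnsadmins' 'dhcp users' 'Domain Admins' > "$d/wbinfo"
    printf '%s\n' 'wheel:*:0:root' 'domain users:*:11000:' \
        'domain admins:*:11001:' > "$d/getent"
    printf '%s\n' \
        'Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dhcp users' \
        'Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dnsadmins' \
        'Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain group dhcp users' \
        > "$d/syslog"
    echo "enumerated by winbind, absent from NSS:"
    missing_from_nss "$d/wbinfo" "$d/getent"
    echo "logged as failed lookups:"
    failed_lookups "$d/syslog"
    rm -rf "$d"
}
demo
```

On a live system the inputs would come from `wbinfo -g > file` and `getent group > file`; if the two lists printed by the script match, the groups missing from NSS are exactly the ones winbindd logs as failed lookups.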