I've noticed that in FreeBSD 5.1 there seems to be an error in winbind when it tries to create the local account from the AD. By default it doesn't pass the user's group to the create_user function. I noticed in the code of the wb_client.c file it is hardcoded as 'fstrcpy( request.data.acct_mgt.groupname, "" );'.

Below is a -d4 on the Winbind process:

    [47507]: request interface version
    [47507]: request location of privileged pipe
    [47507]: ping
    [47507]: pam auth crap domain: EXAMPLE user: aaronc
    Using cleartext machine password
    cred_create
    cred_create
    cred_assert
    [47507]: create_user: user=>(aaronc), group=>()

If you notice, it doesn't pass a group parameter. After I noticed this I hardcoded my group into the field in the wb_client.c for testing, and I noticed I got a different error:

    [47507]: request interface version
    [47507]: request location of privileged pipe
    [47507]: ping
    [47507]: pam auth crap domain: EXAMPLE user: aaronc
    Using cleartext machine password
    cred_create
    cred_create
    cred_assert
    [47507]: create_user: user=>(aaronc), group=>(techs)
    winbindd_create_user: Cannot validate gid for group (techs)

I believe this is an error in the winbind client end, but I'm not entirely sure how to fix it.
I believe the second error I get comes from the fact that the nsswitch in FreeBSD 5.1 doesn't work right with Samba 3.0.0 yet:

    winbindd_create_user: Cannot validate gid for group (techs)

The code calls the getgrnam and doesn't receive it. But that still doesn't explain why wb_client.c passes a null group param for create_user.
You shouldn't be creating local accounts in this case anyways. The correct configuration is to use winbindd NSS support.
The correct thing to do is to fix bug 797.