Hi,
I'm using zimbra-4.5.7GA trial version on a fedora core 7 with samba samba-3.0.26a-0.fc7.
When I try to add a workstation to the domain, I get this error:
"This security ID may not be assigned as the primary group of an object"
Anyone know how to get around this? I'm thinking more samba than zimbra ldap, but someone here might have a clue.
I followed the "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI" page on the Zimbra wiki, with some additions from the more recent smb.conf(5) man page.
smb.conf looks like this:
# Samba configured as a domain controller (domain logons / domain master = Yes)
# with its account database held in the Zimbra LDAP server through ldapsam.
[global]
workgroup = test
server string = Samba PDC Server Version %v
interfaces = lo, eth0
# NOTE(review): the URI scheme is ldap://, so transport protection depends on the
# "ldap ssl" setting, which is not set in this file. Confirm StartTLS is actually
# in effect: Samba binds with the admin DN and reads/writes password hashes here.
passdb backend = ldapsam:"ldap://zimbra-au.test.com"
# passdb and auth are logged at level 10 (full debug). Treat these logs as
# sensitive and lower the levels again once troubleshooting is finished.
log level = 5 passdb: 10 auth:10 winbind: 5
log file = /var/log/samba/log.%m
# max log size is in kilobytes; at these debug levels 50 KB presumably rotates
# very quickly, so the lines for a failed join may already be gone - verify.
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# The account-management scripts below run local useradd/groupadd. With
# ldapsam:editposix = Yes (set further down) Samba is meant to manage posix
# users and groups in LDAP itself, so confirm whether these are used at all.
# NOTE(review): --disabled-password, --gecos and --force-badname look like
# Debian adduser options; confirm that Fedora's useradd accepts them.
add user script = /usr/sbin/useradd --quiet --disabled-password --gecos "" -n -g staff "%u"
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
# NOTE(review): this calls userdel, which deletes accounts rather than removing
# a group membership - looks like a copy/paste of the delete user script; verify.
delete user from group script = /usr/sbin/userdel "%u" "%g"
# Creates the posix account for a joining workstation (%u is the machine name).
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false --disabled-password --gecos "machine account" --force-badname "%u"
logon script = %u.bat
logon path = \\%L\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
# Samba binds to LDAP as this DN. NOTE(review): this appears to be the Zimbra
# LDAP admin identity; a dedicated DN with write access limited to the Samba
# subtrees would reduce exposure if the Samba host is compromised - confirm.
ldap admin dn = uid=zimbra,cn=admins,cn=zimbra
# Deleting an account removes the whole LDAP entry, not only its Samba
# attributes. NOTE(review): in a directory shared with Zimbra this presumably
# removes the mail account entry too - confirm that this is intended.
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=machines
ldap suffix = dc=test,dc=com
ldap user suffix = ou=people
idmap backend = ldap:ldap://zimbra-au.test.com
idmap uid = 1000-50000
idmap gid = 1000-50000
# trusted: Samba assumes every user and group is in LDAP with complete posix
# and Samba attributes. editposix builds on it to create and modify those
# entries directly (per smb.conf(5) it needs winbindd to allocate uids/gids).
ldapsam:trusted = Yes
ldapsam:editposix = Yes
cups options = raw
# LDAP entry for the Samba domain object (objectClass: sambaDomain): holds the
# domain SID, the RID allocation counters and the domain account policy.
# NOTE(review): as far as these policy values can be read, sambaLockoutThreshold
# 0 means no lockout after failed logons, sambaMaxPwdAge -1 means passwords
# never expire, and the minimum length is 5 with no history - confirm that this
# is acceptable outside a test domain.
dn: sambaDomainName=TEST,dc=test,dc=com
sambaDomainName: TEST
sambaSID: S-1-5-21-1561061390-3309481903-831651774
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1024
# Group mapping for "Domain Computers": a posix group (gidNumber 515) mapped to
# the SID formed from the domain SID plus RID 515.
# sambaGroupType 2 presumably marks it as a domain group - confirm.
# NOTE(review): the reported error concerns a primary group SID, so check that
# this group resolves for the machine account being created.
dn: cn=Domain Computers,ou=groups,dc=test,dc=com
sambaGroupType: 2
cn: Domain Computers
sambaSID: S-1-5-21-1561061390-3309481903-831651774-515
gidNumber: 515
objectClass: posixGroup
objectClass: sambaGroupMapping