Winbind : Strange groups behavior, AIX 5.3 with 3.0.26a

miguel.sanders at miguel.sanders at
Wed Oct 24 14:08:03 GMT 2007

On which ML/TL are you currently?

Lsuser has had a bug in which not all LDAP groups are listed.
This could be your problem.
I don't think it is winbind related.

Kind regards
Systems Engineer UNIX
SAP Infrastructure Group Ghent
John F. Kennedylaan 51
B 9042 Ghent
Tel: + 32 (0)9 347 35 38
Mob: + 32 (0)485 76 18 90
mailto:miguel.sanders at

-----Original message-----
From: at [ at] On behalf of Jérôme Oufella
Sent: Wednesday 24 October 2007 15:44
To: samba-technical at
Subject: Winbind : Strange groups behavior, AIX 5.3 with 3.0.26a

We set up winbind on AIX 5.3.
The link is working fine except for one particular point: Windows-based users are unable to get their group membership info in some cases:

Here's an operation log :
# As a local user, id and id myusername report the same thing.
root at srv1:/# id
uid=0(root) gid=0(system)
root at srv1:/# id root
uid=0(root) gid=0(system)

# Now let's become a winbind user
root at srv1:/# su winuser1

# id just reports the user's native group.
winuser1 at srv1:/#id
uid=10013(winuser1) gid=10002(domain users)

# While id username reports the whole group list.
winuser1 at srv1:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users)

# lsuser seems to miss the groups= attribute, while listing a windows-based user :
root at srv1:/#lsuser root
root id=0 pgrp=system groups=system,bin,sys,security,cron,audit,lp
home=/ shell=/usr/bin/ksh
root at srv1:/etc/samba #lsuser winuser1
winuser1 id=10013 pgrp=domain users home=/home/PROD/winuser1 shell=/bin/sh gecos=winuser1 registry=WINBIND roles= id=10013 pgrp=dom in users home=/home/PROD/winuser1 shell=/bin/sh pgid=10002
gecos=winuser1 shell=/bin/sh pgrp=domain users SID=S-1-5-something-91354

One of the results is we cannot use group-based permissions on the filesystem (other than the native user's group).

Has anyone a clue about what's happening?
Any help will be greatly appreciated.
Thanks in advance.

Jerome Oufella
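
Added example, not part of either message in this thread: a shell check that compares the groups a session actually holds (`id`) with the groups the name service reports for the same account (`id <user>`), which is the difference the operation log above is probing. The function names and the sample lines, including GIDs 10005 and 10010 and their group names, are constructed for illustration.

```shell
#!/bin/sh
# Added example. `id` (no argument) prints the credentials of the current
# process; `id <user>` asks the name service for that account's groups.

# Print the numeric GIDs in one line of id(1) output, sorted, one per line.
# Group names may contain spaces ("domain users"), so drop every "(name)"
# before splitting instead of splitting on whitespace.
gids_from_id_line() {
    printf '%s\n' "$1" |
        sed -e 's/^.*gid=//' -e 's/([^)]*)//g' -e 's/ *groups=/,/' |
        tr ',' '\n' | grep -E '^[0-9]+$' | sort -un
}

# Print GIDs that the lookup ($2) lists but the session ($1) does not hold.
# Group-based file permissions fail for exactly these groups.
missing_in_session() {
    session_gids=$(gids_from_id_line "$1")
    for gid in $(gids_from_id_line "$2"); do
        printf '%s\n' "$session_gids" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Constructed sample lines (not taken from the thread's log).
SESSION_LINE='uid=10013(winuser1) gid=10002(domain users)'
LOOKUP_LINE='uid=10013(winuser1) gid=10002(domain users) groups=10002(domain users),10005(sap admins),10010(unix ops)'

missing_in_session "$SESSION_LINE" "$LOOKUP_LINE"

# On a live host, run as the affected user:
#   missing_in_session "$(id)" "$(id "$(id -un)")"
```

An empty result means the session holds every group the lookup returns, so a missing `groups=` field in a listing tool is then a display problem and not a credential problem.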
