I found the reason for this behavior, it's a new 2012 KDC feature called resource SID compression

Markus Baier Markus_Baier at baier-network.de
Sun Mar 31 07:19:01 MDT 2013


The reason is a new feature called resource SID compression.
On a Windows Server 2012 KDC, resource SID compression is enabled
by default!

The Windows Server 2012 KDC will always compress the resource SIDs.
The old behavior, before Windows Server 2012, was to store all the
domain local SIDs as SIDs in the Extra-SID portion within the PAC.

With the compression enabled, the SID of the domain will be transferred
only once, within the ResourceGroupDomainSid field.
Then only the RIDs for the local groups will be listed
in the ResourceGroupIds array.

For interoperability with other Kerberos implementations
or with winbind 3.6 without the patch, this feature can be disabled
on the 2012 KDC.
To disable the compression, set the DisableResourceGroupsFields
registry value under the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters
to 1

More detailed technical information can be found
in MS-KILE (v20130118), section 3.3.5.5.3,
and in this blog post from TechNet:
http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

Maybe this info could be helpful for other Samba users
with similar problems and missing domain local groups.


Best Regards
Markus Baier


More information about the samba-technical mailing list
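The following is an added example, not code from the post above or from Samba, that models what the post describes: a 2012 KDC carrying the resource domain SID once in ResourceGroupDomainSid and only RIDs in ResourceGroupIds, a consumer reconstructing the full group SIDs from the two fields, and a consumer that only reads the old ExtraSids representation and therefore ends up without the domain local groups. It assumes only the binary SID layout from MS-DTYP for the domain SID; the surrounding NDR framing of KERB_VALIDATION_INFO and the per-group Attributes field are not modelled, and the domain and RIDs are constructed sample values.

```python
"""Model of KDC resource SID compression and its effect on a PAC consumer.

Added example; not from the samba-technical post or from Samba. Only the
ResourceGroupDomainSid / ResourceGroupIds pair and the older ExtraSids list
are modelled; the PAC's NDR framing is not parsed here.
"""
import struct
from typing import List, Optional, Tuple

# Constructed sample data for this example (not from any real domain).
RESOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_LOCAL_GROUPS = [RESOURCE_DOMAIN_SID + "-1105", RESOURCE_DOMAIN_SID + "-1106"]


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string in the binary SID layout (MS-DTYP 2.4.2.2):
    Revision, SubAuthorityCount, 6-byte big-endian IdentifierAuthority,
    then little-endian 32-bit SubAuthority values."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob: bytes) -> str:
    """Inverse of sid_to_bytes; used to read ResourceGroupDomainSid back."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def compress_resource_groups(group_sids: List[str]) -> Tuple[bytes, List[int]]:
    """Model of the Windows Server 2012 KDC behaviour: the resource domain SID is
    carried once (ResourceGroupDomainSid) and each group contributes only its RID
    (ResourceGroupIds). Domain local groups all belong to the resource domain, so
    a mixed list is rejected rather than silently mis-attributed."""
    domains = {s.rsplit("-", 1)[0] for s in group_sids}
    if len(domains) != 1:
        raise ValueError("resource groups must share one domain, got %r" % sorted(domains))
    domain_sid = domains.pop()
    rids = [int(s.rsplit("-", 1)[1]) for s in group_sids]
    return sid_to_bytes(domain_sid), rids


def expand_resource_groups(domain_sid_blob: bytes, rids: List[int]) -> List[str]:
    """What a PAC consumer (e.g. a patched winbind) has to do: append each RID
    to the domain SID to recover the full group SIDs."""
    domain_sid = bytes_to_sid(domain_sid_blob)
    return ["%s-%d" % (domain_sid, rid) for rid in rids]


def effective_groups(extra_sids: List[str],
                     resource_domain_sid: Optional[bytes],
                     resource_rids: List[int],
                     reads_resource_groups: bool) -> List[str]:
    """Groups a consumer ends up with. A consumer that only knows the pre-2012
    ExtraSids representation (reads_resource_groups=False) never sees the
    compressed domain local groups, which is the 'missing groups' symptom."""
    groups = list(extra_sids)
    if reads_resource_groups and resource_domain_sid is not None:
        groups.extend(expand_resource_groups(resource_domain_sid, resource_rids))
    return groups


if __name__ == "__main__":
    blob, rids = compress_resource_groups(DOMAIN_LOCAL_GROUPS)
    print("ResourceGroupDomainSid:", bytes_to_sid(blob), "ResourceGroupIds:", rids)
    print("consumer without compression support:",
          effective_groups([], blob, rids, reads_resource_groups=False))
    print("consumer with compression support:   ",
          effective_groups([], blob, rids, reads_resource_groups=True))
```

Running it shows the same two domain local groups arriving intact for a consumer that expands ResourceGroupIds and being absent for one that only reads ExtraSids; disabling compression on the KDC, as the post describes, moves the groups back into ExtraSids so the second consumer sees them again.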