Winbindd and Domain local groups

steve steve at
Tue Nov 5 04:50:16 MST 2013

On Tue, 2013-11-05 at 04:07 -0700, Solaiyappan Perichiappan wrote:
> Hi,
> I have been trying to use Winbindd in SLES 11 SP3 (Samba version 3.6.3-17.25.1) to fetch AD (Windows 2008 R2) identities into the Linux box and am currently running into some problems w.r.t. domain local groups and thought I could get some help here.
> I have a two domain setup, in which DOMAIN1 is the parent domain and DOMAIN2 is the child domain. I have 2 users DOMAIN1\user1, DOMAIN2\user2 and they are part of a global group DOMAIN1\group1 and DOMAIN2\group2 respectively. I have joined my SLES box to the DOMAIN1 (net ads join -U Administrator). I have also created a new domain local group in DOMAIN2 called DOMAIN2\domainlocal2 and added DOMAIN1\group1 and DOMAIN2\group2 as members of this domain local group. 
> With this setup, if I see wbinfo --user-sids=<SID of DOMAIN2\user2> or wbinfo --user-domgroups=<SID of DOMAIN2\user2>, I could see that the user is a member of DOMAIN2\domainlocal2 (along with the global group DOMAIN2\group2). But if I do the same thing for the user DOMAIN1\user1, I don't find DOMAIN2\domainlocal2 as a valid group (I could find the global group DOMAIN1\group1 in the list).
> The same test works for universal groups, but not for domain local groups.
> Is there something wrong with my setup or my understanding (I expect the domain local groups to be a part of valid groups)? 
> Or is there anything more to it?
> Thanks,
> Solai

Can you post smb.conf? But FWIW, we had problems with group mapping on
openSUSE with 3.6.6 until we went with sssd instead of winbind.
