winbindd support for RFC2307bis

Volker Lendecke Volker.Lendecke at SerNet.DE
Sat Nov 18 20:35:47 UTC 2017

On Fri, Nov 17, 2017 at 08:04:19AM -0800, Richard Sharpe via samba-technical wrote:
> I am trying to figure out if winbindd supports RFC2307bis, and in
> particular, nested groups.

What exactly do you mean here? Are nested groups in LDAP really an
issue the LDAP part of Samba should be concerned with? The bug report
mainly speaks about idmapping, and idmapping as such is flat in the
sense that it's a 1:1 correspondence. The bug, if I understand it right,
is mainly about authentication against trusted domains that we can't
usually connect to via AD trusts. We can of course add separate
authentication credentials for domains that are not normally reachable.

Nested groups are part of the user token, but they are expanded by the
DC for winbind; winbind does not see them.

For local groups or "aliases", winbind has its own schema. Do you mean
that? Do you want us to map nested ldap groups to local aliases or
builtins via "net groupmap" or a similar facility?


Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
