[Samba] winbind fails to list all groups with adminCount not set
Peter Kruse
pk at q-leap.com
Wed Feb 16 11:32:44 GMT 2005
samba version 3.0.10
Windows ADS in native mode
Hello all,
We have samba running on a cluster with 65K users and groups.
Some of these (security-) groups contain other (security-) groups
that contain the user accounts. Those "meta-groups" are only listed
for some users. Example:
group A contains group B, and group B contains user A.
The following script will list the groups that a user is
a member of:
============================8<=================================
#!/bin/bash
# List, by name, the groups that the user given as $1 is a member of
# according to winbind.
if [ $# -ne 1 ]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi
gids=$(wbinfo -r "$1")      # numeric gids of the user's groups
retval=$?
if [ $retval -ne 0 ]; then
    echo "wbinfo returned an error" >&2
    exit $retval
fi
for g in $gids
do
    # gid -> SID -> "DOMAIN\group N" name
    echo "$(wbinfo -s "$(wbinfo -G "$g")")"
done
===========================8<====================================
It will only list both groups A and B if the windows LDAP
attribute "adminCount" is set. If this attribute is not
set then the script will only show group B. I confirmed this
for many users without exception.
To check if adminCount is set or not I used this command:
ldapsearch -D <binddn> \
-w <password> -h <windows-ads> -x -b \
cn=<username>,cn=Users,dc=...
Microsoft says in this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_admincount.asp
"Indicates that a given object has had its ACL's changed to a more
secure value by the system because it was a member of one of the
administrative groups (directly or transitively)."
and this attribute is set
"When an object is added to an administrative group."
The attribute is set by the system and you cannot set it
via a frontend (I tried gq). To be honest I don't know
what I have to do to set this attribute.
But my question is: Why does winbind only list all groups
if this attribute is set?
Hope you can help,
Peter
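One way to check which nested ("meta") groups a user should be listed in, as an added example that is not part of the original post: the script below computes transitive group membership from group-member relations as a directory would report them, then lists the expected groups that are absent from what winbind returned. All group and user names and both data sets are constructed for the example, not taken from a real directory.

```shell
#!/bin/bash
# Added example: expected nested group membership vs. what winbind reported.

# Constructed sample: each line is "<group> <member>"; a member may itself
# be a group (groupA contains groupB, groupB contains userA).
SAMPLE_MEMBERS='groupA groupB
groupB userA
groupC userA
groupD groupC
groupE userB'

# Constructed sample of the symptom in the post: only the directly
# containing groups came back for userA.
WINBIND_REPORTED='groupB
groupC'

# transitive_groups USER MEMBERSHIP -> sorted list, one group per line, of
# every group the user belongs to directly or through nested groups.
transitive_groups() {
    local user=$1 data=$2 seen=" " queue=$1 next m g
    while [ -n "$queue" ]; do
        next=""
        for m in $queue; do
            # groups that directly contain this member
            for g in $(printf '%s\n' "$data" | awk -v m="$m" '$2 == m {print $1}'); do
                case "$seen" in
                    *" $g "*) ;;                         # already visited (also stops cycles)
                    *) seen="$seen$g "; next="$next $g" ;;
                esac
            done
        done
        queue=$next
    done
    if [ "$seen" != " " ]; then
        printf '%s\n' $seen | sort
    fi
}

# missing_groups EXPECTED REPORTED -> groups in EXPECTED (newline list)
# that do not appear in REPORTED (newline list).
missing_groups() {
    local expected=$1 reported=$2 g
    for g in $expected; do
        case " $(printf '%s ' $reported)" in
            *" $g "*) ;;
            *) echo "$g" ;;
        esac
    done
}
```

For a live check, replace SAMPLE_MEMBERS with the `member` attributes from ldapsearch and WINBIND_REPORTED with the output of the wbinfo script above.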