[Samba] wbinfo -r not listing domain local groups

Fabian Hugelshofer fh at open.ch
Wed Dec 7 08:22:39 MST 2011 

Hi,

Between Samba 3.4.15 and 3.5.11 there was a change in how 'wbinfo -r' 
gathers the groups of which a given user is member of.

Assume there is a Windows 2003 domain called DOMA. This domain has a 
child domain DOMB. On DOMA there is a security group G-DL-DOMA which has 
domain local scope. On DOMB there is a security group G-U-DOMB which has 
universal scope. Group G-U-DOMB is member of group G-DL-DOMA. Due to the 
domain local scope of G-DL-DOMA, this membership is only known to DOMA. 
Group G-U-DOMB has a user john from DOMB as member.

DOMA G-DL-DOMA
     |
DOMB G-U-DOMB
     |
DOMB john

A Linux system that is running winbind is joined into DOMA. On this 
system "wbinfo -r DOMB+john" is run to get the Unix GIDs of the groups 
in which the user from DOMB is member of. With Samba 3.4.15 (and 3.3.13) 
the GID of group G-DL-DOMA is shown, with Samba 3.5.11 (and 3.5.12) it 
is missing.

This probably has to do with which DC the Samba host is asking about 
membership of group G-U-DOMB. A DC from DOMB does not know that this 
group is member of G-DL-DOMA because the latter is from another domain 
and has domain local scope. Only a DC in DOMA will know that the group 
from DOMB is member of the domain local group of DOMA.

Does the behaviour of Samba 3.5 have to be considered a bug? Does anyone 
know what caused this change of behaviour? Was this intentional? Are 
there any plans to change the behaviour back to how it was in Samba 3.3 
and 3.4?

Regards,

Fabian


smb.conf from host running 'wbinfo -r':
[global]
   netbios name = PHI
   server string = phi
   workgroup = DOMA
   realm = doma.com
   security = ads
   winbind separator = +
   winbind cache time = 1800
   winbind offline logon = true
   winbind use default domain = yes
   name resolve order = host wins
   encrypt passwords = yes
   template shell = /bin/false
   template homedir = /home/%D/%U
   syslog only = yes
   log file = /dev/null
   idmap uid = 10000-999999
   idmap gid = 10000-999999
   idmap cache time = 3600

More information about the samba mailing list