[Samba] Possible bug in nss_winbind with ad backend and rfc2307

Jim Stalewski JStalewski at VisaLighting.com
Thu Jan 20 18:26:25 MST 2011

I ran some tests to see why getent passwd was not enumerating my domain
users and discovered this:

If I getent passwd <username> it returns the user information including
the primary group defined in the Unix attributes.
If I add a Unix GID in the idmap config range to the domain's Domain
Users group and getent passwd, it returns all of my domain users with
all of the Unix attributes as defined in AD for them, BUT it replaces
the primary group GID with the GID I defined for the Domain Users group.

Apparently, some genius decided that the best way to look up users in AD
is by membership in "Domain Users" rather than iterating through the
directory looking for users that have rfc2307 attributes defined,
totally ignoring the rfc2307 group attribute on the user objects.

The suspected bug is that it is not using the rfc2307 primary GID
attribute, but rather is defaulting the "Domain Users" group as the
primary group for all users regardless of the rfc2307 attributes.

Is there a way to force Winbind not to use the Domain Users group as the
primary group for the winbindd_getpwent process, so it returns the
rfc2307 group attribute as it used to / should?  Or do I have to redo
all of my group file ownership/permissions on all of my servers to match
"Domain Users" for some ungodly reason?

Currently running Samba 3.4.3 on SLES 11.1, and authenticating against
Windows 2003R2 AD, but I suspect this same bug/feature was introduced
with the idmap changes in 3.30 and above so should apply to all versions
above 3.30.  I don't know if the same logic is being used in v4 winbind
idmap process...

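A way to confirm the behaviour the post describes on a given host, added here as an example and not code from the original post or from Samba: enumerate once with getent passwd, look every listed user up individually with getent passwd <user>, and report users whose primary GID differs between the two answers (the rfc2307 gidNumber from the lookup versus the Domain Users GID from the enumeration). The demo data (usernames, UIDs, GIDs, and 10513 standing in for whatever GID was assigned to Domain Users) is constructed; the live mode assumes winbind is the NSS source on the host and that "winbind enum users = yes" is set, since without it getent passwd lists no domain users at all.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba. Compares the
# primary GID winbind returns from a per-user lookup (getent passwd <user>)
# with the GID it returns for the same user in the full enumeration
# (getent passwd) and lists the users whose two answers disagree.

# compare_gids LOOKUP_FILE ENUM_FILE
#   Both files hold passwd(5)-format lines. Prints "user:lookup_gid:enum_gid"
#   for every user present in both files whose GID (field 4) differs.
#   Exit status 0 if all users agree, 1 if any differ.
compare_gids() {
    awk -F: '
        NR == FNR { lookup[$1] = $4; next }      # first file: per-user lookups
        ($1 in lookup) && lookup[$1] != $4 {     # second file: enumeration
            printf "%s:%s:%s\n", $1, lookup[$1], $4
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# live_check: run the comparison against the winbind on this host.
# Needs "winbind enum users = yes" in smb.conf for getent passwd to
# enumerate domain users at all.
live_check() {
    enum=$(mktemp) && lookup=$(mktemp) || return 2
    getent passwd > "$enum"
    cut -d: -f1 "$enum" | while read -r user; do
        getent passwd "$user"
    done > "$lookup"
    compare_gids "$lookup" "$enum"
    rc=$?
    rm -f "$enum" "$lookup"
    return $rc
}

# demo_mismatches: the same comparison on constructed sample data, so it
# runs without a domain. Names, UIDs and GIDs are made up; 10513 plays the
# role of the GID assigned to "Domain Users" in the idmap range, which the
# enumeration substitutes for every user's rfc2307 gidNumber.
demo_mismatches() {
    lookup=$(mktemp) && enum=$(mktemp) || return 2
    # What getent passwd <user> returns: the rfc2307 gidNumber per user.
    printf '%s\n' \
        'jstalewski:*:10001:10100:Jim Stalewski:/home/jstalewski:/bin/bash' \
        'alice:*:10002:10200:Alice:/home/alice:/bin/bash' \
        'bob:*:10003:10513:Bob:/home/bob:/bin/bash' > "$lookup"
    # What getent passwd returns: Domain Users GID for everyone. bob's
    # gidNumber already is 10513, so he is not reported as a mismatch.
    printf '%s\n' \
        'jstalewski:*:10001:10513:Jim Stalewski:/home/jstalewski:/bin/bash' \
        'alice:*:10002:10513:Alice:/home/alice:/bin/bash' \
        'bob:*:10003:10513:Bob:/home/bob:/bin/bash' > "$enum"
    compare_gids "$lookup" "$enum" || :
    rm -f "$lookup" "$enum"
}

# Usage: sh winbind_gid_check.sh        (constructed sample data)
#        sh winbind_gid_check.sh live   (against this host's winbind)
case "${1:-demo}" in
    live) live_check ;;
    *)    demo_mismatches ;;
esac
```

On a host showing the behaviour from the post, live_check prints one line per domain user whose rfc2307 gidNumber is not the Domain Users GID, which is also the list of users whose group-based file permissions would change if the enumeration result were ever what applications saw.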