[Samba] Winbindd and Domain local groups

Solaiyappan Perichiappan psolaiyappan at novell.com
Wed Nov 6 05:30:43 MST 2013

I have been trying to use Winbindd in SLES 11 SP3 (Samba version 3.6.3-17.25.1) to fetch AD (Windows 2008 R2) identities into the Linux box and am currently running into some problems w.r.t. domain local groups, and thought I could get some help here.
I have a two-domain setup, in which DOMAIN1 is the parent domain and DOMAIN2 is the child domain. I have 2 users, DOMAIN1\user1 and DOMAIN2\user2, and they are part of the global groups DOMAIN1\group1 and DOMAIN2\group2 respectively. I have joined my SLES box to DOMAIN1 (net ads join -U Administrator). I have also created a new domain local group in DOMAIN2 called DOMAIN2\domainlocal2 and added DOMAIN1\group1 and DOMAIN2\group2 as members of this domain local group.
With this setup, if I check wbinfo --user-sids=<SID of DOMAIN2\user2> or wbinfo --user-domgroups=<SID of DOMAIN2\user2>, I can see that the user is a member of DOMAIN2\domainlocal2 (along with the global group DOMAIN2\group2). But if I do the same thing for the user DOMAIN1\user1, I don't find DOMAIN2\domainlocal2 as a valid group (I can find the global group DOMAIN1\group1 in the list).
The same test works for universal groups, but not for domain local groups.
Is there something wrong with my setup or my understanding (I expect the domain local groups to be a part of valid groups)? 
Or is there anything more to it?
