[Samba] nss_winbind.so can't see groups that wbinfo -g can (4.0.9 as AD DC)

Trent W. Buck trentbuck at gmail.com
Thu Oct 10 21:45:51 MDT 2013


[I'm afraid $customer made me anonymize their rootdn, user and group
names, so the ones below are made up.  Hopefully I haven't introduced
any errors in the process.]

I'm running Debian 7 with samba 4.0.9dfsg1-1 built from
git://git.debian.org/pkg-samba/samba.  I'm using samba as an AD DC,
with accounts migrated from a samba3/slapd stack using samba-tool
domain classicupgrade.

What I find confusing is that there are groups in samba -- as
confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that
are not reported by getent groups (glibc's nss query tool).  Further,
getent groups can reverse-resolve GIDs into the missing groups.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 1-samba-tool.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 2-wbinfo.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 3-ldapsearch.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 4-getent.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0003.txt>
-------------- next part --------------


This is the worst one -- it only reverse-resolves:

    # getent group fb
    # getent group FB\\fb
    # getent group | grep fb:
    # getent group 1019
    FB\fb:*:1019:
    #

This one forward and reverse-resolves, but isn't listed by default:

    # getent group welles
    FB\welles:*:5029:
    # getent group FB\\welles
    FB\welles:*:5029:
    # getent group | grep welles:
    # getent group 5029
    FB\welles:*:5029:
    #

I can't understand why wbinfo and nss_winbind would give different
results.  The cn=fb and cn=robobobo objects, for example, look pretty
much alike -- it's not something as obvious as objectClass: posixGroup
in one and not the other.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 5-fb.ldif
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 6-robobobo.ldif
URL: <http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0001.ksh>
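The comparison made by hand in the message above can be run over every group winbind reports. This is an added example, not part of the original post or of Samba: the function names are made up, and it assumes `wbinfo --group-info` returns the passwd-style line whose third field is the GID that NSS should reverse-resolve.

```shell
#!/bin/sh
# Classify each group from `wbinfo -g` by how glibc NSS (getent) sees it.
# Verdicts, matching the cases in the post:
#   listed        appears in the `getent group` enumeration
#   lookup-only   resolves by name, but is missing from the enumeration
#   reverse-only  resolves only by GID (the "worst" case)
#   unresolved    NSS cannot resolve it at all

# nss_group_status NAME LISTING
#   NAME     a group name as printed by `wbinfo -g`, with or without DOMAIN\
#   LISTING  the saved output of `getent group`
nss_group_status() {
    name=$1 listing=$2
    short=${name##*\\}          # drop a leading DOMAIN\ if present
    # GID that winbind maps the group to (empty if it has none).
    gid=$(wbinfo --group-info="$name" 2>/dev/null | cut -d: -f3)
    # Compare against the name field of each enumerated entry, ignoring
    # any DOMAIN\ prefix that nss_winbind adds.
    if printf '%s\n' "$listing" | awk -F: -v n="$short" '
            { s = $1; sub(/^.*\\/, "", s); if (s == n) found = 1 }
            END { exit !found }'; then
        echo listed
    elif getent group "$short" >/dev/null 2>&1 ||
         getent group "$name"  >/dev/null 2>&1; then
        echo lookup-only
    elif [ -n "$gid" ] && getent group "$gid" >/dev/null 2>&1; then
        echo reverse-only
    else
        echo unresolved
    fi
}

# audit_groups: print "VERDICT<TAB>GROUP" for every group winbind knows.
audit_groups() {
    listing=$(getent group)
    wbinfo -g | while IFS= read -r name; do
        printf '%s\t%s\n' "$(nss_group_status "$name" "$listing")" "$name"
    done
}

# Usage on the DC:  audit_groups | grep -v '^listed'
```

Anything that is not `listed` is a group that tools relying on NSS enumeration will miss even though winbind itself knows about it.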

