[Samba] Samba4 and idmap_ad

Ollenburg, Andreas (KRZ) A.Ollenburg at krz.de
Tue Aug 12 01:35:12 MDT 2014


Hello everyone,

I have a - maybe only cosmetic - problem. I am currently configuring two SLES servers running Samba4 as member servers in a Windows2008/2012-AD. (Yeah, poor us!) Everything went fine: installing the samba packages, getting Kerberos running, and joining the AD. But when I use id or wbinfo now to get user information I get lots of groups which cannot be mapped to a GID and thus are displayed as -1 or 4294967295:

id DOMAIN\\USER
uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP) groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,2(daemon)

wbinfo -r DOMAIN\\USER
3000
3001
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
2

On another server running Samba3 only the two groups with GID 3000 and 3001 are shown.

Here are excerpts from my smb.conf:

[global]
        realm = OUR.DOMAIN.NAME
        workgroup = DOMAIN
        security = ads
        idmap config *:backend = tdb
        idmap config *:range = 100000-199999
        idmap config NTKRZ:backend = ad
        idmap config NTKRZ:schema_mode = rfc2307
        idmap config NTKRZ:range = 1000-19999
        winbind nss info = rfc2307
        winbind trusted domains only = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind nested groups = Yes
        winbind refresh tickets = Yes
        winbind offline logon = No

Any ideas anyone?

Thanks in advance and greetings from Germany
 Andreas
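
Added example, not part of the original post: a Python helper that parses `id` output and `idmap config` lines like the ones above and reports, per GID, which configured idmap range it falls into or whether it is the unmapped value. The sample inputs are constructed (shortened from the post), and the function names are hypothetical.

```python
import re

# (gid_t)-1: `id` prints it unsigned (4294967295), `wbinfo -r` prints it as -1.
UNMAPPED = {-1, 0xFFFFFFFF}

# Constructed sample input, shortened from the output and smb.conf in the post.
ID_OUTPUT = ("uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP) "
             "groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),"
             "4294967295,4294967295,2(daemon)")
SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 100000-199999
    idmap config NTKRZ:backend = ad
    idmap config NTKRZ:range = 1000-19999
"""

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN:key = value' lines into {domain: {key: value}}."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
    domains = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            dom, key, val = m.groups()
            if key.lower() == "range":
                lo, hi = val.split("-")
                val = (int(lo), int(hi))
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def parse_groups(id_output):
    """Return [(gid, name_or_None)] from the groups= field of `id` output."""
    field = id_output.split("groups=", 1)[1]
    return [(int(g), n or None) for g, n in re.findall(r"(\d+)(?:\(([^)]*)\))?", field)]

def classify(gid, domains):
    """Name the idmap domain whose range contains gid, or flag it as unmapped."""
    if gid in UNMAPPED:
        return "unmapped"
    for dom, cfg in domains.items():
        lo, hi = cfg.get("range", (1, 0))
        if lo <= gid <= hi:
            return f"{dom} ({cfg.get('backend', '?')})"
    return "outside idmap ranges"

def report(id_output, conf):
    """Return [(gid, name, classification)] for every supplementary group."""
    domains = parse_idmap(conf)
    return [(gid, name, classify(gid, domains)) for gid, name in parse_groups(id_output)]

if __name__ == "__main__":
    for gid, name, where in report(ID_OUTPUT, SMB_CONF):
        print(f"{gid:>10}  {name or '-':<24} {where}")
```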



