[Samba] Problem idmap_ad

Rowland Penny rpenny at samba.org
Wed Dec 14 14:08:34 UTC 2022

On 14/12/2022 13:37, Leszek Szczepanowski wrote:
> Yup,
> It was me, with a slightly different problem. That I fixed myself even 
> before you were able to respond, but the way you respond - thanks anyway.
> What surprises me however is why if we ask for a group with wbinfo, we 
> can add any suffix to the existing group in a query, and the result is 
> always like without a suffix.

Cannot really help you with that, but I presume winbind removes the 
domain before checking.

> I can't see any sense in this, but during my investigation the 
> different mapping for the same group, resulted in answer:
> wbinfo --lookup-sids="S-1-5-21-725345543-1060284298-1708537768-513"
> S-1-5-21-725345543-1060284298-1708537768-513 -> <none>\Domain Users 2
> And when I tried to query about this "Domain Users 2" it returned 
> "Domain Users". Then I tried to query for "Domain Users anystring" and 
> it also returned "Domain Users".
> Is it a bug, or a feature? :)

Neither, it is a lack of knowledge. What 'wbinfo -g' does is that it 
lists the entire AD group list, you cannot ask it directly for 
information about one group. If you want to check if a group exists, you 
have to pipe the output through grep, e.g. 'wbinfo -g | grep "domain 
users"' (note the group name must all be in lowercase). However, just 
because wbinfo says a group exists, this does not mean that the Unix OS 
knows it, this is where winbind, a correctly set up smb.conf and 
nsswitch come in, 'getent group' must show the group.

Try running 'wbinfo --help' to show just what wbinfo is capable of.
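
The two checks described in the reply above, combined into one shell function. This is an added example, not part of the original message or of Samba itself; the function name `check_group`, its return codes, and the default `\` winbind separator are assumptions made for the example.

```shell
#!/bin/sh
# Added example: is a group known to winbind, and does the Unix OS see it?
# Return codes (chosen for this example):
#   0 = listed by 'wbinfo -g' and shown by 'getent group'
#   1 = not in the AD group list reported by 'wbinfo -g'
#   2 = listed by winbind, but 'getent group' does not show it
check_group() {
    # Drop an optional DOMAIN\ prefix and lowercase the name before matching
    # against the list (assumes the default '\' winbind separator).
    short=$(printf '%s' "${1##*\\}" | tr '[:upper:]' '[:lower:]')

    # 'wbinfo -g' prints the whole AD group list; strip the domain part of
    # each entry and require an exact, whole-line match on the group name.
    if ! wbinfo -g | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]' \
            | grep -Fxq -- "$short"; then
        printf '%s\n' "winbind: '$short' is not in the AD group list"
        return 1
    fi

    # winbind knowing the group is not enough: NSS must resolve it too,
    # which depends on smb.conf (idmap) and the nsswitch configuration.
    if ! getent group "$1" >/dev/null 2>&1; then
        printf '%s\n' "nss: '$1' is in AD but 'getent group' does not show it"
        return 2
    fi

    printf '%s\n' "ok: '$1' is known to winbind and to the Unix OS"
    return 0
}

# Run as a script: ./check_group.sh 'domain users'
[ "$#" -eq 0 ] || check_group "$1"
```

A return code of 2 points at the ID mapping or nsswitch setup rather than at AD.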

