[Samba] Samba workstation joined to Windows AD with an outgoing trust to a second AD

Ștefan Bălu stefan.balu at ulab.ro
Thu Aug 3 13:27:15 UTC 2023

Hey, guys, 

I have a RHEL 8.8 (Ootpa) machine running Samba 4.17.5. This machine is joined to a Windows AD (let's call it EXTRA). Everything works as expected: wbinfo -m shows the EXTRA domain (along with BUILTIN and the machine's NetBIOS name), wbinfo -u fetches the list of users in the EXTRA domain, and so does wbinfo -g (fetches all groups of the EXTRA domain). Doing an id EXTRA\\someuser fetches the primary and secondary groups of the user within the EXTRA domain.
The EXTRA domain also has an outgoing one-way trust with another domain, called MAIN. Now, although my Linux machine is able to partially resolve information on users and groups from the MAIN domain, it simply won't fetch the secondary groups of any MAIN\user. For example, doing id MAIN\\user returns:

uid=<NUMBER>(MAIN\user) gid=<NUMBER>(MAIN\domain users) groups=<NUMBER>(MAIN\domain users), <NUMBER>(MAIN\user)

Keep in mind that MAIN\user is also a member of some of the MAIN groups, e.g. MAIN\writers, but the id command simply doesn't fetch the secondary groups of any user in the MAIN domain. Doing a getent group MAIN\\writers shows the following:


idmap ranges don't overlap; I have one for EXTRA, one for MAIN and a default one (*). kerberos method is set to secrets and keytab, winbind enum users is set to yes, winbind enum groups is set to yes...
