Bug 10062 - Winbind: Group names of other domains can't be resolved
Summary: Winbind: Group names of other domains can't be resolved
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.9
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
: 3476 (view as bug list)
Depends on:
Reported: 2013-08-01 14:57 UTC by jack9027
Modified: 2014-07-24 11:08 UTC (History)
2 users (show)

See Also:

winbind.log (23.98 KB, text/plain)
2013-08-01 14:57 UTC, jack9027
no flags Details
smb.conf (476 bytes, text/plain)
2013-08-01 14:58 UTC, jack9027
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description jack9027 2013-08-01 14:57:47 UTC
Created attachment 9096 [details]

Hi everyone,

I'm using winbind on ubuntu 12.04 with the latest packages from enterprisesamba.com. Everything works fine except that one group name can't be resolved. The relevant group is in another domain (TESTD2), which has an trust to TESTD. The strange thing is that wbinfo can resolve the group name:

ubuntu@rbdsau0g-virt:~$ su TESTD\\uidv0541
groups: cannot find name for group ID 100001

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -G 100001

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -s S-1-5-21-2048354812-1799923345-800859446-444655
TESTD2\MT-All_Users 2

The smb.conf and the relavant output of winbind -i -d 10 is also attached. I tried idmap backend tdb and ad and could reproduce the same behaviour with both.

Please tell me if I can provide you any further information.

Thanks in advance!
Comment 1 jack9027 2013-08-01 14:58:05 UTC
Created attachment 9097 [details]
Comment 2 Thiago Crepaldi 2013-10-30 16:54:35 UTC
I have the same issue on Samba 4.0.9 (which works on samba 3.6.9)

I joined one domain \\DOMA which trusts on \\DOMB. 

1)"getent group DOMA\\group1" works, but "getent group DOMB\\group2" returns nothing !

2) "wbinfo -n DOMB\group2" returns  the SID successfully

3) "getent passwd" works fine for both

4) "wbinfo --group-info DOMB\\group2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group domb\group2

5) "wbinfo -s <domb_group2_sid>" works too
DOMB\group2 2

6) "wbinfo -Y <domb_group2_sid>" returns a GID

7) "wbinfo -G 5015" retudn the correct SID

8) "wbinfo --gid-info 5015" fails !!!!
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 5015

9) "getent group 5015" returns nothing
Comment 3 Björn Jacke 2014-01-28 23:09:16 UTC
"winbind use default domain = yes" is highly deprecated to use. Especially if you have trusted domains. Does it work if you set winbind use default domain to "no"?
Comment 4 Björn Jacke 2014-07-24 06:50:40 UTC
*** Bug 3476 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2014-07-24 11:08:13 UTC
samba just doesn' have the permissons in ad to query all the info it needs. u can try setting winbind expand groups=0 and/or do net setauthuser to give winbind more possibilities to get the information it needs and as a result get the id resolution work.