10062 – Winbind: Group names of other domains can't be resolved

Bug 10062 - Winbind: Group names of other domains can't be resolved

Summary: Winbind: Group names of other domains can't be resolved

Status:	NEW

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.0.9
Hardware:	x64 Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Duplicates (1):	3476 (view as bug list)
Depends on:
Blocks:

Reported:	2013-08-01 14:57 UTC by jack9027
Modified:	2014-07-24 11:08 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
winbind.log (23.98 KB, text/plain) 2013-08-01 14:57 UTC, jack9027	no flags	Details
smb.conf (476 bytes, text/plain) 2013-08-01 14:58 UTC, jack9027	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jack9027 2013-08-01 14:57:47 UTC

Created attachment 9096 [details]
winbind.log

Hi everyone,

I'm using winbind on ubuntu 12.04 with the latest packages from enterprisesamba.com. Everything works fine except that one group name can't be resolved. The relevant group is in another domain (TESTD2), which has an trust to TESTD. The strange thing is that wbinfo can resolve the group name:

ubuntu@rbdsau0g-virt:~$ su TESTD\\uidv0541
Password: 
groups: cannot find name for group ID 100001

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -G 100001
S-1-5-21-2048354812-1799923345-800859446-444655

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -s S-1-5-21-2048354812-1799923345-800859446-444655
TESTD2\MT-All_Users 2


The smb.conf and the relavant output of winbind -i -d 10 is also attached. I tried idmap backend tdb and ad and could reproduce the same behaviour with both.

Please tell me if I can provide you any further information.

Thanks in advance!

Comment 1 jack9027 2013-08-01 14:58:05 UTC

Created attachment 9097 [details]
smb.conf

Comment 2 Thiago Crepaldi 2013-10-30 16:54:35 UTC

I have the same issue on Samba 4.0.9 (which works on samba 3.6.9)

I joined one domain \\DOMA which trusts on \\DOMB. 

1)"getent group DOMA\\group1" works, but "getent group DOMB\\group2" returns nothing !

2) "wbinfo -n DOMB\group2" returns  the SID successfully

3) "getent passwd" works fine for both

4) "wbinfo --group-info DOMB\\group2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group domb\group2

5) "wbinfo -s <domb_group2_sid>" works too
DOMB\group2 2

6) "wbinfo -Y <domb_group2_sid>" returns a GID
5015

7) "wbinfo -G 5015" retudn the correct SID
<domb_group2_sid>

8) "wbinfo --gid-info 5015" fails !!!!
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 5015

9) "getent group 5015" returns nothing

Comment 3 Björn Jacke 2014-01-28 23:09:16 UTC

"winbind use default domain = yes" is highly deprecated to use. Especially if you have trusted domains. Does it work if you set winbind use default domain to "no"?

Comment 4 Björn Jacke 2014-07-24 06:50:40 UTC

*** Bug 3476 has been marked as a duplicate of this bug. ***

Comment 5 Björn Jacke 2014-07-24 11:08:13 UTC

samba just doesn' have the permissons in ad to query all the info it needs. u can try setting winbind expand groups=0 and/or do net setauthuser to give winbind more possibilities to get the information it needs and as a result get the id resolution work.