Bug 10062 - Winbind: Group names of other domains can't be resolved
Winbind: Group names of other domains can't be resolved
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
4.0.9
x64 Linux
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
: 3476 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-01 14:57 UTC by jack9027
Modified: 2014-07-24 11:08 UTC (History)
2 users (show)

See Also:


Attachments
winbind.log (23.98 KB, text/plain)
2013-08-01 14:57 UTC, jack9027
no flags Details
smb.conf (476 bytes, text/plain)
2013-08-01 14:58 UTC, jack9027
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description jack9027 2013-08-01 14:57:47 UTC
Created attachment 9096 [details]
winbind.log

Hi everyone,

I'm using winbind on ubuntu 12.04 with the latest packages from enterprisesamba.com. Everything works fine except that one group name can't be resolved. The relevant group is in another domain (TESTD2), which has an trust to TESTD. The strange thing is that wbinfo can resolve the group name:

ubuntu@rbdsau0g-virt:~$ su TESTD\\uidv0541
Password: 
groups: cannot find name for group ID 100001

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -G 100001
S-1-5-21-2048354812-1799923345-800859446-444655

uidv0541@rbdsau0g-virt:/home/ubuntu$ wbinfo -s S-1-5-21-2048354812-1799923345-800859446-444655
TESTD2\MT-All_Users 2


The smb.conf and the relavant output of winbind -i -d 10 is also attached. I tried idmap backend tdb and ad and could reproduce the same behaviour with both.

Please tell me if I can provide you any further information.

Thanks in advance!
Comment 1 jack9027 2013-08-01 14:58:05 UTC
Created attachment 9097 [details]
smb.conf
Comment 2 Thiago Crepaldi 2013-10-30 16:54:35 UTC
I have the same issue on Samba 4.0.9 (which works on samba 3.6.9)

I joined one domain \\DOMA which trusts on \\DOMB. 

1)"getent group DOMA\\group1" works, but "getent group DOMB\\group2" returns nothing !

2) "wbinfo -n DOMB\group2" returns  the SID successfully

3) "getent passwd" works fine for both

4) "wbinfo --group-info DOMB\\group2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group domb\group2

5) "wbinfo -s <domb_group2_sid>" works too
DOMB\group2 2

6) "wbinfo -Y <domb_group2_sid>" returns a GID
5015

7) "wbinfo -G 5015" retudn the correct SID
<domb_group2_sid>

8) "wbinfo --gid-info 5015" fails !!!!
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 5015

9) "getent group 5015" returns nothing
Comment 3 Björn Jacke 2014-01-28 23:09:16 UTC
"winbind use default domain = yes" is highly deprecated to use. Especially if you have trusted domains. Does it work if you set winbind use default domain to "no"?
Comment 4 Björn Jacke 2014-07-24 06:50:40 UTC
*** Bug 3476 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2014-07-24 11:08:13 UTC
samba just doesn' have the permissons in ad to query all the info it needs. u can try setting winbind expand groups=0 and/or do net setauthuser to give winbind more possibilities to get the information it needs and as a result get the id resolution work.