[I'm afraid $customer made me anonymize their rootdn, user and group names, so the ones below are made up. Hopefully I haven't introduced any errors in the process.]

I'm running Debian 7 with samba 4.0.9dfsg1-1 built from git://git.debian.org/pkg-samba/samba. I'm using samba as an AD DC, with accounts migrated from a samba3/slapd stack using samba-tool domain classicupgrade.

What I find confusing is that there are groups in samba -- as confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that are not reported by getent groups (glibc's nss query tool). Further, getent groups can reverse-resolve GIDs into the missing groups.

This is the worst one -- it only reverse-resolves:

    # getent group fb
    # getent group FB\\fb
    # getent group | grep fb:
    # getent group 1019
    FB\fb:*:1019:
    #

This one forward and reverse-resolves, but isn't listed by default:

    # getent group welles
    FB\welles:*:5029:
    # getent group FB\\welles
    FB\welles:*:5029:
    # getent group | grep welles:
    # getent group 5029
    FB\welles:*:5029:
    #

I can't understand why wbinfo and nss_winbind would give different results. The cn=fb and cn=robobobo objects, for example, look pretty much alike -- it's not something as obvious as objectClass: posixGroup in one and not the other.
Created attachment 9283 Output of samba-tool group list
Created attachment 9284 Output of wbinfo -g
Created attachment 9285 output of ldapsearch + munging
Created attachment 9286 Output of getent group
Created attachment 9287 Example missing object
Created attachment 9288 Example present object