The same config works fine with Samba 4.1.23 on OpenIndiana. However, when I update Samba to 4.2.0 or later (tried 4.2.0, 4.2.12, 4.4.3) supplementary groups are ignored. I mean, "wbinfo -r user" correctly shows user groups, but 'wbinfo --group-info "some group"' doesn't show group's members:

# wbinfo --group-info 'Domain Users'
domain users:x:10513:
# id -a user
# ( doesn't show user's groups:)
uid=19938(user) gid=10512(domain admins) groups=10512(domain admins)

Log from winbind:
Config:

[global]
# Generic
netbios name = backup-smb
workgroup = SFEDU
server string = File Server
# Browsing
os level = 65
# Access & security
security = ads
password server = *
realm = AD.SFEDU.RU
preferred master = no
idmap config SFEDU : backend = rid
idmap config SFEDU: range = 10000 - 155000
idmap uid = 10000 - 155000
idmap gid = 10000 - 155000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
template homedir = /export/home/%U
template shell = /usr/bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 1
ldap timeout = 200
hosts allow = 195.208.240.0/255.255.240.0 \
    10.0.0.0/255.0.0.0 \
    127.0.0.1
# Charset settings
unix charset = utf-8
dos charset = cp1251
#
# Defaults for shares
#
# DOS attributes
store dos attributes = no
map hidden = no
map system = no
map archive = no
map read only = permissions
# UNIX permissions
create mask = 660 ; AND
force create mode = 660 ; OR
directory mask = 770
force directory mode = 770
Sorry, actually this was an effect of changing "winbind expand groups" default value in Samba 4.2.
Thanks for letting us know.