The command # samba-tool group listmembers my_group --hide-expired does not list contacts (or other group member objects without the accountExpires attribute). Have patch, need bug number.
There is another bug here as well, the search doesn't list members of nested groups either. Example: sudo samba-tool group listmembers 'domain admins' Unix Admins swanadmin dhcpduser Administrator But using what I believe to be the correct search filter: sudo ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com)' sAMAccountName | grep 'sAMAccountName' | sed 's/sAMAccountName: //' Unix Admins swanadmin rowland dhcpduser Administrator It clearly shows that I am a member of Domain Admins via the Unix Admins group. Shall I wait until you fix your bug and then file another bug, or do you want to fix it at the same time as you fix yours ?
(In reply to Rowland Penny from comment #1) Hi Rowland, I would like to fix these different issues separately. I've created a merge request: https://gitlab.com/samba-team/samba/-/merge_requests/1923
This bug was referenced in samba master: 86f2b8dab1102974d32275282dfe69f4af5b6834 2e2426e51576aae6211950b25aaacdd97815b111
Created attachment 16597 [details] fix for 4.14, cherry-picked from master
Closing as it is fixed.