This happens with Samba 3.0.8 configured as a domain member server (security = ADS), the domain being in w2k native mode. The following code appears twice in the winbindd_getgroups() function in nsswitch/winbindd_group.c. -- if (gid_list == NULL) goto done; -- It's within the two loops which iterate through the list of group memberships. This has the following consequence: If the loop is executed for the first time (examining the first group membership) and if THIS (i.e. the first) group has NO gidNumber assigned (i.e. add_gids_from_group_sid() fails), then the function fails completely ("goto done;"!), even if some other group (i.e. a non-first group) has a gidNumber assigned. The code should either be removed completely (I see no reason why the function should fail, even if the user has NO unix group membership, this is valid scenario?!), or it should be at least moved to somewhere after the loops, so it only fails if no group has a gidNumber assigned (in fact a posix user must have a group memberships - the primary group; however, this doesn't need to be checked here, because getpwent() fails already if there is no primary group membership).
Created attachment 772 [details] Proposed patch
Looks good - applied. Moved this check to just before the return. Jeremy.
This is fixed in 3.0.11 (by either guenther or volker) I think.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.