There is a bug in winbind/nss: When there are MANY (1000+ here) AD users and FEW (20 here) of them actually have a unix mapping (we use idmap_ad with uidNumber attributes), listing the users ("getent passwd") and groups fails. The reason is that winbindd_getpwent (nsswitch/winbindd_user.c) and winbindd_getgrent (nsswitch/winbindd_group.c) fetch users/groups in chunks of 250 by default. If there is no unix-mapped user within a chunk, it will fail without further searching the user list. The attached patchs changes the behaviour to fetch users until there are 250 users who have actually a unix-mapping.
Created attachment 1396 [details] Proposed patch
See also BZ#3660?
*** Bug 3660 has been marked as a duplicate of this bug. ***
Correct - thanks. I've fixed in SAMBA_3_0, SAMBA_3_0_25 and SAMBA_3_0_26 trees. Probably too late for 3.0.25 but will make any subsequent release. Jeremy.