When using the options idmap backend = idmap_ad and winbind nss info = sfu, and a user is a member of a group that doesn't have SFU attributes defined in AD, getent passwd user fails completely. Only when all the groups a user is a member of have SFU attributes defined does getent passwd user work. For example: in AD, userA is a member of the groups "Domain Users" and "GroupUnixA". If both groups have SFU attributes defined, everything works ok. But if, for example, group "Domain Users" doesn't have SFU attributes defined but GroupUnixA has, getent passwd userA will fail and will return no information or errors. I think that in this scenario it should return at least the information of GroupUnixA, ignoring the group Domain Users.
(In reply to comment #0)
> When using the options idmap backend = idmap_ad and winbind nss info = sfu, and a
> user is a member of a group that doesn't have SFU attributes defined in AD,
> getent passwd user fails completely. Only when all the groups a user is a
> member of have SFU attributes defined does getent passwd user work.
> For example: in AD, userA is a member of the groups "Domain Users" and "GroupUnixA".
> If both groups have SFU attributes defined, everything works ok. But if, for
> example, group "Domain Users" doesn't have SFU attributes defined but
> GroupUnixA has, getent passwd userA will fail and will return no information or
> errors.
> I think that in this scenario it should return at least the information of
> GroupUnixA, ignoring the group Domain Users.

I saw in bug 3062 that other people are getting this problem too. I think winbindd should work like nss_ldap, where it only maps AD groups that have SFU attributes defined and ignores the ones that don't. This behavior would be great because it is not always desirable that all groups a user is a member of in AD should be mapped/used on the unix side.
severity should be determined by the developers and not the reporter.
Setting as enhancement and version to 4.0. It still needs to be discussed whether this is a wanted feature.
The POSIX group memberships are intentionally not used by winbind. We use only the Windows group memberships. And the uidNumber and gidNumber attributes are required to make those users/groups work. The idmap_ad man page was also made much more verbose about this some time ago.
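The practical consequence of the developer's answer above, together with the behaviour reported in comment #0, is that an admin running idmap_ad with winbind nss info = sfu needs every Windows group a user belongs to to carry a gidNumber, and the user itself to carry uidNumber and gidNumber. The following is an added diagnostic for that check; it is not Samba code and not something from this bug. It parses LDIF as `ldapsearch -LLL` would print it and reports which of a user's groups lack gidNumber. The LDIF below is constructed sample data with hypothetical DNs (example.com), membership is modelled only through memberOf (the primaryGroupID link AD actually uses for "Domain Users" is not modelled), and base64-encoded (`::`) LDIF values are not handled.

```python
import sys

# Attributes winbind's idmap_ad backend needs on users and on groups, per the
# developer's comment in this bug. Constructed example, not Samba code.
REQUIRED_USER_ATTRS = ("uidNumber", "gidNumber")
REQUIRED_GROUP_ATTRS = ("gidNumber",)

# Constructed sample LDIF mirroring the scenario in comment #0: GroupUnixA has a
# gidNumber, "Domain Users" does not. DNs are hypothetical.
SAMPLE_LDIF = """\
dn: CN=userA,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: userA
uidNumber: 10001
gidNumber: 10001
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=GroupUnixA,OU=Groups,DC=example,DC=com

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users

dn: CN=GroupUnixA,OU=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: GroupUnixA
gidNumber: 10100
"""


def parse_ldif(text):
    """Parse plain LDIF into {dn: {attr: [values]}}.

    Attribute names are lowercased because LDAP attribute names are
    case-insensitive. Folded continuation lines (leading space) are joined.
    Base64 values ("attr:: ...") are not decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def check_user(entries, account):
    """Report whether `account` and every group in its memberOf list carry the
    POSIX attributes idmap_ad requires. Group DNs are matched case-insensitively."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries.items()}
    by_sam = {attrs["samaccountname"][0].lower(): attrs
              for attrs in entries.values() if "samaccountname" in attrs}
    user = by_sam[account.lower()]
    report = {
        "user": account,
        "missing_user_attrs": [a for a in REQUIRED_USER_ATTRS if a.lower() not in user],
        "groups_ok": [],
        "groups_missing_gidnumber": [],
        "groups_not_found": [],
    }
    for group_dn in user.get("memberof", []):
        group = by_dn.get(group_dn.lower())
        if group is None:
            report["groups_not_found"].append(group_dn)
            continue
        name = group.get("samaccountname", [group_dn])[0]
        if all(a.lower() in group for a in REQUIRED_GROUP_ATTRS):
            report["groups_ok"].append(name)
        else:
            report["groups_missing_gidnumber"].append(name)
    # Per comment #0, getent passwd fails as soon as any group lacks the attribute.
    report["all_posix_attrs_present"] = not (report["missing_user_attrs"]
                                             or report["groups_missing_gidnumber"]
                                             or report["groups_not_found"])
    return report


def main(argv):
    account = argv[1] if len(argv) > 1 else "userA"
    text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_LDIF
    r = check_user(parse_ldif(text), account)
    print("user %s: missing %s" % (r["user"], r["missing_user_attrs"] or "nothing"))
    print("groups with gidNumber:   %s" % r["groups_ok"])
    print("groups lacking gidNumber: %s" % r["groups_missing_gidnumber"])
    print("groups not in LDIF:       %s" % r["groups_not_found"])
    print("all attributes present:   %s" % r["all_posix_attrs_present"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_sfu.py userA groups.ldif`, where groups.ldif is the output of an ldapsearch (assumed, with your own -H and -b values) such as `ldapsearch -LLL -H ldap://dc.example.com -b DC=example,DC=com '(|(sAMAccountName=userA)(objectClass=group))' sAMAccountName uidNumber gidNumber memberOf`; with no arguments it runs against the embedded sample and lists "Domain Users" as the group that would break the lookup.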