Given you have an nsswitch.conf like

    passwd: files ldap winbind
    group: files ldap winbind

and a smb.conf with

    idmap config MYDOM:backend = nss
    idmap config MYDOM:range = 1000-1000000
    idmap config MYDOM:readonly = yes

you get strange inconsistent results when users/groups are resolved:

    # touch testfile
    # chown a_domain_user testfile
    # nscd -i passwd
    # ls -l testfile
    ... MYDOM\a_domain_user ...
    # nscd -i passwd
    # ls -l testfile
    ... a_domain_user ...

To resolve this problem and to get consistent results, a solution could be that any domains that are configured with idmap backend nss should get the domain part stripped off. Does that sound reasonable?
Should they be returned at all?
simo: good point, indeed. btw: the above steps to reproduce the problem need a "getent passwd 'MYDOM\a_domain_user'" after the first nscd flush.