Created attachment 6826 [details] Proposed patch I've discovered some (possible rare) issue with "source3/winbindd/wb_group_members.c:wb_group_members_done()" function. It seems that it can be more friendly under some broken AD configurations. 1) We have a complex AD forest, where remote corporate branches have its own slave DC. 2) Some of branches have its own"local" domains (I am not familiar whether trusted or not). 3) Some local admins of those branches include its own "local" members into the common corporate AD groups. 8) 4) As a result, we have a "correct" group with an uncorrect member (due to bad unknown sid). All work fine with this, except the "getent group". We certainly have "winbind enum groups = yes", but "getent group" fails, whereas "getent group GRPNAME" works fine. I've discover that the error is NT_STATUS_TRUSTED_DOMAIN_FAILURE when winbindd tryes to obtain group members. Now, this error breaks all the obtaining process, hence "getent groups" return nothing about nss_winbind groups. IMHO the best way is to ignore such an error, just leave the "bad" group "empty". This way we do not break "getent group", it "continue to obtain" info from AD. The patch proposed in maillist attached. It fixes the issue for me.
Created attachment 6827 [details] Patch This is the corresponding patch for 3.6.0. Volker
Comment on attachment 6827 [details] Patch Looks good
Comment on attachment 6826 [details] Proposed patch Looks good
Volker, please push to master. Karolin, please pick for the releases.
(In reply to comment #4) > Volker, please push to master. 71dcb84e61443df3f149693486fde40315d7503d Volker
Pushed to v3-5-test and v3-6-test. Closing out bug report. Thanks!