Created attachment 6826 [details]
I've discovered some (possible rare) issue with
It seems that it can be more friendly under some broken AD configurations.
1) We have a complex AD forest, where remote corporate branches have its own slave DC.
2) Some of branches have its own"local" domains (I am not familiar whether trusted or not).
3) Some local admins of those branches include its own "local" members into the common corporate AD groups. 8)
4) As a result, we have a "correct" group with an uncorrect member (due to bad unknown sid).
All work fine with this, except the "getent group". We certainly have "winbind enum groups = yes", but
"getent group" fails, whereas "getent group GRPNAME" works fine.
I've discover that the error is NT_STATUS_TRUSTED_DOMAIN_FAILURE when winbindd tryes to obtain group members. Now, this error breaks all the obtaining process, hence "getent groups" return nothing about nss_winbind groups.
IMHO the best way is to ignore such an error, just leave the "bad" group "empty". This way we do not break "getent group", it "continue to obtain" info from AD.
The patch proposed in maillist attached. It fixes the issue for me.
Created attachment 6827 [details]
This is the corresponding patch for 3.6.0.
Comment on attachment 6827 [details]
Comment on attachment 6826 [details]
Volker, please push to master.
Karolin, please pick for the releases.
(In reply to comment #4)
> Volker, please push to master.
Pushed to v3-5-test and v3-6-test.
Closing out bug report.