Created attachment 7013 [details]
Config, ldif and all logs

When using ldapsam:editposix, winbind cannot retrieve group information from LDAP.
Samba config and 'smbd -b' output are in the attachment.

How to reproduce the bug (doing mostly as written in http://wiki.samba.org/index.php/Ldapsam_Editposix):

1. Modify /etc/nsswitch.conf:

    passwd: files winbind
    shadow: files
    group: files winbind

2. Create entries in LDAP (ldif is in attachment)

3. smbpasswd -w 11111111

4. /etc/init.d/winbind start

5. net sam provision

    Checking for Domain Users group.
    Adding the Domain Users group.
    Checking for Domain Admins group.
    Adding the Domain Admins group.
    Check for Administrator account.
    Adding the Administrator user.
    Checking for Guest user.
    Adding the Guest user.
    Checking Guest's group.
    Adding the Domain Guests group.

6. net sam createbuiltingroup Administrators

    Created BUILTIN group Administrators with RID 544

   net sam createbuiltingroup Users

    Created BUILTIN group Users with RID 545

   net sam createbuiltingroup Guests

    Created BUILTIN group Guests with RID 546

New ldif after provisioning is in attachment.

8. /etc/init.d/smb start

9. Some winbind checks:

    wbinfo -t
    checking the trust secret for domain XYZZY via RPC calls succeeded

    wbinfo -n XYZZY\\administrator
    S-1-5-21-291514870-970769412-1889819721-500 SID_USER (1)

    wbinfo -s S-1-5-21-291514870-970769412-1889819721-500
    XYZZY\Administrator 1

    wbinfo -S S-1-5-21-291514870-970769412-1889819721-500
    1000

    wbinfo -n XYZZY\\domadmins
    S-1-5-21-291514870-970769412-1889819721-512 SID_DOM_GROUP (2)

    wbinfo -s S-1-5-21-291514870-970769412-1889819721-512
    XYZZY\Domain Admins 2

    wbinfo -Y S-1-5-21-291514870-970769412-1889819721-512
    1001

10. Groups and users listing

    wbinfo -u
    administrator
    nobody

    wbinfo -g
    domain users
    domain admins
    domain guests

11. Now, the interesting thing begins:

    getent passwd administrator
    administrator:*:1000:1001:Administrator:/home/XYZZY/administrator:/bin/false

Works!

    getent group domadmins
    getent group XYZZY\\domadmins
    getent group XYZZY\\domain\ admins

NOTHING!
LDAP log and 10th level log when 'getent group domadmins' executed are in attachment

12. Simple perl script:

    #!/usr/bin/perl
    print 'getpwuid(1000) = ', join('; ', getpwuid(1000)), "\n";
    print 'getgrgid(1001) = ', join('; ', getgrgid(1001)), "\n";

prints:

    getpwuid(1000) = administrator; *; 1000; 1001; ; ; Administrator; /home/XYZZY/administrator; /bin/false
    getgrgid(1001) =

NO GROUPS INFORMATION!
LDAP log and 10th level Samba log when 'getgrgid(1001)' called are in attachment

13. Additional winbind checks:

    wbinfo --user-info=XYZZY\\Administrator
    administrator:*:1000:1001:Administrator:/home/XYZZY/administrator:/bin/false

    wbinfo --group-info=XYZZY\\domadmins
    failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for group XYZZY\domadmins

Very strange, why WBC_ERR_DOMAIN_NOT_FOUND here?
LDAP log and 10th level Samba log when 'wbinfo --group-info=XYZZY\\domadmins' executed are in attachment

14. ACHTUNG! 'getent group' and 'getgrgid' WORK when in smb.conf there is the parameter:

    winbind expand groups = 0 # (default is '1')

But then all groups are ALWAYS EMPTY (have no members).

getent group domusers:

    domain users:x:1000:

perl script with getgrgid:

    getpwuid(1000) = administrator; *; 1000; 1001; ; ; Administrator; /home/XYZZY/administrator; /bin/false
    getgrgid(1001) = domain admins; x; 1001;

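The symptom in steps 12 and 14 above (a UID that resolves through NSS while its primary GID does not, or resolves only to a group with no members) can be checked for every account at once. This is an added example, not part of the original report or of Samba; the `min_gid` cutoff of 1000 and the sample records are assumptions constructed from the values shown in the report.

```python
import grp
import pwd
from collections import namedtuple

# Minimal stand-ins for pwd.struct_passwd / grp.struct_group (constructed).
Passwd = namedtuple("Passwd", "pw_name pw_uid pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")

# Constructed samples mirroring the report: uid 1000 resolves, gid 1001 may not.
SAMPLE_USERS = [Passwd("administrator", 1000, 1001), Passwd("root", 0, 0)]
SAMPLE_GROUPS_BROKEN = {0: Group("root", 0, [])}
SAMPLE_GROUPS_NO_EXPAND = {0: Group("root", 0, []),
                           1001: Group("domain admins", 1001, [])}


def lookup_from(table):
    """Build a getgrgid()-like callable over a dict; raises KeyError like grp."""
    return lambda gid: table[gid]


def audit_primary_groups(users, getgrgid=grp.getgrgid, min_gid=1000):
    """Return (user, gid, status) for accounts whose primary GID >= min_gid.

    status: "unresolved" if the GID lookup fails (step 12 of the report),
    "resolved-empty" if the group exists but lists no members (step 14),
    otherwise "ok". An empty member list is only a hint, since NSS sources
    need not list primary-group members explicitly.
    """
    findings = []
    for u in users:
        if u.pw_gid < min_gid:  # assumption: local system groups sit below this
            continue
        try:
            g = getgrgid(u.pw_gid)
        except KeyError:
            findings.append((u.pw_name, u.pw_gid, "unresolved"))
            continue
        status = "ok" if g.gr_mem else "resolved-empty"
        findings.append((u.pw_name, u.pw_gid, status))
    return findings


if __name__ == "__main__":
    # Live run against the host's NSS (files + winbind per nsswitch.conf).
    for name, gid, status in audit_primary_groups(pwd.getpwall()):
        print(f"{name}\tgid={gid}\t{status}")
```
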
Created attachment 7014 [details]
Right logs

Sorry, in the previous message 'log level' wasn't actually 10. Right logs are in the attachment.