getent group seems to fail getting the list of groups that exist in active directory when using any idmapping backend (tried with rid and ad) that filters out some of the groups (playing with minid and maxid). The expected result should be to successfully list all groups whose sids are mapped to valid gids It seems that the problem exists only for the group part, since getent passwd works fine. Looking at winbind logs, any requests coming from libnss stop at the first idmapping that gets filtered. and getent group returns no results. Also if the following info helps, I tried to debug the problem, so I activated debugging winbind_nss_linux.c (added #define DEBUG_NSS) and also changed MAX_GETGRENT_USERS defined in nsswitch/winbind_nss_linux.c from 250 to 1. After doing that, I get a partial list of the groups in active directory, but the list stops at the first group that gets filtered from id mapping.