This is a regression since Samba 3.5.9. With the bugfix for bug #7843 winbind stopped returning Domain Local groups for its own domain. It is likely that this also fixes bug #8523.

We see this problem in different scenarios. Here is the scenario how I reproduced it and tested the fix. I will ask different parties to test the fix.

Scenario: You have two AD forests with an AD server in each. The domains are named LEVEL1.DISCWORLD.SITE and LEVEL2.DISCWORLD.SITE and they have a two way transitive trust. LEVEL1 is the domain which manages all user accounts. LEVEL2 manages groups and machines. There is a user LEVEL1\asn and a Domain Local group LEVEL2\samba. winbind is joined to LEVEL2.

I authenticate the user with

    wbinfo -a LEVEL1\\asn%secret

and then do

    id LEVEL1\\asn

This worked with Samba versions up to version 3.5.8 and stopped working with 3.5.9 which fixes bug #7843.

The following patch fixes the problem for me. After that you can see again Domain Local groups of your own domain (the domain winbind is joined to).
Created attachment 7711 [details] v3-6-test patch
You don't seem to fully describe what the problem is. I assume that

(1) user LEVEL1\asn is member of LEVEL2\samba.
(2) "id LEVEL1\asn" listed the group LEVEL2\samba before.
(3) "id LEVEL1\asn" does not list LEVEL2\samba any more.

right?

If so, then yes, bug #8523 might be a duplicate. That bugreport fixes the problem by removing the call to lookup_usergroups_cached() instead of fixing the function. :-)

The patch looks reasonable, although I am not certain that the long comment is necessary. IMHO, the important thing is that the commit message carries that explanation.

Cheers - Michael
Yes, that's correct.
Note that with this patch, sid_array_from_info3() is *never* called from anywhere in the code with the parameter "skip_ressource_groups" set to true. So we can just remove it, and remove the part of the code referring to it inside sid_array_from_info3() as well. Jeremy.
Created attachment 7715 [details] Replacement patch for master and 3.6.next with the removal of the sid_array_from_info3() parameter.
Comment on attachment 7715 [details] Replacement patch for master and 3.6.next with the removal of the sid_array_from_info3() parameter. Thanks, looks fine for me.
Re-assigning to Karolin for inclusion in 3.6.next. Jeremy.
Pushed to v3-6-test. Closing out bug report. Thanks!
Hmmm, this still seems to be in 3.6.12, at least on FreeBSD:

Here are the groups dummy-1 is in:

    $ wbinfo --user-domgroups=`wbinfo -n dummy-1 | cut -f1 -d\ `
    S-1-5-21-757122879-414339038-1732654586-513
    S-1-5-21-757122879-414339038-1732654586-42349

The first is Domain Users, the second the domain local group I set up.

Here is what id dummy-1 displays:

    $ id dummy-1
    uid=1344820287(dummy-1) gid=1344799233(domain users) groups=1344799233(domain users)

Domain Users is listed twice but the second group is not listed at all. Now to figure out why.
I am also experiencing this problem using both the stock packages from RHEL 6.3 (3.6.9-151) as well as the latest packages from enterprisesamba.org (3.6.13-45). The user's domain local groups will show up initially and after some period of time they are dropped both from the wbinfo and id commands. Setting the groups to global scope appears to resolve the issue.
Yes, cause the information is only available with the credentials of the user.

    samba:~ # wbinfo --user-domgroups=$(wbinfo -n DISCWORLD+asn | cut -f1 -d\ )
    S-1-5-21-2175650508-4111995269-951467909-513
    S-1-5-21-2175650508-4111995269-951467909-1109
    S-1-5-21-2175650508-4111995269-951467909-1106
    S-1-5-21-2175650508-4111995269-951467909-1108

    samba:~ # wbinfo -K DISCWORLD+asn
    Enter DISCWORLD+asn's password:
    plaintext kerberos password authentication for [DISCWORLD+asn] succeeded (requesting cctype: FILE)
    credentials were put in: FILE:/tmp/krb5cc_0

    samba:~ # wbinfo --user-domgroups=$(wbinfo -n DISCWORLD+asn | cut -f1 -d\ )
    S-1-5-21-2175650508-4111995269-951467909-513
    S-1-5-21-2175650508-4111995269-951467909-1109
    S-1-5-21-2175650508-4111995269-951467909-1106
    S-1-5-21-2175650508-4111995269-951467909-1108
    S-1-5-21-2175650508-4111995269-951467909-1110

    samba:~ # wbinfo --sid-to-name=S-1-5-21-2175650508-4111995269-951467909-1110
    DISCWORLD+domain_local_group 4

I've written a blog post about this: https://blog.cryptomilk.org/2012/11/08/understanding-winbind/
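
The before/after comparison in the last comment, as an added example that is not part of the bug thread or of Samba: it reports the group SIDs that appear in `wbinfo --user-domgroups` output only after the user has authenticated. The function names `new_group_sids` and `demo` and the temporary file layout are assumptions; the sample SIDs are the ones quoted in that comment.

```shell
#!/bin/sh
# Added example (not from the bug thread): list group SIDs that winbind
# reports only after the user has authenticated.
# Each input file holds raw `wbinfo --user-domgroups=<user SID>` output.

SID_RE='^S-1-[0-9]+(-[0-9]+)+$'

# new_group_sids BEFORE_FILE AFTER_FILE
# Prints SIDs present in AFTER_FILE but missing from BEFORE_FILE.
new_group_sids() {
    _before=$(mktemp)
    _after=$(mktemp)
    # Keep only well-formed SID lines (drops prompts and status messages),
    # then sort in the C locale so comm sees consistently ordered input.
    grep -E "$SID_RE" "$1" | LC_ALL=C sort -u > "$_before"
    grep -E "$SID_RE" "$2" | LC_ALL=C sort -u > "$_after"
    LC_ALL=C comm -13 "$_before" "$_after"
    rm -f "$_before" "$_after"
}

# demo: replays the two listings quoted in the last comment.
demo() {
    _dir=$(mktemp -d)
    cat > "$_dir/before" <<'EOF'
S-1-5-21-2175650508-4111995269-951467909-513
S-1-5-21-2175650508-4111995269-951467909-1109
S-1-5-21-2175650508-4111995269-951467909-1106
S-1-5-21-2175650508-4111995269-951467909-1108
EOF
    cat > "$_dir/after" <<'EOF'
S-1-5-21-2175650508-4111995269-951467909-513
S-1-5-21-2175650508-4111995269-951467909-1109
S-1-5-21-2175650508-4111995269-951467909-1106
S-1-5-21-2175650508-4111995269-951467909-1108
S-1-5-21-2175650508-4111995269-951467909-1110
EOF
    new_group_sids "$_dir/before" "$_dir/after"
    rm -rf "$_dir"
}

demo
```

A SID that shows up only in the second listing can then be resolved with `wbinfo --sid-to-name`, as the comment does.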