User and group IDs, if set in RFC2307, are only resolved correctly on the Samba AD-DC, if I do a ldbedit -e vi -H /etc/samba/sam.ldb and manually add objectClass: posixGroup to testgroup and objectClass: posixAccount to testuser.
Before adding these object classes:
testgroup:*:3000022:
S4HJ\testuser:*:3000013:100::/home/testuser:/bin/bash
After adding these object classes:
[root@merlot samba-4.0.0]# getent passwd testuser
S4HJ\testuser:*:10000:10001::/home/testuser:/bin/bash
[root@merlot samba-4.0.0]# getent group testgroup
testgroup:*:10000:
[root@merlot samba-4.0.0]# id -a S4HJ\\testuser
uid=10000(S4HJ\testuser) gid=10001(testgroup2) Gruppen=10001(testgroup2),100(users),10000(testgroup)
Regards
Hansjörg
In 4.0.4 the problem still exists.
Just to keep it documented here: Andrew submitted this patch for 4.0.0
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c index a6cc88f..e11a8e4 100644 --- a/source4/winbind/idmap.c +++ b/source4/winbind/idmap.c @@ -236,8 +236,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, LDB_SCOPE_SUBTREE, sam_attrs, 0, "(&(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u))" - "(uidNumber=%u)(objectSid=*)" - "(|(objectClass=posixAccount)(objectClass=posixGroup)))", + "(uidNumber=%u)(objectSid=*))", ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, unixid->id); } else { /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ @@ -274,8 +273,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, ldb_get_default_basedn(idmap_ctx->samdb), LDB_SCOPE_SUBTREE, sam_attrs, 0, - "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)" - "(|(objectClass=posixAccount)(objectClass=posixGroup)))", + "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u))", ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id); } else { -- 1.7.11.7
I additionally added
[root@merlot winbind]# diff idmap.c idmap.c_org 440c440,441 < "(|(uidNumber=*)(gidNumber=*)))", --- > "(|(uidNumber=*)(gidNumber=*))" > "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
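Review bot: in both hunks of idmap_xid_to_sid the filter loses the (|(objectClass=posixAccount)(objectClass=posixGroup)) clause with no comment explaining why, and the third filter carrying the same clause, the "(|(uidNumber=*)(gidNumber=*))" one at line 440, is changed only in the follow-up local diff and not in the submitted patch. I would fold that third change into the patch so every filter in the file treats uidNumber and gidNumber the same way, and add a short comment at each filter saying the posix object classes are deliberately not required. With the class test gone, the uidNumber and gidNumber matches are constrained only by the sAMaccountType terms (plus objectSid=* in the uid filter), so the commit message should also state what is expected to happen if two objects carry the same uidNumber or gidNumber.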
Marking as 'duplicate' of the bug I filed trying to get this fix into 4.0.5.
*** This bug has been marked as a duplicate of bug 9718 ***