I ran some tests to see why getent passwd was not enumerating my domain users and discovered this:
If I getent passwd <username> it returns the user information including the primary group defined in the Unix attributes. If I add a Unix GID in the idmap config range to the domain's Domain Users group and getent passwd, it returns all of my domain users with all of the Unix attributes as defined in AD for them, BUT it replaces the primary group GID with the GID I defined for the Domain Users group.

Apparently, some genius decided that the best way to look up users in AD is by membership in "Domain Users" rather than iterating through the directory looking for users that have rfc2307 attributes defined, totally ignoring the rfc2307 group attribute on the user objects. The suspected bug is that it is not using the rfc2307 primary GID attribute, but rather is defaulting the "Domain Users" group as the primary group for all users regardless of the rfc2307 attributes.

Is there a way to force Winbind not to use the Domain Users group as the primary group for the winbindd_getpwent process, so it returns the rfc2307 group attribute as it used to / should? Or do I have to redo all of my group file ownership/permissions on all of my servers to match "Domain Users" for some ungodly reason?

Currently running Samba 3.4.3 on SLES 11.1, and authenticating against Windows 2003R2 AD, but I suspect this same bug/feature was introduced with the idmap changes in 3.30 and above so should apply to all versions above 3.30. I don't know if the same logic is being used in v4 winbind idmap process...
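As an added example (not part of the original post or of Samba), a small POSIX shell check that makes the comparison described above mechanical: it diffs the primary GID from per-user `getent passwd <username>` lookups against the GID in the full `getent passwd` enumeration and lists every user where the two disagree. The user names, UIDs, GIDs and the value 10513 standing in for the Domain Users GID are constructed sample data so the check runs offline.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): flag users whose primary GID
# in the enumerated `getent passwd` output differs from the GID returned by a
# per-user `getent passwd <username>` lookup, the symptom described above.
#
# The two here-docs are constructed sample data so this runs offline. On a real
# winbind host the files would be produced with something like:
#   getent passwd > enum.txt
#   awk -F: '{print $1}' enum.txt | while read -r u; do getent passwd "$u"; done > single.txt

# Constructed output of per-user lookups (GID = rfc2307 gidNumber on the user object)
single_lookups() {
cat <<'EOF'
alice:*:10001:5001:Alice Example:/home/alice:/bin/bash
bob:*:10002:5002:Bob Example:/home/bob:/bin/bash
EOF
}

# Constructed output of a full enumeration; 10513 is a made-up value standing in
# for the GID assigned to "Domain Users" in the idmap range
enumeration() {
cat <<'EOF'
alice:*:10001:10513:Alice Example:/home/alice:/bin/bash
bob:*:10002:10513:Bob Example:/home/bob:/bin/bash
carol:*:10003:5003:Carol Example:/home/carol:/bin/bash
EOF
}

# gid_mismatches SINGLE_FILE ENUM_FILE
# Prints one "user:single_gid:enumerated_gid" line per user whose GID differs.
# Users present only in the enumeration (no per-user lookup available) are skipped.
gid_mismatches() {
    awk -F: '
        NR == FNR { gid[$1] = $4; next }     # first file: remember per-user GID
        ($1 in gid) && gid[$1] != $4 {       # second file: compare passwd field 4
            print $1 ":" gid[$1] ":" $4
        }' "$1" "$2"
}

# Runs the comparison over the constructed sample data; prints mismatches and
# returns 1 if any were found, 0 otherwise.
check_sample() {
    tmp=$(mktemp -d) || return 2
    single_lookups > "$tmp/single.txt"
    enumeration > "$tmp/enum.txt"
    out=$(gid_mismatches "$tmp/single.txt" "$tmp/enum.txt")
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

On a live host, a non-empty result from gid_mismatches over real getent output is the evidence that enumeration is substituting the Domain Users GID for the per-user gidNumber.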