https://bugzilla.novell.com/show_bug.cgi?id=275407

moby@pcsn.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |REOPENED
      Info Provider|moby@pcsn.net               |

------- Comment #13 from moby@pcsn.net  2007-06-15 12:14 MST -------

I do not see how this bug can be left "as is". It is not really getent passwd that I am worked up about; it is the fact that the user accounts from the domain that are not listed by getent passwd cannot be used to set ACLs, which, IMHO, is of critical use for most users of Samba.

The primary use of Samba on Linux, for myself and I am sure many others, is to replace Microsoft Windows member servers in a Windows domain. I have done that with great success in many cases using Samba 3.0.23d-19.5. Using ACLs and AD domain integration, I have replaced many Windows file servers with Linux machines.

Now, with this latest release of Samba, I cannot use setfacl or anything else that requires using domain accounts at the file system level (chown etc). This makes the use of Samba on Linux as a file server replacement for MS Windows impossible, and I am sure one of the primary uses of Samba, together with its AD integration, is on file servers.

Having said all that and hoping the bug will not be closed, here are some more observations.

Going through the source for winbind (nsswitch/winbindd_user.c to be exact), I notice that the GID for the user's "primary" group is looked up. I re-did my tests for getent group. I was wrong in saying that getent group works fine - it does not show the built-in domain users or domain admins groups. Further, if I go into dsa.msc (AD users and groups console) and set a group that does show up in the getent group output, then that user shows up in getent passwd.

So the problem is not one of getent passwd not showing certain users - that is an effect. A more fundamental cause is that certain built-in groups (I am only sure about domain admins and domain users so far - I am looking further) do not show up in getent group - and if those groups are the only, or the primary, groups for users, then those users fail to show up in getent passwd output.

Trying to track why the built-in group domain users does not show up in getent group, I ran the following tests:

    wbinfo --name-to-sid="domain users"
    S-1-5-21-4075376926-2798723368-2832161110-513 Domain Group (2)

    [root@suse-test:/var/log/samba]wbinfo --sid-to-gid=S-1-5-21-4075376926-2798723368-2832161110-513
    Could not convert sid S-1-5-21-4075376926-2798723368-2832161110-513 to gid

So the problem is ~why~ is wbinfo --sid-to-gid using the well-known RID for a built-in group failing? That, at least IMHO, is the root cause of the problem.

I am going to trawl through the logs and see if I can find out anything else. In the meantime, can you verify that the wbinfo tests above work for you using my (albeit modified for your environment) smb.conf?

Many thanks for sticking with this.
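The two wbinfo checks in the comment above can be repeated for every domain group to list which ones resolve to a SID but have no gid mapping. This is an added example, not part of the bug report or of Samba; the function names and the WBINFO override are hypothetical, and it assumes wbinfo exits non-zero when a lookup fails.

```shell
#!/bin/sh
# Added diagnostic sketch: find groups that fail the SID -> gid step.
# WBINFO is a hypothetical override so a stub can stand in for the real tool.
WBINFO=${WBINFO:-wbinfo}

# Print the SID for a group name, or return 1 if the name does not resolve.
# "wbinfo --name-to-sid" prints "<SID> <type text>"; keep only the first field.
group_sid() {
    out=$("$WBINFO" --name-to-sid="$1" 2>/dev/null </dev/null) || return 1
    sid=${out%% *}
    case $sid in
        S-1-*) printf '%s\n' "$sid" ;;
        *) return 1 ;;
    esac
}

# Read group names on stdin, one per line, and print one tab-separated
# line for each group that cannot be used for chown/setfacl:
#   NOSID <name>        the name did not resolve to a SID
#   NOGID <name> <sid>  the SID resolved but has no gid mapping
unmapped_groups() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! sid=$(group_sid "$name"); then
            printf 'NOSID\t%s\n' "$name"
            continue
        fi
        if ! "$WBINFO" --sid-to-gid="$sid" >/dev/null 2>&1 </dev/null; then
            printf 'NOGID\t%s\t%s\n' "$name" "$sid"
        fi
    done
}

# Typical use on a domain member (wbinfo -g lists the domain groups):
#   wbinfo -g | unmapped_groups
```

Any group reported as NOGID is a candidate for the symptom described in the comment: users whose primary group is that group would be missing from getent passwd.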