samba - May 2013 - idmap ad group lookup

Whe have a Active Directory with the SFU2307 Unix extensions running.
The user authentication is running fine against the Active Directorty, for this
why are using the "ad" idmap backend.

The only problem that are not running is, that "getent group" are only
shows the local linux groups and no Actvie Directory Groups with a GID.

"wbinfo -g" and "wbinfo -G" are working fine.

Why are using Samba 3.6.15 on a Ubuntu 64 Bit machine.
It seems so that this problem is existing since the idmap syntax on the samba
config has changed.

I have also create a trace for this problem, and it seems that winbind try's
to get a GID from a windows group, that have no mapping, so he breaks on the
first fail up.

Why have only mapped the "domain users" group and some one create
groups.

smb.conf:
[global]

   security = ADS
   panic action = /usr/share/samba/panic-action %d
   workgroup = INT
   realm = INT.TMG
   socket options = TCP_NODELAY
   interfaces = 127.0.0.1 eth0
   bind interfaces only = true
   printing = cups
   printcap name = cups
   load printers = no
   wins server = 10.9.2.1, 10.9.2.2

        winbind cache time = 604800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap alloc config:range = 5000 - 9999
        idmap config INT : schema_mode = rfc2307
        idmap config INT : range = 10000 - 300000000
        idmap config INT : default = yes
        idmap config INT : backend = ad
        idmap config * : backend = ad
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 10000 - 300000000
        admin users = int\administrators


Winbind Trace output:
accepted socket 24
[ 3851]: request interface version
[ 3851]: request location of privileged pipe
accepted socket 27
closing socket 24, client exited
[ 3851]: getgrent
child daemon request 59
Finished processing child request 59
child daemon request 59
Current tickets expire in 35986 seconds (at 1368130999, time is now 1368095013)
Search for
(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00Y\12\88r\CB3Q\0FQA\97\1C\04\02\00\00)))
in <dc=INT,dc=TMG> gave 1 replies
Could not get unix ID
Finished processing child request 59
getgrent failed: NT_STATUS_NONE_MAPPED
closing socket 27, client exited



Thanks for your help.

Greetings

Thomas

On 09/05/13 12:30, Feustel, Thomas wrote:
> Whe have a Active Directory with the SFU2307 Unix extensions running.
> The user authentication is running fine against the Active Directorty, for
this why are using the "ad" idmap backend.
>
> The only problem that are not running is, that "getent group" are
only shows the local linux groups and no Actvie Directory Groups with a GID.
>
Hi
Probably not what you want but it only works if you specify the group:
  getent group <groupname>
Steve

Hello Thomas,

Am 09.05.2013 12:30, schrieb Feustel, Thomas:
> The only problem that are not running is, that "getent group" are
> only shows the local linux groups and no Actvie Directory Groups
 > with a GID.
>
> "wbinfo -g" and "wbinfo -G" are working fine.
Sounds like
https://bugzilla.samba.org/show_bug.cgi?id=7355


Regards,
Marc