Jim Stalewski
2011-Jan-21 01:26 UTC
[Samba] Possible bug in nss_winbind with ad backend and rfc2307
I ran some tests to see why getent passwd was not enumerating my domain users and discovered this:

If I getent passwd <username> it returns the user information including the primary group defined in the Unix attributes. If I add a Unix GID in the idmap config range to the domain's Domain Users group and getent passwd, it returns all of my domain users with all of the Unix attributes as defined in AD for them, BUT it replaces the primary group GID with the GID I defined for the Domain Users group.

Apparently, some genius decided that the best way to look up users in AD is by membership in "Domain Users" rather than iterating through the directory looking for users that have rfc2307 attributes defined, totally ignoring the rfc2307 group attribute on the user objects.

The suspected bug is that it is not using the rfc2307 primary GID attribute, but rather is defaulting the "Domain Users" group as the primary group for all users regardless of the rfc2307 attributes.

Is there a way to force Winbind not to use the Domain Users group as the primary group for the winbindd_getpwent process, so it returns the rfc2307 group attribute as it used to / should? Or do I have to redo all of my group file ownership/permissions on all of my servers to match "Domain Users" for some ungodly reason?

Currently running Samba 3.4.3 on SLES 11.1, and authenticating against Windows 2003R2 AD, but I suspect this same bug/feature was introduced with the idmap changes in 3.30 and above so should apply to all versions above 3.30. I don't know if the same logic is being used in v4 winbind idmap process...
Jim Stalewski
2011-Jan-21 20:57 UTC
[Samba] Possible bug in nss_winbind with ad backend and rfc2307
More info on this topic:
Without giving my AD domain's Domain Users group a Unix gid, getent
passwd enumerates no AD users. With the Domain Users group having a gid
in the range of the idmap config range, I do get my users enumerated
with a getent passwd.
In winbindd.log, for each cached user with rfc2307 information, it logs
for nss_get_info_cached:
result:
homedir = '/home/user'
shell = '/bin/bash'
gecos = '(null)' (because I'm not using gecos attrib)
gid = '60000'
but the getent passwd result is
user:*:10043:12011:User Name:/home/user:/bin/bash
where 12011 is the gid I gave to "Domain Users."
rfc2307 should have returned gid 60000 as per the nss_get_info_cached
result.
If I do: getent passwd user
the result is:
user:*:10043:60000:User Name:/home/user:/bin/bash
as it should be.
gid 60000 is a local group, not an AD-defined group, so as not to depend
on AD for filesystem group ownership/permissions. If getent passwd
doesn't enumerate the user data with the user having the proper default
group, they will not inherit the proper permissions.
> -----Original Message-----
> From: Jim Stalewski
> Sent: Thursday, January 20, 2011 7:26 PM
> To: samba at lists.samba.org
> Subject: [Samba] Possible bug in nss_winbind with ad backend
> and rfc2307
>
> I ran some tests to see why getent passwd was not enumerating
> my domain users and discovered this:
>
> If I getent passwd <username> it returns the user information
> including the primary group defined in the Unix attributes.
> If I add a Unix GID in the idmap config range to the domain's
> Domain Users group and getent passwd, it returns all of my
> domain users with all of the Unix attributes as defined in AD
> for them, BUT it replaces the primary group GID with the GID
> I defined for the Domain Users group.
>
> Apparently, some genius decided that the best way to look up
> users in AD is by membership in "Domain Users" rather than
> iterating through the directory looking for users that have
> rfc2307 attributes defined, totally ignoring the rfc2307
> group attribute on the user objects.
>
> The suspected bug is that it is not using the rfc2307 primary
> GID attribute, but rather is defaulting the "Domain Users"
> group as the primary group for all users regardless of the
> rfc2307 attributes.
>
> Is there a way to force Winbind not to use the Domain Users
> group as the primary group for the winbindd_getpwent process,
> so it returns the
> rfc2307 group attribute as it used to / should? Or do I have
> to redo all of my group file ownership/permissions on all of
> my servers to match "Domain Users" for some ungodly reason?
>
> Currently running Samba 3.4.3 on SLES 11.1, and
> authenticating against Windows 2003R2 AD, but I suspect this
> same bug/feature was introduced with the idmap changes in
> 3.30 and above so should apply to all versions above 3.30. I
> don't know if the same logic is being used in v4 winbind
> idmap process...
>
>
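A check for the symptom described in both posts, as an added example that is not from the original thread or from Samba itself: it compares the primary GID that enumeration (getent passwd, i.e. winbindd_getpwent) reports for each user against the GID that a direct getent passwd <user> lookup reports, and lists every user where the two disagree. The function names (compare_primary_gids, direct_lookups, check_live) are hypothetical. The sample lines are constructed from the numbers in the post (uid 10043, rfc2307 gid 60000, Domain Users gid 12011) plus a second hypothetical user whose real primary group is Domain Users, so that the check does not flag users for whom the enumerated GID is correct.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Samba.
# Compares the primary GID seen during enumeration with the primary GID
# seen on a direct per-user lookup. In the situation the post describes,
# enumeration reports the Domain Users GID while the direct lookup reports
# the user's rfc2307 gidNumber.

# Constructed sample data (passwd format) mirroring the post's output.
# "user" is the case from the post; "alice" is a hypothetical user whose
# rfc2307 primary group really is Domain Users (12011), so no mismatch.
ENUM_SAMPLE='user:*:10043:12011:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash'

LOOKUP_SAMPLE='user:*:10043:60000:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash'

# compare_primary_gids ENUM_TEXT LOOKUP_TEXT
#   ENUM_TEXT   - output of "getent passwd" (enumeration)
#   LOOKUP_TEXT - one "getent passwd <user>" line per enumerated user
# Prints one line per user whose enumerated GID differs from the GID
# returned by the direct lookup; prints nothing when everything agrees.
compare_primary_gids() {
    enum=$1
    lookup=$2
    printf '%s\n' "$enum" | while IFS=: read -r user pw uid gid rest; do
        [ -n "$user" ] || continue
        # GID from the direct lookup for this user (field 4 of passwd).
        lookup_gid=$(printf '%s\n' "$lookup" |
            awk -F: -v u="$user" '$1 == u { print $4; exit }')
        if [ -z "$lookup_gid" ]; then
            printf '%s: enumerated but not found by direct lookup\n' "$user"
            continue
        fi
        if [ "$gid" != "$lookup_gid" ]; then
            printf '%s: enumerated gid %s, direct lookup gid %s\n' \
                "$user" "$gid" "$lookup_gid"
        fi
    done
}

# direct_lookups ENUM_TEXT
#   Builds LOOKUP_TEXT on a live system by running "getent passwd <user>"
#   for every user name that enumeration returned.
direct_lookups() {
    printf '%s\n' "$1" | cut -d: -f1 | while read -r u; do
        getent passwd "$u"
    done
}

# check_live
#   Runs the comparison against the real NSS stack. Not called here, since
#   it needs a host with nss_winbind configured; call it by hand.
check_live() {
    enum=$(getent passwd)
    compare_primary_gids "$enum" "$(direct_lookups "$enum")"
}

# Offline demonstration on the constructed sample: reports only "user".
compare_primary_gids "$ENUM_SAMPLE" "$LOOKUP_SAMPLE"
```

On a real member server, enumeration only returns domain users at all when winbindd is allowed to enumerate them (the winbind enum users smb.conf setting), which is why the comparison is driven from the enumeration output rather than from a fixed user list; a user that enumeration returns but the direct lookup cannot find is reported separately, because that points at a different problem than the GID substitution discussed in the posts.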