samba - Oct 2013 - nss_windbind.so can't see groups that wbinfo -g can (4.0.9 as AD DC)

[I'm afraid $customer made me anonymize their rootdn, user and group
names, so the ones below are made up.  Hopefully I haven't introduced
any errors in the process.]

I'm running Debian 7 with samba 4.0.9dfsg1-1 built from
git://git.debian.org/pkg-samba/samba.  I'm using samba as an AD DC,
with accounts migrated from a samba3/slapd stack using samba-tool
domain classicupgrade.

What I find confusing is that there are groups in samba -- as
confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that
are not reported by getent groups (glibc's nss query tool).  Further,
getent groups can reverse-resolve GIDs into the missing groups.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 1-samba-tool.txt
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 2-wbinfo.txt
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 3-ldapsearch.txt
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 4-getent.txt
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0003.txt>
-------------- next part --------------


This is the worst one -- it only reverse-resolves:

    # getent group fb
    # getent group FB\\fb
    # getent group | grep fb:
    # getent group 1019
    FB\fb:*:1019:
    #

This one forward and reverse-resolves, but isn't listed by default:

    # getent group welles
    FB\welles:*:5029:
    # getent group FB\\welles
    FB\welles:*:5029:
    # getent group | grep welles:
    # getent group 5029
    FB\welles:*:5029:
    #

I can't understand why wbinfo and nss_windbind would give different
results.  The cn=fb and cn=robobobo objects, for example, look pretty
much alike -- it's not something as obvious as objectClass: posixGroup
in one and other the other.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 5-fb.ldif
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 6-robobobo.ldif
URL:
<http://lists.samba.org/pipermail/samba/attachments/20131011/da6c725b/attachment-0001.ksh>

trentbuck at gmail.com (Trent W. Buck) writes:
> I'm running Debian 7 with samba 4.0.9dfsg1-1 built from
> git://git.debian.org/pkg-samba/samba.  I'm using samba as an AD DC,
> with accounts migrated from a samba3/slapd stack using samba-tool
> domain classicupgrade.
>
> What I find confusing is that there are groups in samba -- as
> confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that
> are not reported by getent groups (glibc's nss query tool).  Further,
> getent groups can reverse-resolve GIDs into the missing groups.
FTR, I gave up and used libnss-ldapd instead, which is working well
enough for now, more or less per
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

I'm still interested in investigating/resolving the winbind weirdness if
anyone, though.