Piotr Kandziora
2017-Jan-16 15:11 UTC
[Samba] wbinfo -u does not return users from trusted domains
Hi,

I'm using samba 4.4.9 in an environment with trusted domains (windows 2k12R2; domain names: res.local, sub.res.local, res2.local).

When I use getent passwd/group I can get list of users/groups from all domains (res, sub, res2).

However, when I use wbinfo -u/-g I get list of users/groups only from the native domain I am connected to (res).

I'm able to fetch users/groups using wbinfo -u/-g --domain=RES2/SUB and authenticate with users from all domains (only wbinfo -u/-g does not return full list of users/groups).

Is this a known issue, anyone came across this?

Part of smb.conf:

idmap backend = tdb
winbind cache time = 300
winbindd privileged socket directory /var/lib/samba/winbindd_privileged
winbindd socket directory = /var/run/samba/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = Yes
winbind request timeout = 200
winbind rpc only = No
winbind sealed pipes = Yes
winbind separator = +
winbind trusted domains only = No
winbind use default domain = No

Best regards,
Piotr K
Rowland Penny
2017-Jan-16 15:56 UTC
[Samba] wbinfo -u does not return users from trusted domains
On Mon, 16 Jan 2017 16:11:28 +0100 Piotr Kandziora via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm using samba 4.4.9 in an environment with trusted domains (windows
> 2k12R2; domain names: res.local, sub.res.local, res2.local).
>
> When I use getent passwd/group I can get list of users/groups from all
> domains (res, sub, res2).
>
> However, when I use wbinfo -u/-g I get list of users/groups only from
> the native domain I am connected to (res).
>
> I'm able to fetch users/groups using wbinfo -u/-g --domain=RES2/SUB
> and authenticate with users from all domains (only wbinfo -u/-g does
> not return full list of users/groups).
>
> Is this a known issue, anyone came across this?
>
> Part of smb.conf:
>
> idmap backend = tdb
> winbind cache time = 300
> winbindd privileged socket directory
> /var/lib/samba/winbindd_privileged
> winbindd socket directory = /var/run/samba/winbindd
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind expand groups = 0
> winbind max clients = 200
> winbind max domain connections = 1
> winbind nested groups = Yes
> winbind normalize names = No
> winbind nss info = template
> winbind offline logon = No
> winbind reconnect delay = 30
> winbind refresh tickets = Yes
> winbind request timeout = 200
> winbind rpc only = No
> winbind sealed pipes = Yes
> winbind separator = +
> winbind trusted domains only = No
> winbind use default domain = No
>
>
> Best regards,
> Piotr K

I think you need to read 'man idmap_ad' & 'man idmap_rid', also reading 'man smb.conf' would be a good idea.

Most of the smb.conf lines you have posted are the defaults and 'idmap backend' was deprecated quite some time ago.

Rowland