Just to add a few data points, we've been running Winbind for years to use accounts from our university's domain. We don't have Domain Admin access though so a lot of accounts belong to AD groups out of our control and that we can't assign GIDs to. This has never been an issue because Winbind would not report membership in such groups to Linux. Compare the output of Ubuntu 12.04 and 14.04 for the same account:
### 12.04 + winbind 2:3.6.3-2ubuntu2.10 truffle:~$ groups mhatrak mhatrak : domain users ling-mayberrylab BUILTIN\users truffle:~$ id mhatrak uid=100051358(mhatrak) gid=513(domain users) groups=513(domain users),1310022(ling-mayberrylab),287(BUILTIN\users) ### 14.04 + winbind 2:4.1.6+dfsg-1ubuntu2 enoki:~$groups mhatrak mhatrak : domain users groups: cannot find name for group ID 4294967295 4294967295 groups: cannot find name for group ID 4294967295 4294967295 ling-mayberrylab libuuid enoki:~$id mhatrak uid=100051358(mhatrak) gid=513(domain users) groups=513(domain users),4294967295,4294967295,1310022(ling- mayberrylab),101(libuuid) The new behavior breaks sudo because it can't verify all the groups. It may be that this is the only program affected but I haven't done any exhaustive testing. enoki:~$sudo bash sudo: unable to set runas group vector: Invalid argument Interestingly, SSSD works better now. It also reports an error but at least sudo is still functional. ### 14.04 + sssd 1.11.5-1ubuntu3 porcini:~$ groups mhatrak mhatrak : groups: cannot find name for group ID 1000002 1000002 ling-mayberrylab domain users porcini:~$ id mhatrak uid=100051358(mhatrak) gid=1000002 groups=1000002,1310022(ling-mayberrylab),513(domain users) porcini:~$ sudo bash porcini:~# It seems to me the old Winbind behavior is desirable. There's little point in telling the OS about group membership for groups that are not going to work due to their lack of a GID. It should be easy to filter them out automatically or at least provide an option to do so. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/1307778 Title: getent group on trusty returns only local groups To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1307778/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs