This is a regression in trusty.
Consider:
$wbinfo -r jgg
1000
-1
10009
10011
10004
10003
-1
1002
-1
Results in:
$ getent initgroups jgg
jgg 4 24 27 30 46 108 124 1000 10009 10011 10004 10003 1002
$ id jgg
uid=2009(jgg) gid=1000(orc) groups=1000(orc),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),4294967295,10009(vpn_users),10011(xweb_users),10004(accounting),10003(domain_users),4294967295,1002(wsudoers),4294967295
Those 4294967295 values should not be in the group list.
The underlying issue is that some of the AD groups the user is a part of are not UNIX groups, they are just general AD groups:
$ ldapsearch uid=jgg memberOf
dn: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=XWEB Users,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=VPN Users,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=accounting,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=Boards website editors,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=Parts website editors,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=adm,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=Domain Users,CN=Users,DC=ads,DC=orcorp,DC=ca
memberOf: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca
For instance, 'Print Operators' is not a UNIX group, it doesn't have the RFC2307 schema elements.
# Print Operators, Builtin, ads.orcorp.ca
dn: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca
objectClass: top
objectClass: group
cn: Print Operators
description: Members can administer domain printers
member: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
member: CN=Ian Crowe,CN=Users,DC=ads,DC=orcorp,DC=ca
distinguishedName: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca
instanceType: 4
whenCreated: 20080729165935.0Z
whenChanged: 20080808163035.0Z
uSNCreated: 8209
uSNChanged: 30817
name: Print Operators
objectGUID:: SBkgyF4upEG4GO6bRhj17g==
objectSid:: AQIAAAAAAAUgAAAAJgIAAA==
adminCount: 1
sAMAccountName: Print Operators
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=orcorp,DC=ca
isCriticalSystemObject: TRUE
# wsudoers, Users, ads.orcorp.ca
dn: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
objectClass: top
objectClass: group
cn: wsudoers
description: Workstation Sudoers
member: CN=Rolf Manderscheid,CN=Users,DC=ads,DC=orcorp,DC=ca
member: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
member: CN=Ian Crowe,CN=Users,DC=ads,DC=orcorp,DC=ca
distinguishedName: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
instanceType: 4
whenCreated: 20080808044201.0Z
whenChanged: 20111130193544.0Z
uSNCreated: 30255
info: Members can use sudo on the workstations
uSNChanged: 2007454
name: wsudoers
objectGUID:: oYEd5AZTyESv6SHZoxBGeQ==
objectSid:: AQUAAAAAAAUVAAAAmm48yDCxnAEu012CfgQAAA==
sAMAccountName: wsudoers
sAMAccountType: 536870912
managedBy: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=orcorp,DC=ca
msSFU30Name: wsudoers
msSFU30NisDomain: ads
gidNumber: 1002
Turns out this is not just a cosmetic problem, having -1 in a supplementary group list completely breaks the NFS sever as well, in a very hard to find way.