Angela Gavazzi
2007-Jun-07 16:14 UTC
[Samba] urgent: winbind doesn't see groups from samba pdc+ldap
Hello!

After migrating the PDC from NT to Samba+LDAP, my member file server doesn't see the groups anymore.

I set it up with nss as shown in:
http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss

getent passwd + group show all users and groups correctly.
wbinfo -u shows all users correctly, but wbinfo -g shows only 2 builtin accounts.

I tried without nss, only with winbind, before, in the hope that I would not have to reset all permissions, but it was exactly the same.

Machine is Debian/etch, Samba 3.0.24.

Please let me know if I should send more info.
I'm very grateful for any hints.

thanks
angela

********************
here my smb.conf
********************
[global]
   # Server definition
   server string = %h (%v)
   domain logons = no
   domain master = no
   local master = no
   preferred master = no
   timeserver = no

   # Domain membership
   workgroup = AAG
   security = domain
   password server = 192.168.100.72

   # Name resolution
   name resolve order = host wins bcast

   # Allowed authentication protocols
   map archive = yes
   map hidden = no
   map readonly = yes
   map system = no
   map to guest = never
   delete readonly = yes
   preserve case = yes

   # Disconnect after 15 min. of inactivity
   log file = /var/log/samba/%m.log
   log level = 10
   syslog = 1
   panic action = /usr/share/samba/panic-action %d

   # When is data written to the disks?
   strict sync = yes
   sync always = yes
   use sendfile = yes

   # Do not set oplocks on mdb files
   veto oplock files = /*.mdb/

   # OpenOffice has problems saving, but the oplocks are not the cause!
   oplocks = yes
   level2 oplocks = yes

   # Winbind - for authentication via another server
   #winbind cache time = 300
   #winbind enum groups = yes
   #winbind enum users = yes
   #winbind uid = 10000-20000
   #winbind gid = 10000-20000

   ldap admin dn = cn=admin,dc=aag
   ldap suffix = dc=aag
   ldap group suffix = ou=groups
   ldap user suffix = ou=users
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap
   idmap backend = ldap:ldap://erde.aag
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind trusted domains only = yes

   deadtime = 15
   keepalive = 0

... shares

****************************
/etc/ldap/ldap.conf
****************************
BASE dc=aag
URI ldap://erde.aag:389 ldap://mond.aag:389
nss_base_passwd ou=users,dc=aag?one
nss_base_passwd ou=computers,dc=aag?one
nss_base_shadow ou=users,dc=aag?one
nss_base_group ou=groups,dc=aag?one
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT /etc/ldap/certs/memberserver_cert.pem
TLS_KEY /etc/ldap/certs/memberserver_key.pem
TLS_CHECKPEER yes
SSL start_tls
TLS_REQCERT allow

It makes no difference if I activate TLS or not.

******************************
/etc/nsswitch.conf
******************************
passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis