Bruce Cran
2014-May-16 18:35 UTC
[Samba] User accounts not getting complete group membership (getent group / groups mismatch)
We recently added a new LDAP/AD group to our domain, but have found that
only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
getting the membership: "getent group <groupname>" shows them as being in
the group, but "groups <username>" doesn't. I've tried restarting winbindd
with the "-n" option to bypass caching, and deleting the winbindd_idmap.tdb
and winbindd_cache.tdb files, but nothing seems to be working. The logs
don't have any errors in them; I tried increasing the log level to 3, but I
don't know how to interpret it: all I noticed is that it seems to pause at
a certain user, but there aren't any different messages so I don't know if
it's just waiting for the polling interval to expire?
The smb.conf file contains:
[global]
security = ads
realm = A.COMPANY.COM
password server = ad.a.company.com
# note that workgroup is the 'short' domain name
workgroup = COMPANY
# winbind separator = +
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
winbind refresh tickets = yes
--
Bruce
Bruce Cran
2014-May-16 23:28 UTC
[Samba] User accounts not getting complete group membership (getent group / groups mismatch)
On Fri, May 16, 2014 at 12:35 PM, Bruce Cran <bruce.cran at gmail.com> wrote:
>
> We recently added a new LDAP/AD group to our domain, but have found that
> only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
> getting the membership: "getent group <groupname>" shows them as being in
> the group, but "groups <username>" doesn't. I've tried restarting winbindd
> with the "-n" option to bypass caching, and deleting the winbindd_idmap.tdb
> and winbindd_cache.tdb files, but nothing seems to be working. The logs
> don't have any errors in them; I tried increasing the log level to 3, but I
> don't know how to interpret it: all I noticed is that it seems to pause at
> a certain user, but there aren't any different messages so I don't know if
> it's just waiting for the polling interval to expire?
>

I found the solution in http://serverfault.com/a/41254/54153 - deleting
/var/cache/samba/netsamlogon_cache.tdb and restarting winbind caused 'groups'
to start displaying the new group. Strangely I see quite a few old messages
about that file containing stale data, but replies that it should be fixed in
newer samba versions such as the one we're using - e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=227325 .

--
Bruce
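The mismatch described in this thread (a user listed as a member by "getent group" whose own "groups" output lacks the group) is easy to miss when only a few accounts are affected. The following script is an added example, not part of the original thread or of Samba: it parses one line of "getent group" output, runs the equivalent of "groups <user>" for each listed member, and reports the members for which the two views disagree, so a stale netsamlogon_cache.tdb shows up as a concrete list of users rather than a vague "some accounts". The group name "devteam", the users and the "groups" output are constructed sample data so the script runs offline; on a winbind-joined host you would replace the sample_groups function with the real "groups" command as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): find members that "getent group" lists
# but whose "groups <user>" output does not include the group.

# Constructed sample line of "getent group devteam" output. The gid sits in
# the idmap range from the thread's smb.conf (16777216-33554431).
SAMPLE_GETENT='devteam:x:16777300:alice,bob,carol'

# Constructed stand-in for "groups <user>". On a real host replace the body
# of this function with:  groups "$1"
sample_groups() {
    case "$1" in
        alice) echo 'alice : domain users devteam' ;;
        bob)   echo 'bob : domain users' ;;            # stale: devteam missing
        carol) echo 'carol : domain users devteam' ;;
        *)     echo "$1 : domain users" ;;
    esac
}

# members_of GETENT_LINE: print the comma-separated member field one per line.
members_of() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
}

# user_has_group USER GROUP: succeed if "groups USER" lists GROUP.
# "groups" separates names with spaces, so a group name that itself contains
# a space (common with AD groups when "winbind use default domain = yes")
# cannot be matched reliably here; this check assumes space-free names.
user_has_group() {
    sample_groups "$1" | cut -d: -f2 | grep -qw -- "$2"
}

# missing_members GETENT_LINE: print users that getent lists as members but
# whose own "groups" output does not show the group.
missing_members() {
    group=$(printf '%s\n' "$1" | cut -d: -f1)
    members_of "$1" | while read -r u; do
        [ -n "$u" ] || continue
        user_has_group "$u" "$group" || printf '%s\n' "$u"
    done
}

# Stand-alone run against the constructed sample.
missing=$(missing_members "$SAMPLE_GETENT")
if [ -n "$missing" ]; then
    echo "members listed by getent but absent from 'groups' output:"
    echo "$missing"
else
    echo "no getent/groups mismatch for this group"
fi
```

Run it before and after clearing the cache file and restarting winbind: if the list empties, the stale-cache explanation from the follow-up post is confirmed; if it does not, the problem lies elsewhere (idmap range exhaustion or an enumeration limit, for instance) and the winbind log is the next place to look.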