Michael Davidson
2008-Dec-24 17:53 UTC
[Samba] Winbind not getting new membership for AD users
Happy Holidays for those of you celebrating holidays this time of year :-)

I am having difficulty with a newly joined Samba server, version 3.0.28-1 on CentOS 5.1. Winbind doesn't seem to be picking up changes to group membership. For instance, the example commands below show a discrepancy between wbinfo and getent group (dom\user1 does, in fact, belong to dom\group, aka 10016):

# wbinfo -r dom\\user1
10001 10015 10039

# getent group dom\\group
dom\group:*:10016:dom\user1,dom\user2,dom\user3

In this second example, wbinfo thinks user dom\user4 does not belong to group 10005, but getent believes (again, correctly) that dom\user4 does NOT belong to group 10005.

# wbinfo -r dom\\user4
10009 10029 10016 10001 10008 10007 10006 10028 10005 10039

# getent group 10005
dom\group:*:10005:dom\user5,dom\user6

In both cases, getent correctly shows group membership whereas wbinfo does not "know" about changes made after the server was first joined to the domain.

In looking through the logs, I see in /var/log/samba/winbindd.log the following message repeated hundreds of times since the server was joined. Is this related to the problem above?

[2008/12/24 12:36:24, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(606) could not lookup sid
[2008/12/24 12:36:28, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(606) could not lookup sid
[2008/12/24 12:36:37, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(606) could not lookup sid

I am unsure where to troubleshoot next. I appreciate your help very much!!

Michael Davidson
Mount Washington Observatory
North Conway, NH 03860
www.mountwashington.org
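Added example, not part of the original post: a shell check that lists every gid on which the two views compared above disagree for one user, which matters because access decisions on the server follow these memberships. The function names and output labels are hypothetical, and the sample input is constructed from the values quoted in the message.

```shell
#!/bin/sh
# Compare the gids reported by `wbinfo -r USER` with the groups whose
# `getent group` member list names USER. Names are hypothetical helpers.

# gids_from_getent USER: reads `getent group` lines on stdin and prints the
# gid of every group that lists USER as a member.
# USER is passed through the environment, not `awk -v`, because -v would
# interpret the backslash in DOM\user as an escape sequence.
gids_from_getent() {
    U="$1" awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == ENVIRON["U"]) { print $3; break }
    }' | sort -u
}

# membership_diff USER WBINFO_GIDS GETENT_LINES
# Prints "getent-only GID" for groups that list USER but are absent from
# wbinfo -r, and "wbinfo-only GID" for the reverse.
membership_diff() {
    user=$1 wb_gids=$2 getent_lines=$3
    ge_gids=$(printf '%s\n' "$getent_lines" | gids_from_getent "$user")
    WB="$wb_gids" GE="$ge_gids" awk 'BEGIN {
        nw = split(ENVIRON["WB"], w, /[ \t\n]+/)
        for (i = 1; i <= nw; i++) if (w[i] != "") inwb[w[i]] = 1
        ng = split(ENVIRON["GE"], g, /[ \t\n]+/)
        for (i = 1; i <= ng; i++) if (g[i] != "") {
            inge[g[i]] = 1
            if (!(g[i] in inwb)) print "getent-only " g[i]
        }
        for (i = 1; i <= nw; i++)
            if (w[i] != "" && !(w[i] in inge)) print "wbinfo-only " w[i]
    }'
}

# Constructed sample: the first case from the message above.
SAMPLE_WBINFO='10001 10015 10039'
SAMPLE_GETENT='dom\group:*:10016:dom\user1,dom\user2,dom\user3'
membership_diff 'dom\user1' "$SAMPLE_WBINFO" "$SAMPLE_GETENT"

# On a live host (assumes `getent group` enumerates domain groups, which
# needs `winbind enum groups = yes` in smb.conf):
#   membership_diff 'DOM\user' "$(wbinfo -r 'DOM\user')" "$(getent group)"
```

A "wbinfo-only" line is only meaningful when the getent input covers all groups; with a single group line, as in the sample, only the "getent-only" result is conclusive.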