Tobias Hennerich
2009-Jan-19 16:11 UTC
[Samba] Strange problems with ADS-groups and winbindd
Hello,

we experience some strange problems with group memberships of ADS users using samba v3.2.4 on SLES-9. An upgrade to v3.2.7 didn't help.

Changes to the membership of users in ADS universal groups don't take effect at all, or take a long time (1 day) to be seen on the linux side.

For example the command "net" shows the following GIDs of a user:

    # for i in $(net ads user info thenneri -U xxx)
      do
        getent group $i | awk -F : '{ print $3 }'
      done | sort
    Enter xxx's password:
    10006
    10007
    10008
    10009
    10011
    10374

The wbinfo shows the following GIDs of the same user:

    # wbinfo -r thenneri | sort
    10003
    10005
    10006
    10007
    10008
    10009
    10010
    10011

10005 is "domain users" - seems to be ok.
10003 is "BUILTIN\users" - I have no idea how I get into that group.
The group 10010 is wrong!
The group 10374 is missing!

After deleting some cache files from winbind, the output of wbinfo looks more like the net command:

    # /etc/init.d/winbind stop
    Shutting down Samba WINBIND daemon                              done
    # cd /var/lib/samba
    # mv netsamlogon_cache.tdb netsamlogon_cache.tdb.OLD
    # mv winbindd_cache.tdb winbindd_cache.tdb.OLD
    # /etc/init.d/winbind start
    Starting Samba WINBIND daemon                                   done
    # wbinfo -r thenneri | sort
    10003
    10005
    10006
    10007
    10008
    10009
    10010
    10011
    10374

The group 10010 is still wrong, but now the missing group 10374 is shown with both commands. This output doesn't change for the next few hours until we restart the nmb-daemon (?!? - restarting winbind or smb doesn't have any effect):

    # /etc/init.d/nmb restart
    Shutting down Samba NMB daemon                                  done
    Starting Samba NMB daemon                                       done
    # wbinfo -r thenneri | sort
    10003
    10005
    10006
    10007
    10008
    10009
    10010
    10011

Now the group 10374 is missing again!
Our smb.conf looks like this:

    [global]
        workgroup = XX
        realm = xx.yyyy.com
        security = ADS
        encrypt passwords = yes
        preferred master = no
        idmap uid = 10000-50000
        idmap gid = 10000-50000
        winbind use default domain = yes
        template shell = /bin/bash
        winbind refresh tickets = true
        client use spnego = yes
        use kerberos keytab = true
        winbind cache time = 30

    [share]
        comment = sharing directory
        browseable = yes
        available = yes
        path = /data/share/
        guest ok = no
        printable = no
        writeable = yes

Does anyone have any idea how to debug this?

Thank you for your help!

Best regards
Tobias
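The post compares two sorted GID columns by eye, once before and once after each cache flush or daemon restart. The script below is an added example, not part of the original post or of Samba: it wraps the same three commands the poster used (net ads user info, getent, wbinfo -r) and prints a concrete MISSING/EXTRA diff between what the domain controller reports and what winbindd answers, so a stale winbind cache is visible as a one-line finding. The pure comparison function runs without a domain, which is why the offline demo below uses the two lists quoted in the post as constructed input. The environment variable names CHECK_USER, CHECK_CREDS and IGNORE_GIDS are chosen here and are not Samba settings.

```shell
#!/bin/sh
# Added example (not from the original post): compare the group list the
# domain controller reports for a user with the list winbindd returns, so a
# stale winbind cache shows up as a MISSING/EXTRA diff instead of two
# sorted columns read by eye.
#
# Assumptions: 'net', 'wbinfo' and 'getent' behave as in the post; the
# environment variables CHECK_USER, CHECK_CREDS and IGNORE_GIDS are names
# chosen here, not Samba settings.

# Pure comparison, usable without a domain.  $1 = GIDs from the DC,
# $2 = GIDs from winbind, $3 = optional GIDs that are expected to appear
# only on the winbind side (in the post, 10005 = "domain users").  All three
# are whitespace-separated lists.  Prints "MISSING <gid>" for a GID the DC
# lists but winbind does not, "EXTRA <gid>" for the reverse.  Always
# returns 0 so it can be called under 'set -e'.
compare_gid_lists() {
    # normalise: one GID per line, deduplicated, back to a space-separated list
    dc_list=$(printf '%s\n' $1 | sort -u | tr '\n' ' ')
    wb_list=$(printf '%s\n' $2 | sort -u | tr '\n' ' ')
    ignore_list=" ${3:-} "
    for gid in $dc_list; do
        case " $wb_list " in
            *" $gid "*) ;;
            *) echo "MISSING $gid" ;;
        esac
    done
    for gid in $wb_list; do
        case " $dc_list " in
            *" $gid "*) ;;
            *) case "$ignore_list" in
                   *" $gid "*) ;;
                   *) echo "EXTRA $gid" ;;
               esac ;;
        esac
    done
    return 0
}

# Live collection, same commands the post uses: resolve the group names
# printed by 'net ads user info' to GIDs through getent.
dc_gids_for_user() {
    for g in $(net ads user info "$1" -U "$2"); do
        getent group "$g" | awk -F: '{ print $3 }'
    done
}

# Live collection: the GIDs winbindd currently answers with.
wb_gids_for_user() {
    wbinfo -r "$1"
}

if [ -n "${CHECK_USER:-}" ]; then
    # Live run, e.g.:
    #   CHECK_USER=thenneri CHECK_CREDS=admin IGNORE_GIDS=10005 sh check_groups.sh
    compare_gid_lists \
        "$(dc_gids_for_user "$CHECK_USER" "${CHECK_CREDS:-$CHECK_USER}")" \
        "$(wb_gids_for_user "$CHECK_USER")" \
        "${IGNORE_GIDS:-}"
else
    # Offline demo on the two lists quoted in the post (constructed input).
    # Prints: MISSING 10374 / EXTRA 10003 / EXTRA 10010
    compare_gid_lists \
        "10006 10007 10008 10009 10011 10374" \
        "10003 10005 10006 10007 10008 10009 10010 10011" \
        "10005"
fi
```

Running the live check before and after each step the post describes (moving the two cache tdb files, restarting winbind, restarting nmb) turns the "10374 comes and goes" observation into a per-step diff, which narrows down which restart actually changes winbindd's answer.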