Sorry, please ignore my previous - I fixed it using a method I thought
I'd already tried:
systemctl stop smbd nmbd winbindd
rm winbindd_* from /var/lib/samba/ (leaving the "wb priv" dir alone)
rm * from /var/cache/samba/
systemctl start smbd nmbd winbindd
id now works fine.
Cheers
Jon
On Fri, 2017-06-16 at 11:51 +0000, Jon Gerdes via samba wrote:
> All
>
> I am using the following config on a PC with Samba 4.6.5 (Arch), joined
> to a 2012 R2 domain/forest.
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 10000 - 19999
>
> # id <username>
>
> returns a list of groups fine for most users but for some, it includes
> deleted groups and misses groups that have been recently added.
>
> If I create a new user and a few groups, I can add and remove
> memberships fine and by flushing the cache as required, id works
> fine.
> For one particular user at least there are several extra entries
> returned by id. Deleted groups show a gid but no name. A recently
> added group does not appear in the list.
>
> These all work correctly:
> # net ads user info <user> -U <me> -S dc2
> # net rpc user info <user> -U <me> -S dc2
>
> I have rebooted all DCs (Winupdates 8), restarted my PC, flushed
> caches, deleted tdb files, run LDP and ADSI edit to see if there are
> any funny attributes on the user object, cleared all deleted objects in
> AD via PowerShell.
>
> Running with "log level = 0 winbind:10 idmap:10" shows the "ghost" SIDs
> failing to be looked up but doesn't seem to show me how the SIDs were
> found in the first place to cause a lookup.
>
> I've run:
>
> C:\> wmic group get domain,name,sid (gets you a list of all groups in
> the domain and their SIDs)
>
> and looked for the offending RIDs but they are not there.
>
> I'm not sure what I can try next. If anyone could tell me how idmap
> rid finds a list of SIDs for groups belonging to a user that might send
> me down the right path.
>
> I've just checked a pair of 4.5.x Sambas and they work OK. I've read
> all the bugs that I could find in Bugzilla but none look appropriate.
>
> Cheers
> Jon
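
An added example, not part of the thread: a small shell helper that picks the nameless gids out of `id` output and converts each one back to the RID to search for in the domain's SID list. It assumes coreutils `id` prints an unresolvable group as a bare number, the default `base_rid` of 0, and the mapping from idmap_rid(8), RID = ID + BASE_RID - LOW_RANGE_ID; the sample line and the function name are constructed.

```shell
#!/bin/sh
# Values from the thread: "idmap config MYDOM : range = 10000 - 19999"
LOW=10000
HIGH=19999
BASE_RID=0   # assumption: idmap_rid default, not set in the posted config

# Constructed sample of `id <username>` output with two nameless groups
# and one gid that belongs to the "*" (tdb) range instead of MYDOM.
SAMPLE='uid=11105(MYDOM\jon) gid=10513(MYDOM\domain users) groups=10513(MYDOM\domain users),11234,11301(MYDOM\staff),11377,1000004'

# ghost_rids "<id output line>"
# Prints "gid rid" for every group that has no name and falls inside the
# rid backend's range. Gids outside that range are skipped, because the
# formula only applies to IDs allocated by idmap_rid.
ghost_rids() {
    printf '%s\n' "$1" |
        sed -n '/groups=/{s/.*groups=//;s/ context=.*//;p;}' |
        tr ',' '\n' |
        awk -v low="$LOW" -v high="$HIGH" -v base="$BASE_RID" '
            # A resolved entry looks like 10513(NAME); a ghost is digits only.
            /^[0-9]+$/ {
                gid = $0 + 0
                if (gid >= low && gid <= high)
                    print gid, gid - low + base
            }'
}

# Demo on the constructed sample; on a live host pass "$(id someuser)".
ghost_rids "$SAMPLE"
```

Each RID printed can be compared against the last component of the SIDs in the `wmic group get domain,name,sid` listing; a RID that is absent there but still returned by `id` points at stale local winbind state rather than at the directory.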