[Samba] Winbind showstopper!

[SRuth at LANDAM.com]

Hello all,
 
First off, let me say I've been using Samba successfully since '98.  Except
for a few minor issues here and there it's worked quite well.  So, thank you
for an excellent product.
 
Last weekend I migrated an existing Samba file/print server to a brand new
server.  This included upgrading Samba from 3.0.7 to 3.0.14a.
I've successfully been using winbind to authenticate to Windows 2000 and
then Windows 2003 AD domains (DOMAIN security mode, not ADS) for 2-3 years
now.  So, in order to maintain the existing domain account to UID mappings I
moved the winbindd_*.tdb files from the old to the new server.  (In case it
matters, I actually moved all of the .tdb files from the old to the new.)
 
This seemed to work just fine until I started modifying users' group
memberships in AD.  It seems winbind is not registering group membership
modifications.  It either doesn't register the updates at all, or not in a
timely fashion(as in it finally changed overnight for one account, but not
the other).  In case it matters, winbindd cache is set to 30 seconds.  I
used to have it set to 600 seconds, but changed it when I started
experiencing this issue.
 
The new server is running RedHat Enterprise Linux 4 ES.  Samba was built
from the redhat source RPM from the samba site.
 
I have also seen the same behavior on Samba version 3.0.15pre2.
 
Obviously this is a showstopper as I cannot appropriately change users'
access to resources.
 
Is this a known problem?  Is there a workaround?
 
Let me know if more information is required.
 
Thanks.
 
 
Sven M. Ruth
Sr. Analyst - Technology Resources
LandAmerica - Chicago Area
Ph:  312-558-1600 ext. 3023
 
"We are all born originals -- why is it so many of us die copies?" -- Edward
Young