[Samba] User accounts not getting complete group membership (getent group / groups mismatch)

Bruce Cran bruce.cran at gmail.com
Fri May 16 12:35:39 MDT 2014

We recently added a new LDAP/AD group to our domain, but have found that
only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
getting the membership: "getent group <groupname>" shows them as being in
the group, but "groups <username>" doesn't. I've tried restarting winbindd
with the "-n" option to bypass caching, and deleting the winbindd_idmap.tdb
and winbindd_cache.tdb files, but nothing seems to be working.  The logs
don't have any errors in them; I tried increasing the log level to 3, but I
don't know how to interpret it: all I noticed is that it seems to pause at
a certain user, but there aren't any different messages so I don't know if
it's just waiting for the polling interval to expire?

The smb.conf file contains:

        security = ads
        realm = A.COMPANY.COM
        password server = ad.a.company.com
# note that workgroup is the 'short' domain name
        workgroup = COMPANY
#        winbind separator = +
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = true
        winbind use default domain = yes
        restrict anonymous = 2
        winbind refresh tickets = yes
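
The comparison described in the message above, as an added example that is not part of the original post: the function prints every account that "getent group" lists as a member but whose own "id -G" output lacks the group's GID. The function name, the two lookup hooks and the command-line usage are assumptions of this example; GIDs are compared rather than names because AD group names can contain spaces.

```shell
#!/bin/sh
# Added example (not from the original post): find accounts where the
# group database and the per-user group list disagree.

# Lookup hooks. On a live host both go through NSS, and so through winbind.
group_line() { getent group "$1"; }        # name:passwd:gid:member1,member2
user_gids()  { id -G "$1" 2>/dev/null; }   # space-separated numeric GIDs

# Print each listed member whose own GID list does not contain the group.
# Returns 0 if both views agree, 1 on any mismatch, 2 if the group is unknown.
membership_mismatch() {
    line=$(group_line "$1") || return 2
    [ -n "$line" ] || return 2
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    members=$(printf '%s\n' "$line" | cut -d: -f4)
    rc=0
    old_ifs=$IFS
    IFS=,                       # the member field is comma-separated
    for user in $members; do
        IFS=$old_ifs
        # Pad with spaces so one GID cannot match as a prefix of another.
        case " $(user_gids "$user") " in
            *" $gid "*) ;;
            *) printf '%s\n' "$user"; rc=1 ;;
        esac
        IFS=,
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh check_membership.sh <groupname>
if [ "$#" -gt 0 ]; then
    membership_mismatch "$1"
fi
```

An account that "id" cannot resolve at all is also reported, since its GID list is empty.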

