[Samba] User accounts not getting complete group membership (getent group / groups mismatch)

Bruce Cran bruce.cran at gmail.com
Fri May 16 17:28:05 MDT 2014


On Fri, May 16, 2014 at 12:35 PM, Bruce Cran <bruce.cran at gmail.com> wrote:

>
> We recently added a new LDAP/AD group to our domain, but have found that
> only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
> getting the membership: "getent group <groupname>" shows them as being in
> the group, but "groups <username>" doesn't. I've tried restarting winbindd
> with the "-n" option to bypass caching, and deleting the winbindd_idmap.tdb
> and winbindd_cache.tdb files, but nothing seems to be working.  The logs
> don't have any errors in them; I tried increasing the log level to 3, but I
> don't know how to interpret it: all I noticed is that it seems to pause at
> a certain user, but there aren't any different messages so I don't know if
> it's just waiting for the polling interval to expire?
>

I found the solution in http://serverfault.com/a/41254/54153 - deleting
/var/cache/samba/netsamlogon_cache.tdb and restarting winbind caused
'groups' to start displaying the new group. Strangely I see quite a few old
messages about that file containing stale data, but replies that it should
be fixed in newer samba versions such as the one we're using - e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=227325 .

-- 
Bruce
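
A check for the symptom described in this message, as an added example that is not part of the original post: it lists users that "getent group" reports as members of a group but whose "id -G" output lacks that group's GID. The function names are hypothetical, and GIDs are compared rather than names because AD group names can contain spaces.

```sh
#!/bin/sh
# Added example (not from the original post): find accounts that
# "getent group <group>" lists as members but whose own group list
# ("id -G <user>") does not contain the group's GID.

# Lookup wrappers (hypothetical names), kept separate so the comparison
# can also be run against captured output.
fetch_group_line() { getent group "$1"; }        # name:passwd:gid:member,member
fetch_user_gids()  { id -G "$1" 2>/dev/null; }   # space-separated numeric GIDs

# Print one line per member whose "id -G" output lacks the group's GID.
# Returns 2 if the group itself cannot be resolved.
missing_members() {
    line=$(fetch_group_line "$1") || return 2
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    members=$(printf '%s\n' "$line" | cut -d: -f4-)
    old_ifs=$IFS
    IFS=,            # members are comma-separated
    set -f           # no globbing on user names
    for user in $members; do
        IFS=$old_ifs
        found=no
        for g in $(fetch_user_gids "$user"); do
            if [ "$g" = "$gid" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$user"; fi
        IFS=,
    done
    IFS=$old_ifs
    set +f
}

# Stand-alone use: sh script.sh <groupname>
if [ "$#" -gt 0 ]; then
    missing_members "$1"
fi
```

Any user it prints is in the state described above: present in the group listing but without the group in the account's own membership.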

