Overview: Samba 3.6.22 seems to have reintroduced an old winbind bug that existed from 3.5.x (don't know the exact version) until 3.6.6, i.e. domain-local groups don't seem to work anymore. Domain-local groups from my Windows 2008 R2 domain worked fine for me with Samba 3.6.21. After my recent update to 3.6.22, when I logged in with a Windows user and checked my groups using "id", only the built-in and global groups were listed. After downgrading to 3.6.21 everything once again worked as expected.

Steps to Reproduce:
- Upgrade to or install Samba 3.6.22 on a machine joined to a Windows domain
- Restart the machine (or the Samba services)
- Log in with a Windows user that is a member of at least one domain-local group
- Check group membership with the "id" command

Actual Results: Only the built-in / global groups are listed.

Expected Results: Built-in, global and domain-local groups are listed.

Build Date & Platform: Ubuntu 12.04 LTS x64
Sernet Enterprise Samba 3.6.22 packages: http://download.sernet.de/pub/samba/3.6/debian/dists/squeeze/main/binary-amd64/

Sidenote: Ubuntu 12.04 LTS x64 by default unfortunately comes with Samba 3.6.3, which has the exact same problem with domain-local groups.
I retried installing Samba 3.6.22 (Sernet Enterprise packages) after purging every trace of the older packages and rejoined the domain, and now domain-local groups seem to work fine again. Sorry if I caused any inconvenience.
Unfortunately the problem reappeared today after about 2 days of uptime. Once again, after logging in with an AD account and checking with "id", domain-local groups were missing. Interestingly, "wbinfo -g" as well as "getent group" were still listing domain-local groups. After restarting the winbind daemon, domain-local groups started working again. So there seems to be a problem that only manifests itself after some time. I hope the problem can be fixed soon, as my server has already gone into production. I realise that I could restart winbind regularly using a cronjob, but a fix would still be great.

Sidenote: My other server running CentOS 6.5 with Samba 3.6.9 doesn't have this problem after 36 days of uptime (and didn't for several months before that while running Samba 3.5.6).
In our organization, we have the same problem.

Environment:
- Windows 2008R2 AD (domain level = forest level)
- 2x Win 2008R2 DC servers
- 2x Win 2012 DC servers
- ~2k user accounts
- ~1k groups (with a majority of Domain-local groups)

Samba member server:
- Debian 7.5 with Samba 3.6.6: same problem
- Debian 7.5 with Samba 4.1.9 from backports: same problem

It's really annoying because most of our ACLs are applied to Domain-local groups.

Steps to reproduce:
- Disconnect the Samba clients and stop the samba & winbind services
- Clear logs, cache, /run/samba/* and winbind mappings
- Start winbind
- Read groups:

root@debian7-dev:~# wbinfo -r my-user | wc -l
62

- Start samba
- Connect from a client with my user
- Read groups:

root@debian7-dev:~# wbinfo -r my-user | wc -l
13
root@debian7-dev:~# wbinfo -r my-user
1000513
1001657
1013475
1018064
1017454
1018065
1000520
1000512
1000519
1000518
-1
-1
-1
Those -1 group memberships usually come from bad idmap configurations. With working idmapping for each and every group, without conflicts there, I've never seen issues with this.
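The two symptoms in this thread are separable: "-1" entries in "wbinfo -r" output mean winbind has no gid mapping for a SID (the idmap problem pointed out above), whereas a shrinking group list that recovers after a winbind restart is the membership loss the reporters describe. The script below is an added diagnostic, not code from the reporters or from the Samba project. It parses "wbinfo -r USER" output (one numeric gid per line, "-1" for an unmapped SID, as shown in the thread), counts mapped and unmapped entries, compares the mapped count against a baseline taken right after a fresh winbind start, and lists gids that winbind reports but that "id -G USER" (coreutils) does not return for the login session. The sample data is constructed from the numbers in the thread; running the script with a username performs the same checks against a live member server, and it assumes "wbinfo" and "id" are on the PATH.

```shell
#!/bin/sh
# Added example (not from the bug report): check a member server for the
# symptoms discussed in the thread. Functions take the raw text of
# "wbinfo -r USER" / "id -G USER" so they can be exercised on sample data.

# Constructed sample: shape of "wbinfo -r" output from the thread, shortened.
WBINFO_SAMPLE='1000513
1001657
1013475
1018064
1000512
-1
-1
-1'

# Constructed sample: what "id -G" returned for the same session (space separated).
SESSION_SAMPLE='1000513 1001657 1000512 513'

# Number of "-1" lines: SIDs winbind could not map to a gid (idmap problem).
count_unmapped() {
    printf '%s\n' "$1" | awk '$0 == "-1" { n++ } END { print n + 0 }'
}

# Number of lines that are real numeric gids.
count_mapped() {
    printf '%s\n' "$1" | awk '/^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Succeeds (exit 0) when the current mapped count is below the baseline taken
# after a fresh winbind start, i.e. memberships were lost (62 -> 13 in the thread).
membership_dropped() {
    [ "$2" -lt "$1" ]
}

# Gids present in the "wbinfo -r" text ($1) but absent from the "id -G" text ($2):
# groups winbind knows about that the login session did not receive.
missing_from_session() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { part = 2; next }
        part != 2 && /^[0-9]+$/ { want[$0] = 1; next }
        part == 2 { for (i = 1; i <= NF; i++) have[$i] = 1 }
        END { for (g in want) if (!(g in have)) print g }' | sort -n
}

# Live check for one user; assumes wbinfo and id are available.
check_user() {
    user=$1
    current=$(wbinfo -r "$user") || { echo "wbinfo -r $user failed"; return 2; }
    unmapped=$(count_unmapped "$current")
    if [ "$unmapped" -gt 0 ]; then
        echo "$user: $unmapped unmapped (-1) entries, check the idmap configuration"
    fi
    if session=$(id -G "$user" 2>/dev/null); then
        missing=$(missing_from_session "$current" "$session")
        if [ -n "$missing" ]; then
            echo "$user: winbind lists gids the session lacks (restart winbind and re-check):"
            echo "$missing"
        fi
    fi
    echo "$user: $(count_mapped "$current") mapped groups"
    return 0
}

# Run the live check only when a username is given; otherwise the functions
# are just defined for use on sample data.
if [ -n "${1:-}" ]; then
    check_user "$1"
fi
```

Record the mapped count from "count_mapped" once after a winbind restart and compare later runs with "membership_dropped"; a drop with zero "-1" entries points at the winbind membership loss in this report, while "-1" entries point at idmap.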