winbind with users with sIDHistory can result in duplicate groups. When determining group membership for a user, the user's SID and any SIDs from the user's SID history are all listed (within the tokenGroup attribute of the LDAP query, if I understand correctly). Thanks to the ID_TYPE_BOTH "user private groups" feature (added in Samba 4.0.5), these all get turned into groups. When using the rid backend, this results in groups with the same name and different gids. For example, my jkelley account is assigned uid 14504 by the idmap_rid backend. There's also a jkelley group with gid 14504 (which I can see by doing "getent group jkelley", "wbinfo --group-info jkelley", and "getent group 14504"). However, thanks to my sIDHistory, there's also a jkelley group with gid 11128. "id jkelley" and "wbinfo --user-groups jkelley" show that the jkelley user is a member of group 11128, not group 14504. Interestingly, the existence (or at least the ability to retrieve) the 11128 group depends on what other operations have been done and cached. For example, "wbinfo --gid-info 11128" returns nothing at first, but after "wbinfo --user-groups jkelley" has been done, "wbinfo --gid-info 11128" finds the jkelley group. This is related to https://bugzilla.samba.org/show_bug.cgi?id=10217. Observed in Samba 4.1.6 on Ubuntu 14.04. I've also reproduced the symptoms using wbinfo (I haven't tested any of the NSS stuff) in Samba 4.0.5 and other 4.0.x versions.
This issue can also cause problems with the rid idmap backend. user1: SID: S-XXXXXXXX1-0001 sidhistory: S-YYYYYYYY4-1111 mapped uid: 70001 user2: SID: S-XXXXXXXX1-0002 Sidhistory: S-YYYYYYYY1-0002 mapped uid: 70002 When user1's information is retrieved (eg "id user1") everything looks fine, except for the odd group named "user1" (because of the sidHistory) User2's information looks similar. However because user2's sidhistory group maps to the same value as user1's uid, winbind forgets that it's mapped to user1. This causes any actions to lookup user1's uid to fail. Winbind essentially forgets their user mapping. Something to look for is SIDs of "groups" that return the domain user when queried. The groups look like they should be private user groups, but in fact are "user aliases" Samba and Winbind versions 4.1.6-ubuntu. (Package 4.1.6+dfsg-1ubuntu2.14.04.7)
(In reply to Kenny K from comment #1) Are you using "winbind use default domain = yes" ?
(In reply to Stefan (metze) Metzmacher from comment #2) what does wbinfo --sid-to-name return for all of the sids?
(In reply to Stefan (metze) Metzmacher from comment #3) What domain controller are you using?
That seems to be a duplicate of bug 12702 (which should be resolved with Samba 4.6.4)
*** This bug has been marked as a duplicate of bug 12702 ***
I haven't noticed that this bug exists when opening bug 12702, but the fix went to the other bug. The fix will be released in next Samba 4.6.x version.