When I do "id -a kptest" as user root I get a correct set of primary+secondary groups back for user kptest. However, when I perform "id -a" after "su - kptest" (so become the user first) I get every group in the system returned (119 groups, which on Solaris get truncated after 16 groups, the NGROUPS_MAX limit..!). This only happened for user kptest, not for other domain users...

I noticed a difference in processing in the function netsamlogon_cache_get, where for user kptest tons of rpc_ calls were executed every time I performed the id command, and this did not happen for the other domain user...

Later on I cleared all tdb files in /var/lock, touched /etc/nsswitch.conf (to tell Solaris to clear its user and group caches) and restarted winbind. It seems the problem went away after that. (The strange thing is that I repeated that procedure already several times without result, but yesterday it suddenly cleared all problems...) Maybe this is caused because I switched back and forth between the setting "use default domain = yes / no".

The other observation I made is that the group "GA KTP share" got the id 10522 in all previous tests, but since yesterday (after the full clear of the tdb databases) it got gid 10001... (If you do "net user kptest /domain" on a DOS prompt you see the user is only a member of Domain Users and GA KTP share, definitely not of all the other groups!)

Below is the transcript with proof of the problem. Also a proof of how this affects user kptest not being able to access a directory open for "GA KTP share" users, of which it is a member... This issue makes me wonder if we should start using winbind; although the concept is beautiful it does not seem stable yet.

# id kptest
uid=10000(kptest) gid=10001(Domain Users)
# id -a kptest
uid=10000(kptest) gid=10001(Domain Users) groups=10522(GA KTP share)
# su - kptest
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
kplus2:/export/home/ads/kptest> id
uid=10000(kptest) gid=10001(Domain Users)
kplus2:/export/home/ads/kptest> id -a
uid=10000(kptest) gid=10001(Domain Users) groups=10001(Domain Users),10260(DR Microsoft VisioStandaard 2002 EN),10117(DR Niche WorkPace 2.5 EN),10114(DR Novell ConsoleOne 1.3.4 EN),10258(DR Citrix ICAClient 6.31.1051 EN),10129(DR CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL),10267(DR Axim2000),10382(DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL),10461(DR ISProjectsITFQualityDocs1.0EN),10451(DR SWIFT BicDatabasePlus Dec_2003 EN),10405(DR CrystalReportsRuntime 9 EN),10235(DR InterflexSystem6020V150445NL),10328(DR NICELOG 6.55 EN),10421(DR Fundation Fundation 4 NL),10154(DR MorseWatchmanInc. KeyPro V1.65 EN),10376(DR IBM PersonalCommunications 5.0 NL)
kplus2:/export/home/ads/kptest> groups kptest
Domain Users DR Microsoft VisioStandaard 2002 EN DR Niche WorkPace 2.5 EN DR Novell ConsoleOne 1.3.4 EN DR Citrix ICAClient 6.31.1051 EN DR CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL DR Axim2000 DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL DR ISProjectsITFQualityDocs1.0EN DR SWIFT BicDatabasePlus Dec_2003 EN DR CrystalReportsRuntime 9 EN DR InterflexSystem6020V150445NL DR NICELOG 6.55 EN DR Fundation Fundation 4 NL DR MorseWatchmanInc. KeyPro V1.65 EN DR IBM PersonalCommunications 5.0 NL
kplus2:/export/home/ads/kptest> groups
Domain Users DR Microsoft VisioStandaard 2002 EN DR Niche WorkPace 2.5 EN DR Novell ConsoleOne 1.3.4 EN DR Citrix ICAClient 6.31.1051 EN DR CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL DR Axim2000 DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL DR ISProjectsITFQualityDocs1.0EN DR SWIFT BicDatabasePlus Dec_2003 EN DR CrystalReportsRuntime 9 EN DR InterflexSystem6020V150445NL DR NICELOG 6.55 EN DR Fundation Fundation 4 NL DR MorseWatchmanInc. KeyPro V1.65 EN DR IBM PersonalCommunications 5.0 NL
kplus2:/export/home/ads/kptest>
# cd /tmp
# mkdir test
# chown kplus:"GA KTP share"
usage: chown [-fhR] owner[:group] file...
# chown kplus:"GA KTP share" test
# chmod 770 test
# su - kptest
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
kplus2:/export/home/ads/kptest> cd /tmp/test
ksh: /tmp/test: permission denied
kplus2:/export/home/ads/kptest> ls -al /tmp/test
/tmp/test: Permission denied
total 16
kplus2:/export/home/ads/kptest> exit
# ls -al /tmp/test
total 32
drwxrwx---   2 kplus    GA KTP share     117 Mar 15 14:22 .
drwxrwxrwt  11 root     sys             3751 Mar 15 14:22 ..
#
# net -V
Version 3.0.2a
#
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kptest@AD.KASBANK.COM

Valid starting     Expires            Service principal
03/11/04 19:36:12  03/12/04 03:36:14  krbtgt/AD.KASBANK.COM@AD.KASBANK.COM
        renew until 03/11/04 20:36:12

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
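The transcript above shows two separable symptoms: the group set seen from the user's own session differs from the root-side lookup, and the session's supplementary list stops at exactly 16 entries, the Solaris NGROUPS_MAX value the report quotes, so the one group that actually grants access to /tmp/test (10522, "GA KTP share") never makes it into the process credentials. The following Python script is an added diagnostic, not part of the bug report or of Samba/winbind; it parses the `id -a` line format and compares the two views. The sample lines are copied from the transcript; the limit of 16 is taken from the report and assumed to apply to the host being checked.

```python
"""Compare the group sets `id -a` reports for a user in two contexts.

Added example (not the reporter's or Samba's code). It parses `id -a` output,
diffs the root-side view (`id -a USER`) against what the user's own session
reports after `su - USER`, and flags a supplementary-group list that has hit
the Solaris NGROUPS_MAX limit, after which further groups are silently dropped.
"""
import re

NGROUPS_MAX = 16  # Solaris limit quoted in the report (assumed for the host)

# One `NNN(name)` entry. Group names may contain spaces, and a line-wrapped
# transcript may leave a space between the number and the parenthesis.
_ENTRY = re.compile(r"(\d+)\s*\(([^)]*)\)")


def parse_id_output(line):
    """Parse one `id -a` line into uid, gid and the supplementary group list."""
    uid_m = re.search(r"\buid=(\d+)\(([^)]*)\)", line)
    gid_m = re.search(r"\bgid=(\d+)\(([^)]*)\)", line)
    if not uid_m or not gid_m:
        raise ValueError("not an `id` output line: %r" % line)
    groups = []
    g_m = re.search(r"\bgroups=(.*)$", line)
    if g_m:
        groups = [(int(n), name) for n, name in _ENTRY.findall(g_m.group(1))]
    return {
        "uid": int(uid_m.group(1)), "user": uid_m.group(2),
        "gid": int(gid_m.group(1)), "gid_name": gid_m.group(2),
        "groups": groups,
    }


def effective_groups(parsed):
    """The gids that matter for access checks: primary gid plus supplementary."""
    return {parsed["gid"]} | {g for g, _ in parsed["groups"]}


def compare_views(root_view_line, session_line, ngroups_max=NGROUPS_MAX):
    """Diff the root-side lookup against the user's session and return findings."""
    root = parse_id_output(root_view_line)
    sess = parse_id_output(session_line)
    root_set, sess_set = effective_groups(root), effective_groups(sess)
    findings = []
    if root["uid"] != sess["uid"]:
        findings.append("uid mismatch: %d vs %d" % (root["uid"], sess["uid"]))
    extra = sorted(sess_set - root_set)      # groups the session should not have
    missing = sorted(root_set - sess_set)    # groups the session lost
    if extra:
        findings.append("session has %d group(s) not in root view: %s"
                        % (len(extra), extra))
    if missing:
        findings.append("session is missing group(s) present in root view: %s"
                        % missing)
    count = len(sess["groups"])
    if count >= ngroups_max:
        findings.append("session lists %d supplementary groups; with NGROUPS_MAX=%d "
                        "any further groups are dropped" % (count, ngroups_max))
    return {"extra": extra, "missing": missing,
            "supplementary_count": count, "findings": findings}


# Sample lines copied from the transcript in the report.
ROOT_VIEW = "uid=10000(kptest) gid=10001(Domain Users) groups=10522(GA KTP share)"
SESSION_VIEW = (
    "uid=10000(kptest) gid=10001(Domain Users) groups=10001(Domain Users),"
    "10260(DR Microsoft VisioStandaard 2002 EN),10117(DR Niche WorkPace 2.5 EN),"
    "10114(DR Novell ConsoleOne 1.3.4 EN),10258(DR Citrix ICAClient 6.31.1051 EN),"
    "10129(DR CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL),10267(DR Axim2000),"
    "10382 (DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL),"
    "10461(DR ISProjectsITFQualityDocs1.0EN),10451(DR SWIFT BicDatabasePlus Dec_2003 EN),"
    "10405(DR CrystalReportsRuntime 9 EN),10235(DR InterflexSystem6020V150445NL),"
    "10328(DR NICELOG 6.55 EN),10421(DR Fundation Fundation 4 NL),"
    "10154(DR MorseWatchmanInc. KeyPro V1.65 EN),10376(DR IBM PersonalCommunications 5.0 NL)"
)

if __name__ == "__main__":
    result = compare_views(ROOT_VIEW, SESSION_VIEW)
    for finding in result["findings"]:
        print("-", finding)
```

Run against the two lines from the transcript it reports the 15 unexpected groups, the missing gid 10522 (which is why `cd /tmp/test` fails even though the directory is group-accessible), and that the session list sits at the 16-entry limit. In practice the two inputs would be captured with `id -a USER` as root and `su - USER -c 'id -a'`.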
'winbind use default domain' is evil. Just my opinion. That being said, you should probably get the patch from bug 1165. Finally, the net_samlogon.tdb cache stores user information when in security = domain (particularly for universal group membership). If you switch back and forth between security = domain and security = ads you can run into problems such as these. I'll make a change so that we blow away net_samlogon_cache.tdb when security = ads.
Not a duplicate per se, but a related issue.

*** This bug has been marked as a duplicate of 2360 ***