security = ADS

When I change a user's groups, the permissions aren't obeyed.

Example: User X is in group A, B & C. I have a directory N only accessible by group B. I remove user X from group B on the ADS. As I have set the winbind cache refresh very low, the change is seen with "id X" very quickly. Great so far.

Problem is, somehow Samba still allows X to access directory N with smbclient -k and with a Windows XP client. When I log in with smbclient without Kerberos, X can't access directory N anymore. All as it should be again. After this the XP client has to log off, then log on, and then the permissions are obeyed.

I tried both "client use spnego" no & yes. Same result. I reproduced this behaviour in two different networks.
Relogging the XP client twice also applies the changes to the permissions.
It's a winbindd issue. Starting winbindd with -n (no caching) solves the problem. This is of course bad for performance, but at least I've finally got a working setup ;)

Sidenote: It is also very, VERY important that both A-records and PTR-records in DNS are correct!
Behavior is by design. Original bug report against 3.0.8pre1.