The Samba-Bugzilla – Bug 3996
WINBIND fails to retrieve group membership correctly from win2003 SP1
Last modified: 2014-07-23 12:47:04 UTC
On the latest available Samba 3.0.23a, I encountered unexpected behavior of winbind.
I registered my Samba server to a mono-forest-multi-domain (GC) as a domain member. I set up everything following the docs and everything works well.
I use wbinfo -r DOMAIN\\USER to discover which groups a user is a member of.
When I make changes in Active Directory, winbind shows me different situations.
A) When I change the group membership of a user of a child domain (implicitly trusted by the forest), I can see (with winbind cache = 1) the changes in about 15 seconds (waiting for domain replication).
B) When I query an external domain manually trusted (two way), winbind does not show me changes; this is very bad for me.
So I installed a second Samba server and joined it to the forest GC. When I query the external trusted domain, it shows me a different group membership, but wrong again.
If I make a change, again it is never, ever shown to me!
I need winbind to recognize users' membership to let squid (with the wbinfo_group.pl plugin) permit navigation with transparent NTLM auth (this works very well) and group selection (this is the problem).
Is this a Samba bug?
Sorry, I forgot to say that I also have problems querying child domains implicitly trusted. Sometimes I can see the changes, and sometimes not.
Only queries for users in the forest domain are always correct and refreshed in about 1 second.
I stopped samba, deleted the *.tdb files, and restarted samba.
Now all my group memberships are refreshed correctly, but I don't know if this is a stable situation or if I MUST periodically delete these files.
Can someone tell me if this is a bug?
Deleting the *.tdb files works for a limited period, then I cannot see changes to groups, as in the previous post.
I downloaded 3.0.23b; now I will try to test this new version against the problem reported.
I noticed this error in the winbind logs:
Got invalid request length: 0
How is it?
I think winbind has a problem with trust relationships.
If I set up a manual trust with two domains, winbind does not refresh group membership correctly. In this B version I noticed more stable operation; without manual trust I can see it refresh correctly.
I will try for 3 or 4 days and do a full report about how winbind works.
If I have groups with the same name in different domains, is this a problem for Samba?
Finally I found the problem!
Samba winbind fails to recognize the group membership of a user if you nest a global group of a trusted or child domain with a local domain group of the global catalog root forest. I think it is a winbind bug. Please let me know what you think!
I add another piece of information about this bug. Winbind stops correctly identifying users' membership when:
1) I add more groups to the same user at the same time
2) I put a user in 2 groups quickly, using 1 DC for doma\groupa and another DC for domb\groupb
I don't know exactly why, but this is a big problem for me.
Can someone help me? I'm going mad ...
*** This bug has been marked as a duplicate of bug 8641 ***