On the latest available Samba 3.0.23a, I encountered unexpected behavior of winbind. I registered my Samba server to a mono-forest, multi-domain (GC) as a domain member. I set up everything by reading the docs and everything works well. I use wbinfo -r DOMAIN\\USER to discover what groups a user is a member of. When I make changes in Active Directory, winbind shows me different situations. A) When I change the group membership of a user of a child domain (implicitly trusted with the forest), I can see (with winbind cache = 1) the changes in about 15 seconds (waiting for domain replication). B) When I query an external domain manually trusted (two-way), winbind does not show me the changes; this is very bad for me. So I installed a second Samba server and joined it to the forest GC. When I query the external trusted domain, it shows me a different group membership, but wrong again. If I make a change, again it is never, ever shown to me! I need winbind to recognize users' membership to let squid (with the wbinfo_group.pl plugin) permit navigation with transparent NTLM auth (this works very well) and group selection (this is the problem). Is this a Samba bug?
Sorry, I forgot to say that I also have problems querying implicitly trusted child domains. Sometimes I can see the changes, and sometimes not. Only queries for users in the forest domain are always correct and refreshed in about 1 second.
I stopped Samba, deleted the *.tdb files, and restarted Samba. Now all my group memberships are refreshed correctly, but I don't know if this is a stable situation or if I MUST periodically delete these files. Can someone tell me if this is a bug?
Deleting the *.tdb files works for a limited period; then I cannot see changes to groups, as in the previous post.
I downloaded 3.0.23b; now I will try to test this new version against the reported problem.
I noticed this error in the winbind logs: nsswitch/winbindd_dual.c:child_read_request(49) Got invalid request length: 0 What is it?
I think winbind has a problem with trust relationships. If I set up a manual trust with two domains, winbind does not refresh group membership correctly. In this B version I noticed more stable operation; without a manual trust I can see the refresh correctly. I will try for 3 or 4 days and do a full report about how winbind works. If I have groups with the same name in different domains, is this a problem for Samba?
Finally I found the problem! Samba winbind fails to recognize the group membership of a user if you nest a global group of a trusted or child domain with a local domain group of the global catalog root forest. I think this is a winbind bug. Please let me know what you think!
I am adding more information about this bug. Winbind stops correctly identifying users' membership when: 1) I add more groups to the same user at the same time; 2) I quickly put a user in 2 groups using one DC for doma\groupa and another DC for domb\groupb. I don't know exactly why, but this is a big problem for me. Can someone help me? I'm going mad ...
*** This bug has been marked as a duplicate of bug 8641 ***