We fail do some valid name lookups. This goes back to require_membership_of = redhat in pam_winbind.conf. As you can see a group without a domain is specified which results in a lookup of that group without a domain name. [2013/04/04 12:08:52.940058, 10, pid=9331] winbindd/winbindd.c:617(process_request) process_request: Handling async request 9333:LOOKUPNAME [2013/04/04 12:08:52.940186, 3, pid=9331] winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send) lookupname +redhat [2013/04/04 12:08:52.940307, 1, pid=9331] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName domain : * domain : '' name : * name : 'REDHAT' flags : 0x00000000 (0) [2013/04/04 12:08:52.948321, 1, pid=9331] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) wbint_LookupName: struct wbint_LookupName out: struct wbint_LookupName type : * type : SID_NAME_DOM_GRP (2) sid : * sid : S-1-5-21-2175650508-4111995269-951467909-1106 result : NT_STATUS_OK We end up with the following mappings in the cache: { key(10) = "NS//REDHAT" data(66) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00- S-1-5-21-2175650508-4111995269-951467909-1106" } { key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1106" data(28) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat" } If you do an 'id' as the user now. It is not able to find the group name in the cache: DISCWORLD+asn@samba:~> id uid=100001104(DISCWORLD+asn) gid=100000513(DISCWORLD+domain users) groups=100000513(DISCWORLD+domain users),100001106,100001108(DISCWORLD+samba) I've created a patch which looks up the domain name from the sid if domain_name is not set. So we will later find the correct entries when we try to lookup DISCWORLD\redhat.
Created attachment 8744 [details] v4-0-test patch
Created attachment 8747 [details] v3-6-test patch
Karolin, please add to 4.0.x and 3.6.x. Thanks!
Pushed to v3-6-test and autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!