I’ve just upgraded my main file server from 10.3 to 11.1 by DVD (I did not have a chance to do a zypper up after, so it’s the base 11.1 install), and in upgrading my Samba from 3.0.23b to 3.2.4, I seem to have broken winbind resolution of group names.
wbinfo -g shows all the right group name entries, and getent group shows that they map to the proper GID numbers… it’s just that ls isn’t seeing them: I get domain usernames, but the group column is 5 digit numeric GIDs in my defined range.
I infer that something broke PAM, but I’m not enough of a PAM jockey to know what.
I don’t have a pam.d/winbind, but I’m not clear that I’m supposed to.
I see that the four pam.d/common-* files were touched, but their contents are the same as the older ones I have.
And one further folo: that made ls find the groups properly, but that Windows user still can’t take advantage of her group permissions, even after logging out and in.
Ok; the load average runaway was a red herring; other code, and I’ve turned it off. But any suggestions anyone can offer on the GID issue would be nice…
I’m in the same boat… AD group membership used to work on Samba versions up to 3.0… and is broken from 3.2… afaik
I dug everywhere and am still having no success getting AD group membership to work - individual AD account credentials work, btw
The closest to the cause I managed to get is this trail in the Samba log for the client station:
[2010/02/19 03:10:59, 3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid DOMAIN\domain admins does not start with 'S-'.
I’m sure that (1) winbindd/winbindd_sid “sid to gid” is working (checked idmap) and (2) the client’s sent SID starts with ‘S-’ (checked on another Samba 3.0 server).
It seems, or this leads to the conclusion, that “lib/util_sid.c” is buggy or crippled now.