10.3 to 11.1 upgrade breaks GID resolution in Samba

I’ve just upgraded my main file server from 10.3 to 11.1 by DVD (I did not have a chance to do a zypper up after, so it’s the base 11.1 install), and in upgrading my Samba from 3.0.23b to 3.2.4, I seem to have broken winbind resolution of group names.

wbinfo -g shows all the right group name entries, and getent group shows that they map to the proper GID numbers… it’s just that ls isn’t seeing them: I get domain usernames, but the group column is 5 digit numeric GIDs in my defined range.

I infer that something broke PAM, but I’m not enough of a PAM jockey to know what.

I don’t have a pam.d/winbind, but I’m not clear that I’m supposed to.

I see that the four pam.d/common-* files were touched, but their contents are the same as the older ones I have.

Any suggestions?

I should clarify that because of this, users who should be able to do things by their group membership and permissions, can’t.

Ok, this just got 7 levels weirder.

I just touched a file on that server, and did

chgrp "CORP\accounting" filename

and now all of my files properly show up in that group.

[ checks other directory ]

But only for that one group; other groups are still numeric. Some cache is not pre-populated, clearly.

And one further folo: that made ls find the groups properly, but that Windows user still can’t take advantage of her group permissions, even after logging out and in.

And finally, the machine – specifically smbd – went runaway this afternoon; load average 61 before it finally went catatonic in a closet.

(That’s on a 3GHz Core2Duo; keyboard response was actually usable at 61, amazingly.)

Ok; the load average runaway was a red herring; other code, and I’ve turned it off. But any suggestions anyone can offer on the GID issue would be nice…

I’m in the same boat… AD group membership used to work on Samba versions up to 3.0… and is broken from 3.2… afaik

Dug everywhere and still having no success getting AD group membership to work - individual AD account credentials work, btw.

The closest to the cause I managed to get is this trail in the Samba log for the client station:

 [2010/02/19 03:10:59,  3] lib/util_sid.c:string_to_sid(228)
   string_to_sid: Sid DOMAIN\domain admins does not start with 'S-'.

I’m sure that (1) winbindd/winbindd_sid “sid to gid” is working (checked idmap) and (2) the client’s sent sid starts with ‘S-’ (checked on another Samba 3.0 server)

It seems, or it leads to the conclusion, that “lib/util_sid.c” is buggy or crippled now.

Still digging.