I have a case similar to this thread, "AD group membership changes not reflected in winbind information". The only difference is that this only occurs "cross domain" in my scenario.
Here is my configuration – http://pastebin.ca/3035431 …
I would appreciate it if anyone could shed some light on:
(1) how to let the "id" command reflect the correct group membership.
(2) how I can make Winbind reflect the group membership automatically once changes have been made in Active Directory.
Thanks!
Best Answer
Before trying what I suggest, understand it may reset UID/GID mappings that were created by Samba. I do this because everything I care about comes from Active Directory rfc2307 so I'm comfortable wiping Samba / Winbindd caches and starting over.
What finally worked for me was removing all the files from /var/cache/samba.
I recently battled getting the group list to update for just one stubborn user id. My user id of course.
I don't believe I am in a Cross Domain situation but it's possible. I'm in a large multi-domain Active Directory but was working with users and groups in just one domain.
I tried many attempts including "net cache flush", adding --no-caching to winbindd, and deleting group_mapping.tdb, winbindd_idmap.tdb, and winbindd_cache.tdb from /var/lib/samba.
Here is a script with commands that cleans out the Samba / Winbindd cache files:
I believe I created the situation that caused my user id to not update. On this CentOS 7 system, I started off trying the "realm" command and SSSD method of talking to Active Directory using the CentOS 7 built-in sssd and Samba, which I think was Samba 4.1.x.
SSSD almost worked but was too slow. Commands like "id" and "groups" were horribly slow. I think Samba struggled because lookups were too slow.
I decided to try the latest Samba 4.2.x because of the new winbindd and default larger io.
SerNet Samba / Winbindd 4.2.3 appears to be working great. Samba joined Active Directory without a problem. Commands like "id" and "groups" are fast, especially after the first lookup.
Here is my smb.conf for reference: