I've been running a samba server with winbind (CentOS 7) as a member of an AD Domain (Windows 2012 R2) for several months without a problem. "Suddenly" I'm seeing the problem that the membership in newly created AD groups isn't correctly visible for some users on the samba server, or only after some indefinite amount of time. I'm looking simply at the output of the 'id' command. This information is always consistent with the output of 'wbinfo -r', so I don't think it's an NSS problem. The "funny" thing is that this doesn't apply to all of the members of the newly created group, only to some of them.

On the DC I checked the affected users with the PowerShell command "get-aduser $username -Properties memberof | select -expand memberof"; everything is correct.

In my experience the problem goes away after some time (a couple of hours) for some users, again not all of them. I fiddled with some winbind options in smb.conf, restarted winbind a couple of times, used "net cache flush", none of these changed anything. I didn't restart the AD or smbd though. Can anybody give me a hint?


Example (I temporarily set "winbind expand groups = 1" to use "getent group", but this doesn't affect the problem):

# getent group 'FOOBAR\testgroup'

# wbinfo -r 'FOOBAR\user01' | grep -c 13688

# wbinfo -r 'FOOBAR\user01' | grep -c 13688


        load printers = No
        log file = /var/log/samba/log.smbd
        realm = FOOBAR.DOMAIN.TLD
        security = ADS
        unix extensions = No
        workgroup = FOOBAR
        idmap config foobar : range = 10000-999999
        idmap config foobar : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        strict sync = No

        browseable = No
        path = /srv/samba01/lv01/exampleshare
        read only = No
        vfs objects = acl_xattr
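With "idmap config foobar : backend = rid" the gid is not allocated from a cache but computed from the group's RID and the configured range, so the 13688 being grepped above can be checked arithmetically against the new group's objectSid instead of being taken on trust from winbind. The following is an added example, not part of the question or of Samba's own code: it parses the idmap lines from a constructed smb.conf fragment modelled on the one above and applies the rid backend's mapping rule in both directions; the domain SID used when exercising it is a constructed placeholder.

```python
import re

# Constructed smb.conf fragment modelled on the idmap lines in the post (not read from a live server).
SMB_CONF = """
        idmap config foobar : range = 10000-999999
        idmap config foobar : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(range|backend|base_rid)\s*=\s*(\S+)", re.I | re.M)

def parse_idmap(conf):
    """Return {domain: {'backend', 'range': (lo, hi), 'base_rid'}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        d = domains.setdefault(dom.lower(), {"base_rid": 0})
        if key.lower() == "range":
            lo, hi = (int(x) for x in val.split("-"))
            d["range"] = (lo, hi)
        elif key.lower() == "backend":
            d["backend"] = val.lower()
        else:
            d["base_rid"] = int(val)
    return domains

def _rid_params(domains, domain):
    """(lo, hi, base_rid) for a rid-backed domain; None for tdb/autorid, whose ids are allocated, not computed."""
    d = domains.get(domain.lower(), {})
    return d["range"] + (d["base_rid"],) if d.get("backend") == "rid" else None

def rid_to_id(domains, domain, rid):
    """idmap_rid rule: id = RID + base_rid + low end of the range; None if that falls outside the range."""
    p = _rid_params(domains, domain)
    if p is None:
        return None
    lo, hi, base = p
    unix_id = rid + base + lo
    return unix_id if lo <= unix_id <= hi else None

def id_to_rid(domains, domain, unix_id):
    """Inverse of rid_to_id; None if unix_id is not in this domain's range."""
    p = _rid_params(domains, domain)
    if p is None or not p[0] <= unix_id <= p[1]:
        return None
    return unix_id - p[0] - p[2]

def sid_to_id(domains, domain, sid):
    """Map an objectSid string (S-1-5-21-...-RID) to the id the rid backend assigns; the RID is the last component."""
    return rid_to_id(domains, domain, int(sid.rsplit("-", 1)[-1]))
```

If the gid printed by "id" for the new group does not equal sid_to_id() of the group's objectSid from the DC, the mismatch is in the idmap configuration rather than in winbind's group cache; if it does, the missing members are a cache or lookup problem and not an idmap one.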

