I have a samba server, integrated with active directory, and for the most part, working great. The server is running RHEL4. (Samba 3.0.10-1.4E.9) I'm using the "idmap_rid" to maintain some semblance of order and consistency between all my samba servers as far as UID->SID mapping.
The issue I have been running into, is that occasionally one or two user accounts can't access the samba shares. On further investigation, wbinfo can get all normal info for the user (SID, SID>UID, UID>SID, --user-sids, etc.) except the -r option. When I run wbinfo -r DOMAIN+username, I get the response: Could not get groups for user DOMAIN+username I can "su - DOMAIN+username" without issue.
In the samba log for the users workstation, I get the following:
[2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
This can happen seemingly randomly. It also doesn't happen often, about 1 user or so every couple weeks. The only method I've discovered to fix it is to stop winbind and delete the winbindd_cache.tdb and winbindd_idmap.tdb files. When I restart winbind, everything is good to go again, sometimes. I have one user now that this fix does not work for.
One item to note: The only consistency between the users this has affected is that they are also members of groups from trusted domains within our AD forest.
My winbind settings in the smb.conf:
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
idmap backend = idmap_rid
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
realm = DOMAIN
Any thoughts or suggestions are greatly appreciated.