LinuxQuestions.org - winbind + AD + sshd allowgroups = unreliable ssh logins.

Im having a nerve racking problem with winbind/sshd and allowed groups. I have read this setup works in many other cases but I have yet to get it to work reliably in our environment.

We have a large AD domain with thousands of groups and users.

My problem lies with sshd and allowing specific AD groups ssh permissions. No matter what I try if I add an AD group to allowgroups in sshd_config remote login performance takes a big hit. And by performance I mean the ability to logon through ssh... sometimes I can logon sometimes I cant other times I am just denied access.

os = SLES 10 SP2
samba versions are 3.0.32

AD is 2008 Mixed Mode/2003 compatibility mode. Here is the relevant section of smb.conf

edit: I also need to add that all the accounts I am working with do have the appropriate primary groups set in AD.

Code:

[global]

        workgroup = DOMAIN

        netbios name = hostname

        usershare allow guests = No

        idmap gid = 10000-20000

        idmap uid = 10000-20000

        security = ADS

        realm = DOMAIN.COM

        password server = domain.com

        domain master = no

        winbind separator = +

        winbind enum users = no

        winbind enum groups = no

        winbind use default domain = yes

        client use spnego = yes

        winbind offline logon = yes

        winbind refresh tickets = yes

        template homedir = /home/%D/%U

        template shell = /bin/bash

Anyone have any ideas?