The behavior you're seeing is because LDAP is being used to get the group membership rather that RPC.
Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...) If you're interested, check the archives for message entitled "Finding group members - fix to winbindd_ads.c" around Feb 8. Ken ________________________________ Ken Cross Network Storage Solutions Phone 865.675.4070 ext 31 [EMAIL PROTECTED] > -----Original Message----- > From: > [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > amba.org] On Behalf Of Chere Zhou > Sent: Tuesday, March 04, 2003 8:27 PM > To: [EMAIL PROTECTED] > Subject: 3.0a21 and HEAD: only primary group of a domain user > is set on smbd > > > Dear list, > > I know that on 2.2.5, when we get user info from winbindd, we > also initialize > group information based on the group list got from winbind, and do a > "setgroups" for the process, so that all of the groups the > user is a member > of is set on the smbd. > > Now on 3.0a21 and HEAD, I do not see any "setgroup" operation > from winbind, > and the smbd process only got the primary group of the Win2k > domain user. So > it fails when a file permission is checked for other groups > the user is a > member of. > > I can see that sec_ctx.c is about the only place that calls > sys_setgroups > now, when the Unix group info has only the primary group. At > the same place > the NT token has about 9 groups for my test user. > > Can somebody explain why we are not doing what 2.2.5 was > doing? Is there any > design issue related to this? > > Thanks a lot! > > Chere >