Bug
Resolution: Unresolved
rhel-9.7
Moderate
Customer Escalated
rhel-idm-uah
What were you trying to do that didn't work?
After upgrading Samba to version samba-4.22.4-6, AD group resolution is not working correctly. Restarting the service will temporarily fix the issue (in some cases ~10 minutes), then "id" is not returning all AD groups, just "domain users" and/or the primary group.
What is the impact of this issue to you?
This triggers a lot of authentication/authorization issues.
Please provide the package NVR for which the bug is seen:
samba-4.22.4-6
How reproducible is this bug?:
Just upgrading to samba-4.22.4-6 causes this problem.
Expected results
Group resolution working fine. "id" should show all the groups; it works for a time, then it only shows "domain users" or the primary group.
Actual results
Group resolution is working intermittently; after some time it stops working, causing authentication/authorization issues.
Workaround
- In one scenario, changing "winbind expand groups" from 1 to 0 fixed the issue.
- Rolling back the upgrade fixes the issue.
Additional notes
- This is seen using "autorid" or "rid" Winbind backends. We have not seen a case using TDB, ad or sss backends.
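A triage sketch for checking whether a host's smb.conf matches the conditions named in this report (a "rid" or "autorid" idmap backend, and a non-zero "winbind expand groups"). This is an added example, not part of the original report and not Red Hat or Samba code; the sample configuration, the function names and the result keys are constructed for illustration, and the check mirrors the report's observations rather than a confirmed root cause.

```python
import re

# Constructed sample smb.conf for illustration; not taken from the report.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    Winbind Expand Groups = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

REPORTED_BACKENDS = {"rid", "autorid"}  # backends named in the report


def parse_global(text):
    """Return [global] parameters, with names normalised the way Samba
    compares them: case-insensitive, whitespace ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def triage(text):
    """Summarise the settings the report associates with the symptom."""
    params = parse_global(text)
    backends = {}  # idmap domain (lower-cased) -> backend
    for key, value in params.items():
        m = re.fullmatch(r"idmapconfig(.+):backend", key)
        if m:
            backends[m.group(1)] = value.lower()
    # smb.conf default for "winbind expand groups" is 0.
    expand = int(params.get("winbindexpandgroups", "0"))
    flagged = sorted(d for d, b in backends.items() if b in REPORTED_BACKENDS)
    return {"expand_groups": expand, "reported_backend_domains": flagged,
            "workaround_applicable": bool(flagged) and expand > 0}

print(triage(SAMPLE_SMB_CONF))
```

Feeding it the output of `testparm -s` rather than the raw file also picks up settings pulled in through include files.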