Win ACL and Group membership limits? (10.3)


I still have questions about Win ACLs on 10.3, but HERE IS THE REAL ISSUE that I'm dealing with. Basically, if I add users to groups in WM, or remove users from groups, it doesn't seem to be reflected from a shell prompt in any kind of realtime. If I loop through 'id' lookups while making WM group entries, nothing changes. If I log out and in from the shell, I will see a different list, but it is rarely correct. In this case I was seeing 16 of 21 groups associated with a user. One of the groups that wasn't showing in the shell is directly associated with the inability to get into the group directory. So I tried deleting several other groups that did show in shell, logged out and in and what did I see? The three I deleted were no longer showing, and one of the 5 that were missing had appeared. (and now she can get into the directory in question...) (but not the ones I removed, doh!)

So what's going on? At first I thought it was "first sixteen groups" as a limit, but for others it might be 4, 7, or other random numbers. What is the linkage between Open Directory and the lookupd that supposedly returns this info?

We are having issues with group folders where some group members don't get access and others do. Creating new folders and new groups isn't helping for certain users. All groups for this user show in Workgroup Manager. (21) However... I set shell access for this user, SSH'd in and used the 'groups' command, and only received 16 groups back. Is there some limit on group membership, or is it a limit of the shell? Oh yes, and the id command returns the same.

Also, on the way to finding out the above, I notice in Win2K clients that if you select properties on a folder and go to Security, you see three entries. (Owner, Group, World, right?) However, the group is displayed as a user, in particular the user with a UID = to the GID of the correct group. Making me crazy. Is this a known issue?

Here are some more observations. I have a Mickey Mouse account. (mmouse) I log into the server as mmouse, and simultaneously as a shell account. In WM I variously add and remove him from groups, and in the shell id command I rarely see the same thing twice. Usually if I log out and in it *might* change, but not always. I see about half a dozen group memberships, even if there are a dozen in WM. My ability to access group directories from shell is mostly related to what I see in id.

Meanwhile, from Windows there definitely is a lag from whatever I'm doing in shell. Right now, the following is true:

WM shows mmouse as belonging to group Alpha, Beta and Delta

Shell prompt shows Alpha and Beta only. I cannot get into Delta, as I would expect.

Windows: I can still get into Delta. Maybe if I reboot it will change.

Sooo... What is going on between OpenDir groups and local groups, and why is the behaviour inconsistent? Why can one user belong to 16 groups in shell and 21 in OD, but another stops at 6 or so in shell? Very strange...
