[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb (solved)

Kees van Vloten keesvanvloten at gmail.com
Thu Sep 7 19:12:00 UTC 2023


On 05-09-2023 11:55, Rowland Penny via samba wrote:
> On Tue, 5 Sep 2023 11:35:54 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 05-09-2023 at 11:22, Andrew Bartlett wrote:
>>> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>>>> Thanks for checking.
>>>> It looks like there is no simple answer but it must be something
>>>> in my new environment. I will do some more debugging later today.
>>> Are you really sure this is something in your new environment, not
>>> something odd about the old one?
>> Yes, it runs on a freshly deployed physical machine in a new lxc
>> container.
>>
>> I am building up a completely new environment. I am using common
>> Ansible code (roles and playbooks) but an inventory per environment.
>> The only differences are names, networks etc. and of course upgrade
>> history for the existing environments.
>>
>>> I've not followed this too closely, but the idea with the mode you
>>> selected is that the AD uidNumber and gidNumber are the correct
>>> values, not idmap.ldb values which should never be consulted for
>>> these users any more.
>> The interesting observation is that my other domains are 15 - 40
>> months old but apart from that exactly the same (as far as I can see)
>> and they behave very differently in this id lookup on the dc.
>>
>> Rowland just mentioned the winbind cache (how can I check its
>> content?), that is certainly something which is different. Also the
>> content of idmap.ldb is much much bigger on the older domains.
>>
> You can see the contents of the cache with:
>
> net cache list
>
> Rowland

I found the issue, as expected: too silly to talk about :-)

After installing the debian packages, "samba-tool domain provision" and 
adding a lot of settings to smb.conf, one *must* restart samba-ad-dc and 
only then uid/gid resolving of domain user/group names starts to work ...

The Ansible code is now updated to restart samba before the first name 
lookup takes place.

Rowland and Andrew, thanks for your help!
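An added illustration (my own, not Kees's Ansible code) of how the ordering fix can look in a play; realm, domain, vault variable and the extra smb.conf settings are placeholders or assumptions. The point it shows is that a `notify`-ed restart handler only fires at the end of the play, so `meta: flush_handlers` is needed before the first uid/gid lookup:

```yaml
# Constructed example play: provision a Samba AD DC on Debian and make
# sure samba-ad-dc is restarted BEFORE the first uid/gid lookup.
# Assumptions: rfc2307 uidNumber/gidNumber kept in AD (--use-rfc2307),
# placeholder realm/domain names, admin password from Ansible Vault.
- hosts: dc
  become: true
  vars:
    ad_realm: EXAMPLE.LAN                       # placeholder
    ad_domain: EXAMPLE                          # placeholder NetBIOS name
    ad_adminpass: "{{ vault_ad_adminpass }}"    # placeholder, from Vault
  tasks:
    - name: Provision the domain (skipped when sam.ldb already exists)
      ansible.builtin.command: >
        samba-tool domain provision --use-rfc2307
        --realm={{ ad_realm }} --domain={{ ad_domain }}
        --server-role=dc --dns-backend=SAMBA_INTERNAL
        --adminpass={{ ad_adminpass }}
      args:
        creates: /var/lib/samba/private/sam.ldb
      no_log: true
      notify: restart samba-ad-dc

    - name: Add settings that the provisioned smb.conf does not carry
      ansible.builtin.blockinfile:
        path: /etc/samba/smb.conf
        insertafter: '^\[global\]'
        block: |
          # assumed extra settings; adjust to the environment
          winbind use default domain = yes
          template shell = /bin/bash
      notify: restart samba-ad-dc

    # Handlers run at the END of the play. Without this flush the lookup
    # below runs against the not-yet-restarted service, which is exactly
    # the symptom described in the thread (names do not resolve to ids).
    - name: Apply the pending restart now, before any name lookup
      ansible.builtin.meta: flush_handlers

    - name: Verify that a domain account resolves to a uid/gid
      ansible.builtin.command: id Administrator
      changed_when: false

  handlers:
    - name: restart samba-ad-dc
      ansible.builtin.systemd:
        name: samba-ad-dc
        state: restarted
```

If the verification task is placed before the `flush_handlers` step, it reproduces the failure from the thread; after it, `id` returns the uid/gid as expected.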