[Samba] wbinfo -r 'username' displays inconsistent results across DCs
lingpanda101
lingpanda101 at gmail.com
Tue May 15 15:40:02 UTC 2018
On 5/11/2018 12:18 PM, lingpanda101 wrote:
> Hello,
>
> Looking up a user's group membership, I'm seeing different results
> on each DC. UID and GID mapping appears consistent, but not all group
> membership is displayed. I've verified idmap.ldb is backed up and
> copied over to the other DCs. I do notice that when taking a hot backup of
> idmap.ldb, the file size is dramatically smaller than the original.
> Using Microsoft RSAT to view group membership displays consistent
> results. This behavior is not consistent for all users. Many show
> consistent results while others do not. DC1, which is the first
> provisioned DC, appears to display all group membership accurately with
> wbinfo -r.
>
> Ubuntu 14.04LTS
>
> Samba 4.7.5
>
> smb.conf (consistent across all DCs)
>
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 75.75.75.75 208.67.222.222
> idmap_ldb:use rfc2307 = Yes
> server services = -dns
>
> log file = /usr/local/samba/var/log.samba
> max log size = 5000
> log level = 0 auth_audit:3
> debug timestamp = Yes
> debug uid = Yes
> debug pid = Yes
>
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
>
> ldap server require strong auth = no
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> @DC2:~# wbinfo -r james
> 10000
> 3000141
> 3000223
> 3000224
> 10031
> 10004
> 3000363
> 3000030
> 3000004
> 3000005
> 3000008
> 10009
> 10053
> 10010
> 10011
> 10012
> 10013
> 10015
> 3000031
> 10034
> 10032
> 10033
> 3000440
> 10017
> 3000566
> 10019
> 10007
> 10022
> 10023
> 10024
> 3000009
> 3000034
> 3000000
>
> @DC1:~# wbinfo -r james
> 10000
> 3000141
> 3000223
> 3000224
> 10031
> 3000368
> 3000030
> 3000004
> 3000005
> 3000008
> 10043
> 10009
> 10053
> 10010
> 10011
> 10012
> 10013
> 10015
> 3000031
> 10034
> 10032
> 10033
> 3000451
> 10017
> 10019
> 10007
> 10022
> 10023
> 10024
> 10025
> 10026
> 10030
> 10036
> 10037
> 10038
> 10039
> 10040
> 3000007
> 10041
> 10042
> 10044
> 3000515
> 10045
> 3000584
> 3000009
> 3000034
> 3000000
>
I think I found the issue. It appears the idmap cache is not clearing.
If I execute 'wbinfo -a domain\\username' and successfully authenticate,
I get correct results. This overwrites the cache. I'm curious if others
are experiencing this same result and if it's intended?
--
James
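When chasing a mismatch like the one above, the first thing to pin down is which GIDs differ between the two DCs and whether they are rfc2307 GIDs (gidNumber read from AD, which every DC sees the same way) or IDs the DC allocated itself in idmap.ldb (which only agree if idmap.ldb really is identical on every DC). The script below is an added example, not code from the original post or from Samba: it takes two `wbinfo -r` outputs, one GID per line, and reports the GIDs only one DC returned, with a class for each. The sample lists are a constructed subset of the two outputs in the thread, and the 3000000 boundary is an assumption based on Samba's default starting xidNumber for idmap.ldb allocations.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba: compare the GID
# lists that `wbinfo -r <user>` printed on two DCs and report which GIDs only
# one DC returned, split into rfc2307 GIDs (gidNumber from AD) and GIDs that
# the DC allocated itself in idmap.ldb.
set -eu

# Constructed sample input: a subset of the two `wbinfo -r james` outputs in
# the thread (DC2 first, DC1 second), one GID per line, so this runs offline.
DC2_GIDS="10000
3000141
10031
10004
3000363
10009
3000440
3000566
10019
3000000"

DC1_GIDS="10000
3000141
10031
3000368
10043
10009
3000451
10019
10025
3000007
3000000"

# Print, space separated and in input order, the GIDs present in list $1 but
# absent from list $2. Both arguments are newline separated strings.
gids_only_in() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bl, "\n")
        for (i = 1; i <= n; i++) if (bl[i] != "") seen[bl[i]] = 1
        m = split(a, al, "\n")
        for (i = 1; i <= m; i++)
            if (al[i] != "" && !(al[i] in seen))
                out = out (out == "" ? "" : " ") al[i]
        print out
    }'
}

# Assumption: the DC hands out xidNumber values in idmap.ldb starting at
# 3000000 (Samba's default), so anything at or above that did not come from a
# gidNumber attribute and only agrees across DCs if idmap.ldb does.
IDMAP_ALLOC_START=3000000

classify_gid() {
    if [ "$1" -ge "$IDMAP_ALLOC_START" ]; then
        echo idmap.ldb-allocated
    else
        echo rfc2307
    fi
}

# One line per GID that only the DC labelled $1 (list $2) returned compared
# with the other DC (list $3), together with the GID's class.
report_only_on() {
    label=$1
    for gid in $(gids_only_in "$2" "$3"); do
        echo "$gid only-on-$label $(classify_gid "$gid")"
    done
}

report_only_on DC2 "$DC2_GIDS" "$DC1_GIDS"
report_only_on DC1 "$DC1_GIDS" "$DC2_GIDS"

# Re-run the capture on the lagging DC after `wbinfo -a DOMAIN\\user`, as the
# post describes: if the differences vanish, winbind's cache on that DC was
# stale; if rfc2307 GIDs still differ, look at the directory, and if only
# idmap.ldb-allocated IDs differ, compare the idmap.ldb copies themselves.
```

Capture the real lists with `wbinfo -r james > dc2.txt` on each DC and feed them in with `DC2_GIDS=$(cat dc2.txt)` in place of the constructed strings; the awk set difference keeps the input order so the output lines up with what `wbinfo -r` printed.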