[Samba] wbinfo -r 'username' displays inconsistent results across DC's

lingpanda101 lingpanda101 at gmail.com
Tue May 15 15:40:02 UTC 2018


On 5/11/2018 12:18 PM, lingpanda101 wrote:
> Hello,
>
>     Looking up a user's group membership, I'm showing different results 
> on each DC. UID and GID mapping appears consistent, but not all group 
> membership is displayed. I've verified idmap.ldb is backed up and 
> copied over to the other DCs. I do notice when taking a hot backup of 
> idmap.ldb, the file size is dramatically smaller than the original. 
> Using Microsoft RSAT to view group membership displays consistent 
> results. This behavior is not consistent for all users. Many show 
> consistent results while others do not. DC1, which is the first 
> provisioned DC, appears to display all group membership accurately with 
> wbinfo -r.
>
> Ubuntu 14.04LTS
>
> Samba 4.7.5
>
> smb.conf (Consistent across all DC's)
>
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.LOCAL
>         netbios name = DC1
>         server role = active directory domain controller
>         dns forwarder = 75.75.75.75 208.67.222.222
>         idmap_ldb:use rfc2307 = Yes
>         server services = -dns
>
>         log file = /usr/local/samba/var/log.samba
>         max log size = 5000
>         log level = 0 auth_audit:3
>         debug timestamp = Yes
>         debug uid = Yes
>         debug pid = Yes
>
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
>
>         tls enabled  = yes
>         tls keyfile  = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile   =
>
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> @DC2:~# wbinfo -r james
> 10000
> 3000141
> 3000223
> 3000224
> 10031
> 10004
> 3000363
> 3000030
> 3000004
> 3000005
> 3000008
> 10009
> 10053
> 10010
> 10011
> 10012
> 10013
> 10015
> 3000031
> 10034
> 10032
> 10033
> 3000440
> 10017
> 3000566
> 10019
> 10007
> 10022
> 10023
> 10024
> 3000009
> 3000034
> 3000000
>
> @DC1:~# wbinfo -r james
> 10000
> 3000141
> 3000223
> 3000224
> 10031
> 3000368
> 3000030
> 3000004
> 3000005
> 3000008
> 10043
> 10009
> 10053
> 10010
> 10011
> 10012
> 10013
> 10015
> 3000031
> 10034
> 10032
> 10033
> 3000451
> 10017
> 10019
> 10007
> 10022
> 10023
> 10024
> 10025
> 10026
> 10030
> 10036
> 10037
> 10038
> 10039
> 10040
> 3000007
> 10041
> 10042
> 10044
> 3000515
> 10045
> 3000584
> 3000009
> 3000034
> 3000000
>
I think I found the issue. It appears the idmap cache is not clearing.

If I execute 'wbinfo -a domain\\username' and successfully authenticate 
I get correct results. This overwrites the cache. I'm curious if others 
are experiencing this same result and if it's intended?

-- 
James
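The comparison James did by eye between the two `wbinfo -r james` captures, as an added example (not code from the post or from Samba). It embeds the two lists from the post, reports which gids each DC failed to print relative to the other, and splits them by likely origin. The split relies on an assumption: `IDMAP_ALLOC_BASE = 3000000` is Samba's default start of the xidNumber range that idmap.ldb hands out, so gids at or above it are treated as locally allocated and lower ones as rfc2307 gidNumber values from AD. The `DC1=file DC2=file` command-line form is this script's own convention.

```python
"""Diff the group lists that `wbinfo -r <user>` prints on different DCs.

Added example, not code from the original post or from Samba itself.
It assumes that gids at or above IDMAP_ALLOC_BASE were allocated
locally in idmap.ldb (3000000 is Samba's default start for that xid
range), while lower gids came from an rfc2307 gidNumber in AD.
"""
import sys
from typing import Dict, List, Set

IDMAP_ALLOC_BASE = 3000000  # assumption: default idmap.ldb xidNumber allocation start

# The two captures from the post (DC2, then DC1), whitespace-joined to save space.
DC2_OUTPUT = """
10000 3000141 3000223 3000224 10031 10004 3000363 3000030 3000004 3000005
3000008 10009 10053 10010 10011 10012 10013 10015 3000031 10034 10032 10033
3000440 10017 3000566 10019 10007 10022 10023 10024 3000009 3000034 3000000
"""
DC1_OUTPUT = """
10000 3000141 3000223 3000224 10031 3000368 3000030 3000004 3000005 3000008
10043 10009 10053 10010 10011 10012 10013 10015 3000031 10034 10032 10033
3000451 10017 10019 10007 10022 10023 10024 10025 10026 10030 10036 10037
10038 10039 10040 3000007 10041 10042 10044 3000515 10045 3000584 3000009
3000034 3000000
"""


def parse_wbinfo_r(text: str) -> Set[int]:
    """Parse `wbinfo -r` output: one numeric gid per line (any whitespace works)."""
    return {int(tok) for tok in text.split()}


def origin(gid: int) -> str:
    """Label a gid by where it most likely came from (see module docstring)."""
    return "idmap.ldb-allocated" if gid >= IDMAP_ALLOC_BASE else "rfc2307"


def compare_dcs(outputs: Dict[str, str]) -> Dict[str, Dict[str, List[int]]]:
    """For each DC, list the gids some other DC printed but this one did not,
    bucketed by origin. A non-empty 'idmap.ldb-allocated' bucket on a DC
    points at local xid allocation diverging from the other DCs."""
    parsed = {dc: parse_wbinfo_r(txt) for dc, txt in outputs.items()}
    union: Set[int] = set().union(*parsed.values())
    report: Dict[str, Dict[str, List[int]]] = {}
    for dc, gids in parsed.items():
        missing = sorted(union - gids)
        report[dc] = {"rfc2307": [], "idmap.ldb-allocated": []}
        for g in missing:
            report[dc][origin(g)].append(g)
    return report


def main(argv: List[str]) -> int:
    """Usage: compare_wbinfo.py DC1=dc1.txt DC2=dc2.txt ...
    With no arguments, compares the two captures embedded above."""
    if len(argv) > 1:
        outputs = {}
        for arg in argv[1:]:
            name, path = arg.split("=", 1)
            with open(path) as fh:
                outputs[name] = fh.read()
    else:
        outputs = {"DC1": DC1_OUTPUT, "DC2": DC2_OUTPUT}
    for dc, buckets in compare_dcs(outputs).items():
        for kind, gids in buckets.items():
            if gids:
                print(f"{dc}: missing {len(gids)} {kind} gid(s): {gids}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with one `NAME=file` argument per DC, each file being the raw `wbinfo -r` output captured there. The rfc2307 bucket is the one to chase first: those gids come straight from AD and should agree everywhere, so a gap there is a stale lookup on that DC (the cache behaviour James describes, which `net cache flush` clears without a `wbinfo -a` logon). Gids in the idmap.ldb-allocated bucket only ever match across DCs if idmap.ldb was copied before each DC started allocating its own numbers, so differing 3000xxx values there are an idmap.ldb sync problem rather than a cache one.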