[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
abartlet at samba.org
Mon Sep 4 21:11:56 UTC 2023
On Mon, 2023-09-04 at 22:09 +0200, Kees van Vloten via samba wrote:
> Hi Team,
> I am setting up a new AD-domain, the first DC is just operational and
> some users and groups are created.
> This run on Debian 11, Samba 4.18.6 and it is set up with the same
> (but evolved) Ansible code I used for my other domains (all of them
> on different networks and independent of each other). The older
> domains were initially set up with Samba 4.14 and another with 4.15
> and upgraded many times since, the new setup with 4.18.6. In all
> places gets installed from the same debian packages.
> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> exactly the same (apart from the domain name etc.) on the existing
> domains and the new domain. And all domains were provisioned with '
> 'samba-tool processes | wc -l' is equal between old and new: 24
> lines. And ps aux | grep winbindd also shows an equal number of
> winbind processes.
> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
> and group.
> Now the mystery starts: there is a difference in id (uid/gid) lookups
> on a DC between the older domains and the new domain.
> It looks like the new domain is not querying
> /var/lib/samba/private/idmap.ldb (but is does exist there), whereas
> the older once are.
> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
> On the old domain(s) this results (as expected) in:
> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> But on the new domain the lookup has no result.
> Another indication that /var/lib/samba/private/idmap.ldb is not used
> comes from the group lookup of domain admins:
> getent group '<DOMAIN-NAME>\domain admins'
> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber
> in idmap.ldb)
> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in
> the ldap record of the group)
> Would could cause this different behaviour (on these 2 very similar
Did you bring the idmap.ldb from an earlier environment the first time,
or only set the IDs into LDAP later?
I don't recall how I set up the preference logic here, but it may have
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba