[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
Kees van Vloten
keesvanvloten at gmail.com
Tue Sep 5 09:35:54 UTC 2023
On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>> Thanks for checking.
>> It looks like there is no simple answer but it must be something in my
>> new environment. I will do some more debugging later today.
> Are you really sure this is something in your new environment, not
> something odd about the old one?
Yes, it runs on a freshly deployed physical machine in a new lxc container.
I am building up a completely new environment. I am using common Ansible
code (roles and playbooks) but an inventory per environment. The only
differences are names, networks etc. and of course upgrade history for
the existing environments.
> I've not followed this too closely, but the idea with the mode you
> selected is that the AD uidNumber and gidNumber are the correct
> values, not idmap.ldb values which should never be consulted for these
> users any more.
The interesting observation is that my other domains are 15 - 40 months
old but apart from that exactly the same (as far as I can see) and they
behave very differently in this id lookup on the DC.
Rowland just mentioned the winbind cache (how can I check its content?),
that is certainly something which is different. Also the content of
idmap.ldb is much, much bigger on the older domains.
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> Samba Development and Support: https://catalyst.net.nz/services/samba
> Catalyst IT - Expert Open Source Solutions