[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Kees van Vloten keesvanvloten at gmail.com
Tue Sep 5 09:35:54 UTC 2023

On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>> Thanks for checking.
>> It looks like there is no simple answer but it must be something in my
>> new environment. I will do some more debugging later today.
> Are you really sure this is something in your new environment, not 
> something odd about the old one?

Yes, it runs on a freshly deployed physical machine in a new lxc container.

I am building up a completely new environment. I am using common Ansible 
code (roles and playbooks) but an inventory per environment. The only 
differences are names, networks etc. and of course upgrade history for 
the existing environments.

> I've not followed this too closely, but the idea with the mode you 
> selected is that the AD uidNumber and gidNumber are the correct 
> values, not idmap.ldb values which should never be consulted for these 
> users any more.

The interesting observation is that my other domains are 15 - 40 months 
old but apart from that exactly the same (as far as I can see) and they 
behave very differently in this id lookup on the dc.

Rowland just mentioned the winbind cache (how can I check its content?), 
that is certainly something which is different. Also the content of 
idmap.ldb is much, much bigger on the older domains.

> Andrew,
> -- 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group 
> company
> Samba Development and Support: https://catalyst.net.nz/services/samba
> Catalyst IT - Expert Open Source Solutions
