[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Rowland Penny rpenny at samba.org
Tue Sep 5 09:55:44 UTC 2023

On Tue, 5 Sep 2023 11:35:54 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> > On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
> >> Thanks for checking.
> >> It looks like there is no simple answer but it must be something
> >> in my new environment. I will do some more debugging later today.
> >
> > Are you really sure this is something in your new environment, not 
> > something odd about the old one?
> Yes, it runs on a freshly deployed physical machine in a new lxc
> container.
> I am building up a completely new environment. I am using common
> Ansible code (roles and playbooks) but an inventory per environment.
> The only differences are names, networks etc. and of course upgrade
> history for the existing environments.
> >
> > I've not followed this too closely, but the idea with the mode you 
> > selected is that the AD uidNumber and gidNumber are the correct 
> > values, not idmap.ldb values which should never be consulted for
> > these users any more.
> The interesting observation is that my other domains are 15 - 40
> months old but apart from that exactly the same (as far as I can see)
> and they behave very differently in this id lookup on the dc.
> Rowland just mentioned the winbind cache (how can I check its
> content?), that is certainly something which is different. Also the
> content of idmap.ldb is much much bigger on the older domains.

You can see the contents of the cache with:

net cache list

