Andrew Bartlett
2023-Sep-05 09:22 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
> Thanks for checking.
>
> It looks like there is no simple answer but it must be something in my
> new environment. I will do some more debugging later today.

Are you really sure this is something in your new environment, not something odd about the old one?

I've not followed this too closely, but the idea with the mode you selected is that the AD uidNumber and gidNumber are the correct values, not idmap.ldb values which should never be consulted for these users any more.

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

Kees van Vloten
2023-Sep-05 09:35 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>> Thanks for checking.
>> It looks like there is no simple answer but it must be something in my
>> new environment. I will do some more debugging later today.
>
> Are you really sure this is something in your new environment, not
> something odd about the old one?

Yes, it runs on a freshly deployed physical machine in a new lxc container. I am building up a completely new environment. I am using common Ansible code (roles and playbooks) but an inventory per environment. The only differences are names, networks etc. and of course upgrade history for the existing environments.

> I've not followed this too closely, but the idea with the mode you
> selected is that the AD uidNumber and gidNumber are the correct
> values, not idmap.ldb values which should never be consulted for these
> users any more.

The interesting observation is that my other domains are 15 - 40 months old but apart from that exactly the same (as far as I can see) and they behave very differently in this id lookup on the dc. Rowland just mentioned the winbind cache (how can I check its content?), that is certainly something which is different. Also the content of idmap.ldb is much, much bigger on the older domains.

> Andrew,