Kees van Vloten
2023-Sep-05 09:35 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>> Thanks for checking.
>> It looks like there is no simple answer but it must be something in my
>> new environment. I will do some more debugging later today.
>
> Are you really sure this is something in your new environment, not
> something odd about the old one?

Yes, it runs on a freshly deployed physical machine in a new lxc container.

I am building up a completely new environment. I am using common Ansible code (roles and playbooks) but an inventory per environment. The only differences are names, networks etc. and of course upgrade history for the existing environments.

>
> I've not followed this too closely, but the idea with the mode you
> selected is that the AD uidNumber and gidNumber are the correct
> values, not idmap.ldb values which should never be consulted for these
> users any more.

The interesting observation is that my other domains are 15 - 40 months old but apart from that exactly the same (as far as I can see) and they behave very differently in this id lookup on the dc.

Rowland just mentioned the winbind cache (how can I check its content?), that is certainly something which is different. Also the content of idmap.ldb is much, much bigger on the older domains.

>
> Andrew,
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions

Rowland Penny
2023-Sep-05 09:55 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Tue, 5 Sep 2023 11:35:54 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 05-09-2023 at 11:22, Andrew Bartlett wrote:
> > On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
> >> Thanks for checking.
> >> It looks like there is no simple answer but it must be something
> >> in my new environment. I will do some more debugging later today.
> >
> > Are you really sure this is something in your new environment, not
> > something odd about the old one?
>
> Yes, it runs on a freshly deployed physical machine in a new lxc
> container.
>
> I am building up a completely new environment. I am using common
> Ansible code (roles and playbooks) but an inventory per environment.
> The only differences are names, networks etc. and of course upgrade
> history for the existing environments.
>
> >
> > I've not followed this too closely, but the idea with the mode you
> > selected is that the AD uidNumber and gidNumber are the correct
> > values, not idmap.ldb values which should never be consulted for
> > these users any more.
>
> The interesting observation is that my other domains are 15 - 40
> months old but apart from that exactly the same (as far as I can see)
> and they behave very differently in this id lookup on the dc.
>
> Rowland just mentioned the winbind cache (how can I check its
> content?), that is certainly something which is different. Also the
> content of idmap.ldb is much, much bigger on the older domains.
>

You can see the contents of the cache with:

net cache list

Rowland