samba - Jan 2026 - wbinfo only lists one DC and idmap troubles

On Mon, 12 Jan 2026 07:03:20 +0100
Andrea Venturoli via samba <samba at lists.samba.org> wrote:
> On 1/11/26 22:14, Rowland Penny via samba wrote:
> 
> > First thoughts, what is in the /etc/resolv.conf file on the clients
> > ?
> 
> > % cat /etc/resolv.conf 
> > # Generated by resolvconf
> > search xxx
> > nameserver 192.168.0.5
> > nameserver 192.168.0.6
> 
> These are not the DCs, but are two machines running BIND, which 
> "forward" the local.xxxxxxx.it zone to Samba DC (one each).
You are, in my opinion, doing it the wrong way around, your AD clients
should use the DCs as their nameservers and they should forward
anything outside the AD dns domain to your Bind9 dns servers.
> 
> 
> 
> BTW, today winbind chose the other DC:
> > # wbinfo --dc-info local.xxxxxxx.it
> > dc2.local.xxxxxxx.it (192.168.0.4) 
Well, yes, that is the way it is supposed to work, your clients contact
a DC, which finds out the best DC to use and returns that. The 'best'
DC can change.

I think what is happening to you is this:
Your clients are being told to use a DC,
You then turn off that DC
Your clients cannot find the DC because it is turned off, so they fall
back to the winbind cache and the cache does not contain the users home
directory and login shell, so they fall back to the template homedir
and shell lines in AD and they default to '/home/%D/%U' &
/bin/false'.

Rowland

On 1/12/26 11:10, Rowland Penny via samba wrote:
> You are, in my opinion, doing it the wrong way around, your AD clients
> should use the DCs as their nameservers and they should forward
> anything outside the AD dns domain to your Bind9 dns servers.
Hmm...
I cannot find this, but I remember I read a question (probably on this 
list) about what to choose between
a) pointing clients to Samba's internal DNS (which will forward 
everything it doesn't handle to BIND);
b) pointing client to BIND and let it contact Samba's internal DNS for 
AD zones.

The answer was "absolutely go for the latter" for performance reasons.
In any case I can change that, but does it matter WRT this problem?


> Well, yes, that is the way it is supposed to work, your clients contact
> a DC, which finds out the best DC to use and returns that. The
'best'
> DC can change.
So, back to my first question, it's normal that "wbinfo --dc-info 
local.xxxxxxx.it" only lists on DC. Right?


> I think what is happening to you is this:
> Your clients are being told to use a DC,
> You then turn off that DC
No.
The "on maintenance" DC was down before I turned on the client I
mainly
used for testing.


> Your clients cannot find the DC because it is turned off
There was the other DC running fine when the client I used for test was 
turned on.
That's the one winbind listed.


> directory and login shell, so they fall back to the template homedir
> and shell lines in AD and they default to '/home/%D/%U' &
/bin/false'.
This is what I thought (winbind was using the templates).



Still, there's some strangeness:
a) at power on there was a good DC and this was listed by "wbinfo 
--dc-info local.xxxxxxx.it";
b) that DC holded the right data, still winbind wasn't getting it!
c) After turning back on the other DC, everything started working again, 
but winbind was still listing the first DC.



  bye & Thanks
	av.