lingpanda101
2018-May-11 16:18 UTC
[Samba] wbinfo -r 'username' displays inconsistent results across DC's
Hello,

Looking up a user's group membership I'm showing different results on each DC. UID and GID mapping appears consistent but not all group membership is displayed. I've verified idmap.ldb is backed up and copied over to the other DC's. I do notice when taking a hot backup of idmap.ldb, the file size is dramatically smaller than the original. Using Microsoft RSAT to view group membership displays consistent results. This behavior is not consistent for all users. Many show consistent results while others do not. DC1, which is the first provisioned DC, appears to display all group membership accurately with wbinfo -r.

Ubuntu 14.04LTS

Samba 4.7.5

smb.conf (Consistent across all DC's)

    # Global parameters
    [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 75.75.75.75 208.67.222.222
    idmap_ldb:use rfc2307 = Yes
    server services = -dns

    log file = /usr/local/samba/var/log.samba
    max log size = 5000
    log level = 0 auth_audit:3
    debug timestamp = Yes
    debug uid = Yes
    debug pid = Yes

    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes

    tls enabled = yes
    tls keyfile = tls/myKey.pem
    tls certfile = tls/myCert.pem
    tls cafile

    ldap server require strong auth = no

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

    @DC2:~# wbinfo -r james
    10000
    3000141
    3000223
    3000224
    10031
    10004
    3000363
    3000030
    3000004
    3000005
    3000008
    10009
    10053
    10010
    10011
    10012
    10013
    10015
    3000031
    10034
    10032
    10033
    3000440
    10017
    3000566
    10019
    10007
    10022
    10023
    10024
    3000009
    3000034
    3000000

    @DC1:~# wbinfo -r james
    10000
    3000141
    3000223
    3000224
    10031
    3000368
    3000030
    3000004
    3000005
    3000008
    10043
    10009
    10053
    10010
    10011
    10012
    10013
    10015
    3000031
    10034
    10032
    10033
    3000451
    10017
    10019
    10007
    10022
    10023
    10024
    10025
    10026
    10030
    10036
    10037
    10038
    10039
    10040
    3000007
    10041
    10042
    10044
    3000515
    10045
    3000584
    3000009
    3000034
    3000000

-- 
James
lingpanda101
2018-May-15 15:40 UTC
[Samba] wbinfo -r 'username' displays inconsistent results across DC's
On 5/11/2018 12:18 PM, lingpanda101 wrote:
> Hello,
>
> Looking up a user's group membership I'm showing different results
> on each DC. UID and GID mapping appears consistent but not all group
> membership is displayed. I've verified idmap.ldb is backed up and
> copied over to the other DC's. I do notice when taking a hot backup of
> idmap.ldb, the file size is dramatically smaller than the original.
> Using Microsoft RSAT to view group membership displays consistent
> results. This behavior is not consistent for all users. Many show
> consistent results while others do not. DC1, which is the first
> provisioned DC, appears to display all group membership accurately with
> wbinfo -r.
>
> [...]

I think I found the issue. It appears the idmap cache is not clearing. If I execute 'wbinfo -a domain\\username' and successfully authenticate I get correct results. This overwrites the cache. I'm curious if others are experiencing this same result and if it's intended?

-- 
James
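The two posts above describe a manual comparison of `wbinfo -r` output between DCs and a manual "authenticate, then look again" check. The script below is an added example, not code from the thread or from Samba: it diffs the two posted GID lists offline (the lists are copied from the DC1/DC2 output above; the `dc1`/`dc2` hostnames and the `live_compare`/`cache_refresh_check` helpers are assumptions for live use). The password for `wbinfo -a` is left to the interactive prompt rather than passed as `user%password`, which would end up in shell history and `ps` output.

```shell
#!/bin/sh
# Added example (not from the Samba list posts): compare the GID lists that
# "wbinfo -r USER" returns on two DCs, and check whether a successful
# "wbinfo -a" changes what one DC returns.

# Constructed from the posted output: DC1 (first provisioned) and DC2.
DC1_IDS="10000 3000141 3000223 3000224 10031 3000368 3000030 3000004 3000005 3000008 10043 10009 10053 10010 10011 10012 10013 10015 3000031 10034 10032 10033 3000451 10017 10019 10007 10022 10023 10024 10025 10026 10030 10036 10037 10038 10039 10040 3000007 10041 10042 10044 3000515 10045 3000584 3000009 3000034 3000000"
DC2_IDS="10000 3000141 3000223 3000224 10031 10004 3000363 3000030 3000004 3000005 3000008 10009 10053 10010 10011 10012 10013 10015 3000031 10034 10032 10033 3000440 10017 3000566 10019 10007 10022 10023 10024 3000009 3000034 3000000"

# missing_from A B: print the ids in list A that are absent from list B,
# one per line, numerically sorted. Lists are space-separated strings.
missing_from() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bs, " "); for (i = 1; i <= n; i++) have[bs[i]] = 1
        n = split(a, as, " "); for (i = 1; i <= n; i++) if (!(as[i] in have)) print as[i]
    }' | sort -n
}

# missing_count A B: how many ids in A does B lack?
missing_count() {
    missing_from "$1" "$2" | wc -l | tr -d ' '
}

# first_missing A B: the lowest id in A that B lacks (empty if none).
first_missing() {
    missing_from "$1" "$2" | head -n 1
}

# Live use (assumed hostnames): pull the list from each DC over ssh and
# report the asymmetric differences. Usage: live_compare 'DOMAIN\james' dc1 dc2
live_compare() {
    user=$1; ref=$2; other=$3
    ref_ids=$(ssh "$ref" wbinfo -r "$user" | tr '\n' ' ')
    other_ids=$(ssh "$other" wbinfo -r "$user" | tr '\n' ' ')
    printf 'on %s but not %s:\n' "$ref" "$other"; missing_from "$ref_ids" "$other_ids"
    printf 'on %s but not %s:\n' "$other" "$ref"; missing_from "$other_ids" "$ref_ids"
}

# Run on one DC: does a successful authentication change the answer?
# wbinfo -a prompts for the password when none is given on the command line.
cache_refresh_check() {
    user=$1
    before=$(wbinfo -r "$user" | tr '\n' ' ')
    wbinfo -a "$user" >/dev/null || return 1
    after=$(wbinfo -r "$user" | tr '\n' ' ')
    printf 'gained after wbinfo -a:\n'; missing_from "$after" "$before"
    printf 'lost after wbinfo -a:\n';   missing_from "$before" "$after"
}

# Offline demonstration on the posted lists.
printf 'On DC1 but not DC2 (%s ids):\n' "$(missing_count "$DC1_IDS" "$DC2_IDS")"
missing_from "$DC1_IDS" "$DC2_IDS"
printf 'On DC2 but not DC1 (%s ids):\n' "$(missing_count "$DC2_IDS" "$DC1_IDS")"
missing_from "$DC2_IDS" "$DC1_IDS"
```

Two things the diff makes visible that the raw lists hide. First, 18 ids that DC1 returns are absent on DC2 and 4 appear only on DC2, so a client that happens to bind to DC2 is authorised against a different group set than one bound to DC1, which matters for any file ACL or `valid users` rule evaluated through winbind. Second, the ids that differ are not only missing: where DC1 reports 3000368, 3000451 and 3000584, DC2 reports 3000363, 3000440 and 3000566. Ids in the 3000000 range are allocated locally by each DC's idmap.ldb, while the 10000-range ids come from the RFC2307 attributes in AD that `idmap_ldb:use rfc2307 = Yes` selects, so mismatched 3000xxx values are the usual sign that the two idmap.ldb files have diverged, which is worth checking alongside the cache theory in the second post.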