Rowland Penny
2023-Sep-05 09:55 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Tue, 5 Sep 2023 11:35:54 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> On 05-09-2023 at 11:22 Andrew Bartlett wrote:
> > On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
> >> Thanks for checking.
> >> It looks like there is no simple answer but it must be something
> >> in my new environment. I will do some more debugging later today.
> >
> > Are you really sure this is something in your new environment, not
> > something odd about the old one?
>
> Yes, it runs on a freshly deployed physical machine in a new lxc
> container.
>
> I am building up a completely new environment. I am using common
> Ansible code (roles and playbooks) but an inventory per environment.
> The only differences are names, networks etc. and of course upgrade
> history for the existing environments.
>
> > I've not followed this too closely, but the idea with the mode you
> > selected is that the AD uidNumber and gidNumber are the correct
> > values, not idmap.ldb values which should never be consulted for
> > these users any more.
>
> The interesting observation is that my other domains are 15 - 40
> months old but apart from that exactly the same (as far as I can see)
> and they behave very differently in this id lookup on the dc.
>
> Rowland just mentioned the winbind cache (how can I check its
> content?), that is certainly something which is different. Also the
> content of idmap.ldb is much much bigger on the older domains.
>

You can see the contents of the cache with:

net cache list

Rowland
Kees van Vloten
2023-Sep-07 19:12 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb (solved)
On 05-09-2023 11:55, Rowland Penny via samba wrote:
> On Tue, 5 Sep 2023 11:35:54 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 05-09-2023 at 11:22 Andrew Bartlett wrote:
>>> On Tue, 2023-09-05 at 11:10 +0200, Kees van Vloten via samba wrote:
>>>> Thanks for checking.
>>>> It looks like there is no simple answer but it must be something
>>>> in my new environment. I will do some more debugging later today.
>>> Are you really sure this is something in your new environment, not
>>> something odd about the old one?
>> Yes, it runs on a freshly deployed physical machine in a new lxc
>> container.
>>
>> I am building up a completely new environment. I am using common
>> Ansible code (roles and playbooks) but an inventory per environment.
>> The only differences are names, networks etc. and of course upgrade
>> history for the existing environments.
>>
>>> I've not followed this too closely, but the idea with the mode you
>>> selected is that the AD uidNumber and gidNumber are the correct
>>> values, not idmap.ldb values which should never be consulted for
>>> these users any more.
>> The interesting observation is that my other domains are 15 - 40
>> months old but apart from that exactly the same (as far as I can see)
>> and they behave very differently in this id lookup on the dc.
>>
>> Rowland just mentioned the winbind cache (how can I check its
>> content?), that is certainly something which is different. Also the
>> content of idmap.ldb is much much bigger on the older domains.
>>
> You can see the contents of the cache with:
>
> net cache list
>
> Rowland

I found the issue, as expected: too silly to talk about :-)

After installing the Debian packages, "samba-tool domain provision" and adding a lot of settings to smb.conf, one *must* restart samba-ad-dc and only then uid/gid resolving of domain user/group names starts to work ...

The Ansible code is now updated to restart samba before the first name lookup takes place.
Rowland and Andrew thanks for your help!
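The sequence that resolved the thread (provision, edit smb.conf, restart samba-ad-dc, and only then do name lookups) as a post-provision check script. This is an added example, not code from the thread, from Kees' Ansible roles, or from the Samba project. It assumes a systemd unit named samba-ad-dc and that wbinfo, getent and net are on PATH; the user and group names passed to it are whatever the provisioned domain actually contains.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): post-provision
# check that restarts samba-ad-dc before the first name lookup, then verifies
# that domain user/group names resolve to numeric ids through NSS/winbind.
# Assumptions: systemd unit "samba-ad-dc", and wbinfo/getent/net on PATH.

# Restart the AD DC service and wait until winbindd answers a ping.
restart_ad_dc() {
    systemctl restart samba-ad-dc || return 1
    tries=0
    until wbinfo -p >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -ge 30 ] && return 1   # give up after about 30 s
        sleep 1
    done
    return 0
}

# Return 0 when NAME (or a numeric uid) resolves via getent to an entry
# with a numeric uid field, 1 otherwise (unknown name or malformed entry).
id_resolves() {
    entry=$(getent passwd "$1") || return 1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Same check for groups (the gidNumber field).
gid_resolves() {
    entry=$(getent group "$1") || return 1
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Full sequence: restart first, then check each argument of the form
# user:NAME or group:NAME. On any failure, dump the winbind cache with
# "net cache list" (the command Rowland pointed to) to help debugging.
verify_domain_lookups() {
    restart_ad_dc || { echo "samba-ad-dc did not come up" >&2; return 1; }
    rc=0
    for spec in "$@"; do
        kind=${spec%%:*}; name=${spec#*:}
        case "$kind" in
            user)  id_resolves "$name"  || { echo "user $name: no uid" >&2; rc=1; } ;;
            group) gid_resolves "$name" || { echo "group $name: no gid" >&2; rc=1; } ;;
            *)     echo "bad spec: $spec" >&2; rc=1 ;;
        esac
    done
    [ "$rc" -ne 0 ] && net cache list >&2
    return "$rc"
}

# Usage (only runs when invoked with --check; hypothetical names):
#   sh post_provision_check.sh --check 'user:EXAMPLE\alice' 'group:EXAMPLE\domain users'
if [ "${1-}" = "--check" ]; then
    shift
    verify_domain_lookups "$@"
fi
```

Running this as the last step of a provisioning playbook (or by hand after editing smb.conf) turns the "silly" mistake into a hard failure with the cache contents attached, instead of a domain that silently returns no uid/gid until someone restarts the service.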