Andrea Venturoli
2026-Jan-12 06:03 UTC
[Samba] wbinfo only lists one DC and idmap troubles
On 1/11/26 22:14, Rowland Penny via samba wrote:

> First thoughts, what is in the /etc/resolv.conf file on the clients ?

> % cat /etc/resolv.conf
> # Generated by resolvconf
> search xxx
> nameserver 192.168.0.5
> nameserver 192.168.0.6

These are not the DCs, but are two machines running BIND, which "forward" the local.xxxxxxx.it zone to Samba DC (one each).

BTW, today winbind chose the other DC:

> # wbinfo --dc-info local.xxxxxxx.it
> dc2.local.xxxxxxx.it (192.168.0.4)

bye & Thanks
av.

On Mon, 12 Jan 2026 07:03:20 +0100 Andrea Venturoli via samba <samba at lists.samba.org> wrote:

> On 1/11/26 22:14, Rowland Penny via samba wrote:
>
> > > First thoughts, what is in the /etc/resolv.conf file on the clients ?
>
> > % cat /etc/resolv.conf
> > # Generated by resolvconf
> > search xxx
> > nameserver 192.168.0.5
> > nameserver 192.168.0.6
>
> These are not the DCs, but are two machines running BIND, which
> "forward" the local.xxxxxxx.it zone to Samba DC (one each).

You are, in my opinion, doing it the wrong way around: your AD clients should use the DCs as their nameservers, and they should forward anything outside the AD DNS domain to your Bind9 DNS servers.

> BTW, today winbind chose the other DC:
> > # wbinfo --dc-info local.xxxxxxx.it
> > dc2.local.xxxxxxx.it (192.168.0.4)

Well, yes, that is the way it is supposed to work: your clients contact a DC, which finds out the best DC to use and returns that. The 'best' DC can change.

I think what is happening to you is this:

Your clients are being told to use a DC.
You then turn off that DC.
Your clients cannot find the DC because it is turned off, so they fall back to the winbind cache, and the cache does not contain the user's home directory and login shell, so they fall back to the template homedir and shell lines in AD, and they default to '/home/%D/%U' & '/bin/false'.

Rowland
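
An added example, not part of either message and not Samba project code: a small audit for the two symptoms discussed in this thread, namely resolvers in /etc/resolv.conf that are not a DC winbind reported, and passwd entries carrying the template values named in the reply. The resolv.conf and `wbinfo --dc-info` text are the ones posted above; the `getent passwd` lines, the short domain name `EXAMPLE` and both users are constructed for illustration.

```python
import re

# Template values named in the reply above.
TEMPLATE_HOMEDIR = "/home/%D/%U"
TEMPLATE_SHELL = "/bin/false"

# resolv.conf and wbinfo output as posted in the thread.
RESOLV_CONF = """# Generated by resolvconf
search xxx
nameserver 192.168.0.5
nameserver 192.168.0.6
"""
DC_INFO = "dc2.local.xxxxxxx.it (192.168.0.4)\n"

# Constructed `getent passwd` lines; domain EXAMPLE and both users are made up.
PASSWD = (
    "EXAMPLE\\alice:*:11001:10513::/home/EXAMPLE/alice:/bin/false\n"
    "EXAMPLE\\bob:*:11002:10513::/home/bob:/bin/bash\n"
)

def nameservers(resolv_conf):
    """Nameserver addresses from resolv.conf text, skipping comment lines."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def dc_addresses(dc_info):
    """IPs from `wbinfo --dc-info` lines shaped like 'host (address)'."""
    return set(re.findall(r"^\S+\s+\(([^)\s]+)\)\s*$", dc_info, re.MULTILINE))

def non_dc_resolvers(resolv_conf, dc_info):
    """Resolvers the client queries that are not a DC winbind reported."""
    dcs = dc_addresses(dc_info)
    return [ns for ns in nameservers(resolv_conf) if ns not in dcs]

def template_fallback_users(passwd_text, domain):
    """Accounts whose home and shell both equal the expanded template values."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        user = f[0].split("\\")[-1]  # strip "DOMAIN\" if winbind prefixes it
        home = TEMPLATE_HOMEDIR.replace("%D", domain).replace("%U", user)
        if f[5] == home and f[6] == TEMPLATE_SHELL:
            hits.append(f[0])
    return hits
```
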