samba - Jan 2026 - wbinfo only lists one DC and idmap troubles

On 1/12/26 11:10, Rowland Penny via samba wrote:
> You are, in my opinion, doing it the wrong way around, your AD clients
> should use the DCs as their nameservers and they should forward
> anything outside the AD dns domain to your Bind9 dns servers.
Hmm...
I cannot find this, but I remember I read a question (probably on this 
list) about what to choose between
a) pointing clients to Samba's internal DNS (which will forward 
everything it doesn't handle to BIND);
b) pointing client to BIND and let it contact Samba's internal DNS for 
AD zones.

The answer was "absolutely go for the latter" for performance reasons.
In any case I can change that, but does it matter WRT this problem?


> Well, yes, that is the way it is supposed to work, your clients contact
> a DC, which finds out the best DC to use and returns that. The
'best'
> DC can change.
So, back to my first question, it's normal that "wbinfo --dc-info 
local.xxxxxxx.it" only lists on DC. Right?


> I think what is happening to you is this:
> Your clients are being told to use a DC,
> You then turn off that DC
No.
The "on maintenance" DC was down before I turned on the client I
mainly
used for testing.


> Your clients cannot find the DC because it is turned off
There was the other DC running fine when the client I used for test was 
turned on.
That's the one winbind listed.


> directory and login shell, so they fall back to the template homedir
> and shell lines in AD and they default to '/home/%D/%U' &
/bin/false'.
This is what I thought (winbind was using the templates).



Still, there's some strangeness:
a) at power on there was a good DC and this was listed by "wbinfo 
--dc-info local.xxxxxxx.it";
b) that DC holded the right data, still winbind wasn't getting it!
c) After turning back on the other DC, everything started working again, 
but winbind was still listing the first DC.



  bye & Thanks
	av.

On Mon, 12 Jan 2026 12:17:27 +0100
Andrea Venturoli via samba <samba at lists.samba.org> wrote:
> On 1/12/26 11:10, Rowland Penny via samba wrote:
> 
> > You are, in my opinion, doing it the wrong way around, your AD
> > clients should use the DCs as their nameservers and they should
> > forward anything outside the AD dns domain to your Bind9 dns
> > servers.
> 
> Hmm...
> I cannot find this, but I remember I read a question (probably on
> this list) about what to choose between
> a) pointing clients to Samba's internal DNS (which will forward 
> everything it doesn't handle to BIND);
> b) pointing client to BIND and let it contact Samba's internal DNS
> for AD zones.
> 
> The answer was "absolutely go for the latter" for performance
reasons.
> In any case I can change that, but does it matter WRT this problem?
I do not know where you found that, but all Samba AD DCs are
authoritative for the AD dns domain and should be your first port of
call, anything they do not know (outside the AD dns domain) should be
forwarded to another dns server.
> 
> 
> 
> > Well, yes, that is the way it is supposed to work, your clients
> > contact a DC, which finds out the best DC to use and returns that.
> > The 'best' DC can change.
> 
> So, back to my first question, it's normal that "wbinfo --dc-info 
> local.xxxxxxx.it" only lists on DC. Right?
That is correct and it may not always be the same DC.
> 
> 
> 
> > I think what is happening to you is this:
> > Your clients are being told to use a DC,
> > You then turn off that DC
> 
> No.
> The "on maintenance" DC was down before I turned on the client I
> mainly used for testing.
Doesn't matter, if your Samba client is told to use a DC and that DC is
down, it will fall back to cache (if there is one) and for anything not
in the cache, it will rely on any settings in the smb.conf file,
these may be default settings (which appears to be what you are
getting).
> 
> 
> 
> > Your clients cannot find the DC because it is turned off
> 
> There was the other DC running fine when the client I used for test
> was turned on.
> That's the one winbind listed.
> 
> 
> 
> > directory and login shell, so they fall back to the template homedir
> > and shell lines in AD and they default to '/home/%D/%U' &
> > /bin/false'.
> 
> This is what I thought (winbind was using the templates).
> 
> 
> 
> Still, there's some strangeness:
> a) at power on there was a good DC and this was listed by "wbinfo 
> --dc-info local.xxxxxxx.it";
> b) that DC holded the right data, still winbind wasn't getting it!
> c) After turning back on the other DC, everything started working
> again, but winbind was still listing the first DC.
I think you may be hitting this bug:
https://bugzilla.samba.org/show_bug.cgi?id=14597

Rowland