On Mon, 12 Jan 2026 12:17:27 +0100
Andrea Venturoli via samba <samba at lists.samba.org> wrote:

> On 1/12/26 11:10, Rowland Penny via samba wrote:
>
> > You are, in my opinion, doing it the wrong way around, your AD
> > clients should use the DCs as their nameservers and they should
> > forward anything outside the AD dns domain to your Bind9 dns
> > servers.
>
> Hmm...
> I cannot find this, but I remember I read a question (probably on
> this list) about what to choose between
> a) pointing clients to Samba's internal DNS (which will forward
> everything it doesn't handle to BIND);
> b) pointing clients to BIND and letting it contact Samba's internal DNS
> for AD zones.
>
> The answer was "absolutely go for the latter" for performance reasons.
> In any case I can change that, but does it matter WRT this problem?

I do not know where you found that, but all Samba AD DCs are
authoritative for the AD dns domain and should be your first port of
call, anything they do not know (outside the AD dns domain) should be
forwarded to another dns server.

>
> > Well, yes, that is the way it is supposed to work, your clients
> > contact a DC, which finds out the best DC to use and returns that.
> > The 'best' DC can change.
>
> So, back to my first question, it's normal that "wbinfo --dc-info
> local.xxxxxxx.it" only lists one DC. Right?

That is correct and it may not always be the same DC.

>
> > I think what is happening to you is this:
> > Your clients are being told to use a DC,
> > You then turn off that DC
>
> No.
> The "on maintenance" DC was down before I turned on the client I
> mainly used for testing.

Doesn't matter, if your Samba client is told to use a DC and that DC is
down, it will fall back to cache (if there is one) and for anything not
in the cache, it will rely on any settings in the smb.conf file, these
may be default settings (which appears to be what you are getting).

>
> > Your clients cannot find the DC because it is turned off
>
> There was the other DC running fine when the client I used for test
> was turned on.
> That's the one winbind listed.
>
> > directory and login shell, so they fall back to the template homedir
> > and shell lines in AD and they default to '/home/%D/%U' &
> > /bin/false'.
>
> This is what I thought (winbind was using the templates).
>
> Still, there's some strangeness:
> a) at power on there was a good DC and this was listed by "wbinfo
> --dc-info local.xxxxxxx.it";
> b) that DC held the right data, still winbind wasn't getting it!
> c) After turning back on the other DC, everything started working
> again, but winbind was still listing the first DC.

I think you may be hitting this bug:
https://bugzilla.samba.org/show_bug.cgi?id=14597

Rowland
Andrea Venturoli
2026-Jan-12 12:17 UTC
[Samba] wbinfo only lists one DC and idmap troubles
On 1/12/26 12:41, Rowland Penny via samba wrote:

> I do not know where you found that, but all Samba AD DCs are
> authoritative for the AD dns domain and should be your first port of
> call, anything they do not know (outside the AD dns domain) should be
> forwarded to another dns server.

OK. I'll look into this.

>> So, back to my first question, it's normal that "wbinfo --dc-info
>> local.xxxxxxx.it" only lists one DC. Right?
>
> That is correct and it may not always be the same DC.

OK. Fine.

> Doesn't matter, if your Samba client is told to use a DC and that DC is
> down,

Told by whom?
I expected at boot Winbind would look for the list of DCs, eventually
try to contact one and, if that fails, contact the other.
(Which, BTW, I think it did, because that's what was listed and I saw
traffic from the client to the working DC).

> I think you may be hitting this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=14597

Thanks.
At first sight, there are some slight differences ("getent group" worked
for me), but I'll look into this.

bye & Thanks
av.
Greg Sloop <gregs@sloop.net>
2026-Jan-12 15:29 UTC
[Samba] wbinfo only lists one DC and idmap troubles
On Mon, Jan 12, 2026 at 3:42 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 12 Jan 2026 12:17:27 +0100
> Andrea Venturoli via samba <samba at lists.samba.org> wrote:
>
> > On 1/12/26 11:10, Rowland Penny via samba wrote:
> >
> > > You are, in my opinion, doing it the wrong way around, your AD
> > > clients should use the DCs as their nameservers and they should
> > > forward anything outside the AD dns domain to your Bind9 dns
> > > servers.
> >
> > Hmm...
> > I cannot find this, but I remember I read a question (probably on
> > this list) about what to choose between
> > a) pointing clients to Samba's internal DNS (which will forward
> > everything it doesn't handle to BIND);
> > b) pointing clients to BIND and letting it contact Samba's internal DNS
> > for AD zones.
> >
> > The answer was "absolutely go for the latter" for performance reasons.
> > In any case I can change that, but does it matter WRT this problem?
>
> I do not know where you found that, but all Samba AD DCs are
> authoritative for the AD dns domain and should be your first port of
> call, anything they do not know (outside the AD dns domain) should be
> forwarded to another dns server.
>

From a technical perspective, IT DOES NOT MATTER which is first, the BIND
server or the DC name server - *as long as all the queries for DC "answers"
go to the DC name servers.*

I don't trust the AD name servers to be reliable enough to serve a large
network and keep working properly. (I use the internal Samba AD name
server, and no, it's not very reliable. Quite regularly it quits handling
DNS queries, but since I have several DCs, it's not a huge issue - I just
have to restart the box and it rights itself, but it's clearly not as
bomb proof as BIND.)

So, I run a pair of plain BIND servers as my primary and only name source
for the clients. But all the AD DNS is in a zone - e.g.
*.ad.myspecialdomain.com - and BIND is instructed to forward all queries
for *.ad.myspecialdomain.com to the Samba AD name servers. It works
perfectly fine.

A small fraction of my DNS lookups are AD related, so it makes, IMO, much
more sense to have BIND as the primary. (On top of the reliability issues
noted previously.)

So, I'll just say that I think Rowland is tilting at windmills here.
Again, it's fine EITHER WAY, as long as all the DNS queries for AD zones
get answers from the AD name servers, even if that's a "forwarded"
response.

(If AD queries aren't reliably getting handled, or somehow getting
answered by non-AD servers, then obviously it's going to be bad and break
things. Thus, if you put BIND as the primary, you need to be sure it's
properly configured, just like everything else. This is perhaps the one
place where Rowland has a point. If the AD servers are primary DNS for the
clients, and forward everything they aren't authoritative for, there's
less to break, or misconfigure. But that certainly doesn't mean it doesn't
work, or that there aren't very valid reasons for doing it that way.)
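Added example, written by the editor and not taken from any message in this thread: a small POSIX shell helper for the layout Greg describes (plain BIND as the clients' resolver, the AD zone forwarded to the DCs) together with the check both posters agree matters, namely that AD service lookups actually come back from hosts inside the AD zone rather than from some other server. The domain ad.example.test, the DC addresses 10.0.0.1 and 10.0.0.2, the function names and the embedded dig output are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list thread. Emits the BIND forward-zone
# stanza for an AD domain and checks that a domain member's resolver hands
# back the AD SRV records from DCs, whichever server the client points at.
# Assumed/constructed: ad.example.test, 10.0.0.1, 10.0.0.2, SAMPLE_* data.

# SRV names every domain member depends on for domain $1: the DC locator
# records under _msdcs plus the plain LDAP/Kerberos records.
ad_srv_names() {
    d=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d"
}

# named.conf stanza for the BIND-first layout: every name under the AD
# domain is forwarded to the DCs only. "forward only" stops BIND from
# trying to resolve the zone by itself when all forwarders are down,
# which would otherwise produce non-AD answers for AD names.
bind_forward_zone() {
    d=$1
    shift
    fwd=""
    for dc in "$@"; do
        fwd="$fwd $dc;"
    done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' \
        "$d" "$fwd"
}

# Read `dig +short SRV` output ("prio weight port target.") on stdin.
# Succeed only if at least one record came back and every target is a
# host inside the AD domain $1; anything else means AD queries are being
# answered by a server that does not hold the AD zone.
srv_targets_ok() {
    d=$1
    seen=0
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        case "$target" in
            *."$d".) seen=1 ;;
            *) return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ]
}

# Live check: query resolver $1 for each SRV name of domain $2.
# Needs dig on PATH; not run at load time so the file can be sourced offline.
check_ad_dns() {
    resolver=$1
    d=$2
    for name in $(ad_srv_names "$d"); do
        if ! dig +short @"$resolver" SRV "$name" | srv_targets_ok "$d"; then
            echo "FAIL: $name via $resolver" >&2
            return 1
        fi
    done
    echo "OK: AD SRV records for $d served via $resolver"
}

# Constructed sample answers for _ldap._tcp.dc._msdcs.ad.example.test.
# Good: both targets are DCs inside the AD zone.
SAMPLE_GOOD='0 100 389 dc1.ad.example.test.
0 100 389 dc2.ad.example.test.'
# Bad: a host outside the AD zone answered, i.e. the zone is not being
# forwarded to the DCs (or a non-AD server holds a stale copy of it).
SAMPLE_BAD='0 100 389 ns1.example.test.'
```

Usage: drop the output of `bind_forward_zone ad.example.test 10.0.0.1 10.0.0.2` into the BIND configuration, then run `check_ad_dns <resolver-ip> ad.example.test` from a member against the resolver it is actually configured with. The same check applies to Rowland's layout (DCs as the members' resolvers); there the BIND stanza is not needed and the DCs instead carry a `dns forwarder` line in smb.conf pointing at the BIND servers for everything outside the AD domain.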