Hi. Getting the same ids on 2 DCs does not work anymore on Samba 4.2.1 with, in smb.conf:

server services = -dns +winbindd -winbind

If I set it to

server services = -dns -winbindd +winbind

it does work again. With 4.1.17 the solution was simple: we stopped Samba on both servers, ran

scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/

started Samba on both servers, and "id administrator" gave the same ids for all groups. Now on 4.2.1:

DC1:
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users), 3000004(group policy creator owners), 3000006(enterprise admins), 3000008(domain admins), 3000007(schema admins), 3000005(denied rodc password replication group), 3000009(BUILTIN\users), 3000000(BUILTIN\administrators)

id administrator
uid=0(root) gid=100(users) groups=0(root),100(users), 3000011(group policy creator owners), 3000010(enterprise admins), 3000007(domain admins), 3000009(schema admins), 3000008(denied rodc password replication group), 3000001(BUILTIN\users), 3000000(BUILTIN\administrators)
This is not a supported thing to do, so this is not a valid bug. winbindd has a different way of caching entries (investigate gencache, for example), and this is probably what makes that hack stop working for you with winbindd.
This is not invalid and it is not solved! Like sysvol, idmap.ldb is not replicated to any other DCs. Prior to 4.2.0 the cure for this was to manually replicate idmap.ldb between DCs; this gave consistent IDs across DCs, just like the consistent IDs you get on member servers using the 'rid' backend. If you now want to have consistent IDs on sysvol using 4.2.x, you have to use 'winbind' instead of 'winbindd'. This, in my mind, is a regression and makes all of the work done by Andrew Bartlett pointless.
As an extra comment, which makes this more strange: yesterday I did copy idmap.ldb to the other DC. The output was different, so I switched back to winbind. Overnight I was thinking about this, and today I tested a bit again. So I switched back to winbindd without the idmap copy (this was already done yesterday), restarted Samba on both servers, ran "net cache flush" again and.. very strange, but now I have the same ids on both servers again, which makes this even stranger. Are we just too quick with checking, which results in different outputs?
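One way to check the symptom discussed in this thread, rather than eyeballing two long "id" lines, is to diff the outputs group by group. This is an added shell example, not code from the report or from Samba; the two strings it parses are copies of the outputs quoted above, and nothing else is assumed about the DCs.

```sh
#!/bin/sh
# Added example, not part of the bug report: parse the `id` output captured on
# two DCs, map each group name to the gid that DC hands out, and list the groups
# whose ids disagree. The two strings below are copies of the outputs quoted in
# the report (constructed test input; replace them with live captures).
DC1_ID='uid=0(root) gid=100(users) groups=0(root),100(users), 3000004(group policy creator owners), 3000006(enterprise admins), 3000008(domain admins), 3000007(schema admins), 3000005(denied rodc password replication group), 3000009(BUILTIN\users), 3000000(BUILTIN\administrators)'
DC2_ID='uid=0(root) gid=100(users) groups=0(root),100(users), 3000011(group policy creator owners), 3000010(enterprise admins), 3000007(domain admins), 3000009(schema admins), 3000008(denied rodc password replication group), 3000001(BUILTIN\users), 3000000(BUILTIN\administrators)'

# id_groups TAG OUTPUT: emit "TAG<tab>group name<tab>gid" for every entry in
# the groups= part of one `id` output line.
id_groups() {
    printf '%s\n' "$2" | awk -v tag="$1" -v OFS='\t' '
        {
            sub(/.*groups=/, "")
            n = split($0, g, ",")
            for (i = 1; i <= n; i++) {
                sub(/^ +/, "", g[i])          # drop the space that follows each comma
                p = index(g[i], "(")
                name = substr(g[i], p + 1, length(g[i]) - p - 1)
                print tag, name, substr(g[i], 1, p - 1)
            }
        }'
}

# idmap_diff DC1_OUTPUT DC2_OUTPUT: print "group<tab>gid on DC1<tab>gid on DC2"
# for every group whose gid differs or that only one DC reports ("-" marks the
# missing side). Prints nothing when both DCs agree, which is what a correctly
# replicated idmap.ldb should give.
idmap_diff() {
    { id_groups 1 "$1"; id_groups 2 "$2"; } | awk -F'\t' -v OFS='\t' '
        $1 == 1 { dc1[$2] = $3; next }
        {
            if (!($2 in dc1))       print $2, "-", $3
            else if (dc1[$2] != $3) print $2, dc1[$2], $3
            delete dc1[$2]
        }
        END { for (g in dc1) print g, dc1[g], "-" }'
}

# idmap_mismatches DC1_OUTPUT DC2_OUTPUT: number of disagreeing groups, handy
# as a pass/fail value in a monitoring check.
idmap_mismatches() {
    idmap_diff "$1" "$2" | awk 'END { print NR }'
}

idmap_diff "$DC1_ID" "$DC2_ID"
```

On the two outputs from the report this lists six groups (everything except root, users and BUILTIN\administrators), which is the mismatch the reporter describes.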