Bug 11241 - different ids even when idmap.ldb copied.
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
All All
: P5 normal
Assigned To: Samba QA Contact
Reported: 2015-04-29 08:51 UTC by Louis
Modified: 2015-04-30 08:29 UTC (History)
Description Louis 2015-04-29 08:51:03 UTC
Hi. Getting the same IDs on 2 DCs does not work anymore on Samba 4.2.1
with this in smb.conf:
server services = -dns +winbindd -winbind
If I set it to
server services = -dns -winbindd +winbind
it does work again.

With 4.1.17 the solution was simple: we stopped Samba on both servers,
scp /var/lib/samba/private/idmap.ldb root@
started Samba on both servers, and
id administrator gave the same IDs for all groups.

Now on 4.2.1
DC1:  id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),
3000004(group policy creator owners),
3000006(enterprise admins),
3000008(domain admins),
3000007(schema admins),
3000005(denied rodc password replication group),

id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),
3000011(group policy creator owners),
3000010(enterprise admins),
3000007(domain admins),
3000009(schema admins),
3000008(denied rodc password replication group),
Comment 1 Björn Jacke 2015-04-29 15:51:22 UTC
This is not a supported thing to do, so this is not a valid bug. winbindd has a different way of caching entries (investigate gencache, for example), and this is probably what makes that hack stop working for you with winbindd.
Comment 2 Rowland Penny 2015-04-30 08:07:36 UTC
This is not invalid and it is not solved!

Like sysvol, idmap.ldb is not replicated to any other DCs. Prior to 4.2.0 the cure for this was to manually replicate idmap.ldb between DCs; this gave consistent IDs across DCs, just like the consistent IDs you get on member servers using the 'rid' backend.

If you now want to have consistent IDs on sysvol using 4.2.x, you have to use 'winbind' instead of 'winbindd'; this, in my mind, is a regression and makes all of the work done by Andrew Bartlett pointless.
Comment 3 Louis 2015-04-30 08:29:57 UTC
As an extra comment,

which makes this more strange:

So yesterday I copied idmap.ldb to the other DC.
The output was different, so I switched back to winbind.

Overnight I was thinking about this, and tested a bit again today.
So I switched back to winbindd without the idmap copy;
this was already done yesterday.

I restarted Samba on both servers,
ran net cache flush again and..
very strange, but now I have the same IDs on both servers again.

Which makes this even stranger.

Are we just too quick with checking, which results in different outputs?
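
A check for the mismatch shown in the description, as an added example that is not part of the original bug report: it parses the two `id administrator` outputs posted there (assuming the second, unlabeled one is from the other DC) and reports groups whose IDs differ, plus IDs that resolve to a different group on each DC, which is what matters for ownership and ACLs on sysvol files copied between DCs. The function and variable names are hypothetical.

```python
import re

# id(1) output copied from the description, wrapped lines joined.
DC1 = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
       "3000004(group policy creator owners),3000006(enterprise admins),"
       "3000008(domain admins),3000007(schema admins),"
       "3000005(denied rodc password replication group),")
# Assumption: the second output in the description is from the other DC.
SECOND = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
          "3000011(group policy creator owners),3000010(enterprise admins),"
          "3000007(domain admins),3000009(schema admins),"
          "3000008(denied rodc password replication group),")

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # matches "3000008(domain admins)"


def parse_groups(id_output):
    """Return {group name: gid} from the groups= field of `id` output."""
    _, sep, groups = id_output.partition("groups=")
    if not sep:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in ENTRY.findall(groups)}


def compare(out_a, out_b):
    """Compare two `id` outputs for the same user.

    Returns (mismatched, collisions):
      mismatched  {name: (gid_a, gid_b)}  same group, different ID
      collisions  {gid: (name_a, name_b)} same ID, different group
    """
    a, b = parse_groups(out_a), parse_groups(out_b)
    mismatched = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    ids_a = {gid: name for name, gid in a.items()}
    ids_b = {gid: name for name, gid in b.items()}
    collisions = {g: (ids_a[g], ids_b[g])
                  for g in ids_a.keys() & ids_b.keys() if ids_a[g] != ids_b[g]}
    return mismatched, collisions


if __name__ == "__main__":
    mismatched, collisions = compare(DC1, SECOND)
    for name, (x, y) in sorted(mismatched.items()):
        print(f"MISMATCH  {name}: {x} vs {y}")
    for gid, (x, y) in sorted(collisions.items()):
        print(f"COLLISION {gid}: '{x}' vs '{y}'")
```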