winbindd_idmap.tdb recovery

Michael Steffens michael_steffens at hp.com
Wed Feb 6 01:43:03 GMT 2002


Hi Don,

anything involving "wbinfo -u" or "wbinfo -g" is not an option
in our environment, due to the scaling problem you mentioned.

We are dealing with more than 80000 NT accounts spread across a
dozen trusted domains, and I once already regretted having
invoked "wbinfo -u" out of curiosity :-)

Fortunately, the "-u" and "-g" modes of wbinfo don't attempt
to map IDs, but you can be sure to have winbindd busy for at
least the next couple of hours...

It's quite essential for us to avoid such overall queries,
and to restrict winbindd to accounts and groups it is
specifically being asked for.

Cheers!
Michael

"MCCALL,DON (HP-USA,ex1)" wrote:
> 
> Hi Michael,
> Sorry I was in a bit of a rush when I sent you that cobbled together
> perl script.
> The idea behind the script is twofold:
> 1. If you use it immediately after joining the domain and starting
>    winbindd, but BEFORE any connections are made to your system, then
>    running the resultant
>       initialize_winbind_groups.sh
>          and
>       initialize_winbind_users.sh
>
>    should give you repeatable results, if you then took those scripts
>    over to ANOTHER winbindd machine, and ran them after newly joining IT
>    to the domain and starting up winbindd - That is to say, both
>    machines would agree as to the uid and gid mapping to the WIN2k
>    domain users and groups.  Of course, if new users are added, these
>    machines could get out of sync, as the new users attached to each
>    machine possibly in different order.
> 
> The other way I envisioned using these was more in a disaster recovery
> mode, as you mentioned.
> 
> Run these scripts every night as part of your backup, and you should
> generate a uid/username and gid/groupname log that you could then use
> with wbinfo to reassign mapping in the event of a loss/corruption of the
> tdb...
> 
> Hope this helps,
> Don
> 
> btw - I don't imagine this scales very well - I didn't write it for
> speed... ;->
> 
> -----Original Message-----
> From: Michael Steffens [mailto:michael_steffens at hp.com]
> Sent: Tuesday, February 05, 2002 5:43 AM
> To: samba-technical at samba.org
> Subject: winbindd_idmap.tdb recovery
> 
> Hi,
> 
> I'm a bit concerned about how to recover winbindd_idmap.tdb,
> in case it should ever be trashed, for whichever reason.
> 
> Are there any recommended or proposed ways for doing this?
> 
> What I'm dreaming of is a way of creating a plain text dump
> of this file, which can be backed up and be used for repairing
> winbindd_idmap.tdb in case of disaster.
> 
> Even better if winbindd could also log all newly created mappings
> in the same plain text format into an ID mapping log.
> 
> Using plain text for this purpose would have the advantage
> that merging, checking consistency, applying corrections, or
> chown'ing through the file system, could be done with standard
> Unix methods and adjusted to what has actually happened.
> 
> Cheers!
> Michael
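
Added example, not part of the original thread or of Samba: a consistency check over two plain-text ID mapping logs of the kind the thread asks for, reporting where two winbindd hosts disagree. The line format `<unix-id> <DOMAIN\name>`, the function name `idmap_check` and the sample accounts are assumptions; the thread defines no dump format.

```shell
#!/bin/sh
# Assumed line format (the thread defines none): "<unix-id> <DOMAIN\name>"
# idmap_check FILE_A FILE_B: prints one sorted line per inconsistency and
# returns 0 only if the two logs agree.
idmap_check() {
    out=$(awk '
    /^[ \t]*(#|$)/ { next }                       # blank lines, comments
    $1 !~ /^[0-9]+$/ || NF < 2 { printf "BADLINE %s:%d\n", FILENAME, FNR; next }
    {
        f = (FILENAME == ARGV[1]) ? "A" : "B"
        id = $1 + 0
        name = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", name)
        key = tolower(name)      # NT account names are case-insensitive
        # Within one log, a name has exactly one id and an id exactly one name.
        if (((f, key) in ids) && ids[f, key] != id)
            printf "DUPNAME %s %s %d %d\n", f, key, ids[f, key], id
        if (((f, id) in names) && names[f, id] != key)
            printf "DUPID %s %d %s %s\n", f, id, names[f, id], key
        ids[f, key] = id; names[f, id] = key; seen[key]; seenid[id]
    }
    END {
        # Across logs: same account on different ids, or one id reused.
        for (k in seen)
            if ((("A", k) in ids) && (("B", k) in ids) && ids["A", k] != ids["B", k])
                printf "MISMATCH %s A=%d B=%d\n", k, ids["A", k], ids["B", k]
        for (i in seenid)
            if ((("A", i) in names) && (("B", i) in names) && names["A", i] != names["B", i])
                printf "COLLISION %d A=%s B=%s\n", i, names["A", i], names["B", i]
    }' "$1" "$2" | sort)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample logs from two winbindd hosts (not real accounts).
tmp=$(mktemp -d)
cat > "$tmp/hostA.map" <<'EOF'
10000 DOM1\alice
10001 DOM1\bob
10002 DOM2\carol
EOF
cat > "$tmp/hostB.map" <<'EOF'
10000 DOM1\alice
10001 DOM2\carol
10002 DOM1\Bob
EOF
idmap_check "$tmp/hostA.map" "$tmp/hostB.map" || echo "logs disagree"
```

A COLLISION line marks a numeric id that names different accounts on the two hosts, so files restored or shared between them by numeric owner would belong to the wrong account.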



