DC affinity for winbind

Isaac Boukris iboukris at gmail.com
Mon Dec 11 12:44:23 UTC 2017


Hello,

I am trying to restrict winbind to only authenticate users against one
given DC, by specifying the DC in smb.conf option 'password server'.

According to the doc:
By specifying the name of a domain controller with this option, and
using security = [ads|domain] it is possible to get Samba to do all
its username/password validation using a specific remote server.

This works fine; however, it seems that winbind saves the old DC in
cache, so if I shut down winbind, change 'password server' to a new DC,
and restart winbind, then it still uses the old DC.

The debug output shows the following:
wb.networking:22436:1512636602.818817:Thu Dec  7 10:50:02 2017:
connection_ok: Connection to (null) for domain NETWORKING is not
connected
wb.networking:22436:1512636602.818879:Thu Dec  7 10:50:02 2017:
Opening cache file at /usr/var/cache/gencache.tdb
wb.networking:22436:1512636602.818965:Thu Dec  7 10:50:02 2017:
Opening cache file at
/usr/var/lib/samba/.networking/gencache_notrans.tdb
wb.networking:22436:1512636602.819031:Thu Dec  7 10:50:02 2017: Adding
cache entry with key=[SAFJOIN/DOMAIN/NETWORKING] and timeout=[Thu Jan
1 02:00:00 AM 1970 IST] (-1512636601 seconds in the past)
wb.networking:22436:1512636602.819097:Thu Dec  7 10:50:02 2017: Could
not get allrecord lock on gencache_notrans.tdb: Locking error
wb.networking:22436:1512636602.819157:Thu Dec  7 10:50:02 2017:
saf_fetch: Returning "NDC3.networking.lab.com" for "NETWORKING" domain
wb.networking:22436:1512636602.819219:Thu Dec  7 10:50:02 2017: Adding
cache entry with
key=[NEG_CONN_CACHE/NETWORKING,NDC3.networking.lab.com] and
timeout=[Thu Jan  1 02:00:00 AM 1970 IST] (-1512636601 seconds in the
past)

To work around this issue, I use 'net cache del ..' to clear the cache
before restarting winbind.

Is this a bug? If so, how best to address it?

Thanks,
Isaac B.
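
Added example, not part of the original post and not Samba code: a small check that reads winbind debug output for `saf_fetch` results and reports any DC that is not listed in the `password server` setting in smb.conf. The function names, the replacement DC `NDC4.networking.lab.com` and the smb.conf fragment are constructed for illustration; hostnames are compared as exact case-insensitive strings.

```python
import re

# Constructed sample: a winbind debug entry, line-wrapped as in the post above.
SAMPLE_LOG = '''wb.networking:22436:1512636602.819157:Thu Dec  7 10:50:02 2017:
saf_fetch: Returning "NDC3.networking.lab.com" for "NETWORKING" domain
'''

# Constructed smb.conf fragment; NDC4 is a made-up replacement DC.
SAMPLE_CONF = '''[global]
    security = ads
    workgroup = NETWORKING
    password server = NDC4.networking.lab.com
'''

SAF_RE = re.compile(r'saf_fetch: Returning "([^"]+)" for "([^"]+)" domain')


def password_servers(conf_text):
    """Return the lower-cased 'password server' list from [global]."""
    section, servers = None, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if " ".join(key.lower().split()) == "password server":
                servers = [s.lower() for s in re.split(r"[,\s]+", value.strip()) if s]
    return servers


def stale_saf_entries(log_text, conf_text):
    """List (domain, dc) pairs where the cached DC is not a configured server."""
    allowed = password_servers(conf_text)
    # No restriction configured, or '*' (automatic DC lookup) present: nothing to flag.
    if not allowed or "*" in allowed:
        return []
    flat = " ".join(log_text.split())  # undo line wrapping inside log entries
    return [(domain, dc) for dc, domain in SAF_RE.findall(flat)
            if dc.lower() not in allowed]


if __name__ == "__main__":
    for domain, dc in stale_saf_entries(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{domain}: cached DC {dc} is not in 'password server'")
```
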



More information about the samba-technical mailing list