winbind cache issue for NDR entries

Rowland Penny rpenny at samba.org
Fri Jan 29 14:32:10 UTC 2021


On 29/01/2021 14:09, Shilpa K via samba-technical wrote:
> Hello,
>
> We had a customer report that the users were not able to login for about
> 30 minutes and the problem cleared itself in almost about 30 minutes. They
> are using Samba as a member server in a domain which has 2 way trust with
> another domain (say ABC.COM). Upon investigation, we found that there was a
> problem with trusted domain DCs for a very short duration as per the event
> log on the DC of the primary domain. This problem seems to have been
> cleared away after a short duration. Around the same time, a user belonging
> to a trusted domain mapped Samba share and encountered a problem. At this
> time, looks like NDR cache entry for trusted domain group "Domain Users"
> was added in winbindd_cache.tdb to indicate that there was a lookup problem
> and the status NT_STATUS_TRUSTED_DOMAIN_FAILURE was stored as part of this
> entry. Once the issue with trusted domain DC was cleared and the domain was
> back online, when users tried to login, PAM_AUTH was successful for the
> users but getpwnam failed while looking up SID for "Domain Users". This
> failure was returned from the entry in the winbindd_cache.tdb as
> wcache_fetch_ndr() succeeded for this entry. Due to this, users belonging
> to the trusted domain were not able to login. Once the cache was expired,
> getpwnam succeeded for trusted domain users and the shares could be mapped.
> In order to resolve this issue, should we not refresh the sequence number
> when the domain goes online? Btw, we are using "winbind cache time = 1800".
>
> Thanks,
> Shilpa

Hi Shilpa, not sure about the NDR part of this but you say that once the 
cache expires, everything works again, but you have problems for about 
30 minutes and that you have 'winbind cache time = 1800' set in 
smb.conf. Are you aware that 1800 / 60 equals '30' ? Try removing that 
line and revert to 5 mins cache, it might just fix your problem 😁

Rowland
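
The failure mode described in the quoted report, and the effect of both the suggested sequence-number refresh and a shorter cache time, as an added example that is not part of the original thread and is not Samba code. It is a simplified model: the `LookupCache` class, the `refresh_on_online` switch and the timeline are assumptions for illustration, and the entry-validity rule (stored sequence number matches and timeout not reached) is a simplification of what winbindd does.

```python
# Simplified model of a lookup cache that also stores failure results.
# Not Samba source; names and the validity rule are illustrative assumptions.
OK = "NT_STATUS_OK"
FAIL = "NT_STATUS_TRUSTED_DOMAIN_FAILURE"


class LookupCache:
    def __init__(self, cache_time, refresh_on_online=False):
        self.cache_time = cache_time              # models "winbind cache time"
        self.refresh_on_online = refresh_on_online  # hypothetical fix switch
        self.online = True
        self.seq = 1          # domain sequence number as known to the cache
        self.entries = {}     # name -> (status, seq, expires_at)

    def set_online(self, online):
        self.online = online
        if online and self.refresh_on_online:
            # Hypothetical fix: a new sequence number on the offline->online
            # transition makes entries stored during the outage stale.
            self.seq += 1

    def lookup(self, name, now):
        entry = self.entries.get(name)
        if entry is not None:
            status, seq, expires_at = entry
            if seq == self.seq and now < expires_at:
                return status, "cache"    # failures are served from here too
        status = OK if self.online else FAIL      # ask the (modelled) DC
        self.entries[name] = (status, self.seq, now + self.cache_time)
        return status, "dc"


def replay(cache_time, refresh_on_online):
    """Constructed timeline: DC outage at t=0, domain back online at t=60."""
    cache = LookupCache(cache_time, refresh_on_online)
    results = []
    cache.set_online(False)
    results.append((0,) + cache.lookup("ABC\\Domain Users", 0))
    cache.set_online(True)                        # t=60, trusted DC recovers
    for t in (120, 1799, 1800):
        results.append((t,) + cache.lookup("ABC\\Domain Users", t))
    return results


if __name__ == "__main__":
    for args in ((1800, False), (1800, True), (300, False)):
        print(args, replay(*args))
```
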



