[Samba] TDB Corruption.
Linux Addict
linuxaddict7 at gmail.com
Thu Jan 8 15:18:33 GMT 2009
Michael Adam wrote:
> Linux Addict wrote:
>
>> Hello, I have a relatively large setup where RHEL 4 is authenticating
>> against MS W2K3 R2. Every so often a host may not be able to authenticate
>> due to tdb corruption, and we had to rm the *.tdb files and restart the
>> winbind, which would create fresh tdb files. I guess Red Hat acknowledged
>> the issue here: http://kbase.redhat.com/faq/docs/DOC-4842 My question is,
>> is this something caused by samba itself or the underlying OS? If samba,
>> are we tracking this? I know I can use an LDAP backend, but I am using RID
>> to eliminate a layer of admin work by not entering UIDs for each user.
>> Any hint is appreciated.
>>
>
> How do you tell it is tdb corruption?
> Are all tdbs corrupted or just some?
> (Or why do you erase all of the tdb files?...)
>
The user may not be able to log in, or gets a message like "No Such UID".
Once the tdb files (all of them) are cleared, it will start working.
> TDB corruption has been seen on various versions of the reiser
> file system due to broken implementations of memory mapping.
> If your tdb files do reside on a reiser partition you might
>
> 1. move them to some other partition (ext3, xfs, ...) or
>
We use ext3
> 2. set "use mmap = no" in the [global] section of smb.conf,
> trading speed for reliability.
>
I am going to try this.
> Generally, it is a good idea to run "tdbbackup" regularly on the
> important tdb files (secrets.tdb, passdb.tdb, winbindd_idmap.tdb, ...)
>
> Then you can simply restore your backup with "tdbbackup -v" if
> corruption occurs. Also for doing file system backups, these
> tdbbackup files are useful.
>
Currently we delete the tdb files and restart the winbind to create new
ones. Is it not the same as restoring from backup?
My smb.conf file is below. Let me know if it's not optimal.
[global]
workgroup = DOMAIN-A
realm = DOMAIN-A.COM
server string = RHEL 4 x86_64
security = ADS
obey pam restrictions = Yes
client NTLMv2 auth = Yes
log level = 5
log file = /var/log/winbind
local master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap domains = default, DOMAIN-A, DOMAIN-B
idmap alloc backend = tdb
idmap uid = 10000 - 99999
idmap gid = 10000 - 99999
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 10
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config DOMAIN-B:range = 10000 - 99999
idmap config DOMAIN-B:backend = rid
idmap config DOMAIN-A:range = 100000 - 199999
idmap config DOMAIN-A:backend = rid
idmap config default:default = Yes
invalid users = root
> Cheers - Michael
>
>
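The tdbbackup routine suggested in the quoted reply, written out as an added example that is not part of the original thread. It assumes tdbbackup is on PATH and that the directories holding the tdb files are passed as arguments (the thread does not give their location); the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumptions: tdbbackup is on PATH; the directories holding the tdb files
# are passed as arguments (their location is not given in the thread).
TDBBACKUP="${TDBBACKUP:-tdbbackup}"
SUFFIX="${SUFFIX:-.bak}"
# The files the thread names as important.
IMPORTANT="secrets.tdb passdb.tdb winbindd_idmap.tdb"

# run_tdbbackup MODE FILE
#   backup: write FILE$SUFFIX
#   verify: check FILE; tdbbackup -v restores it from FILE$SUFFIX if corrupt
run_tdbbackup() {
    case $1 in
        backup) "$TDBBACKUP" -s "$SUFFIX" "$2" ;;
        verify) "$TDBBACKUP" -v -s "$SUFFIX" "$2" ;;
        *) return 2 ;;
    esac
}

# for_each_tdb MODE DIR...
# Returns the number of files for which tdbbackup failed.
for_each_tdb() {
    mode=$1; shift
    failures=0
    # secrets.tdb holds the machine account password; keep new files private.
    umask 077
    for dir in "$@"; do
        for name in $IMPORTANT; do
            f="$dir/$name"
            [ -f "$f" ] || continue
            if run_tdbbackup "$mode" "$f"; then
                echo "$mode ok: $f"
            else
                echo "$mode FAILED: $f" >&2
                failures=$((failures + 1))
            fi
        done
    done
    return "$failures"
}

# Usage: script backup|verify DIR...
if [ "$#" -ge 2 ]; then
    for_each_tdb "$@"
    exit $?
fi
```

Run with "backup" from cron, and with "verify" when logins start failing; a non-zero exit status is the number of files tdbbackup could not back up or restore.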