[Samba] winbind stop working

Kevin Elliott kevin_elliott at ci.juneau.ak.us
Fri May 4 15:47:10 MDT 2012

So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted?

Here's my idmap cache values:

        idmap backend = tdb
        idmap alloc backend = 
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid = 10000-79999
        idmap gid = 10000-79999
        winbind separator = +
        winbind cache time = 300
        winbind reconnect delay = 30
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind expand groups = 1
        winbind nss info = template
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No

Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Friday, May 04, 2012 12:16 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind stop working
>
> I had a problem with Samba 3.0.x on Solaris 10 some time back. The
> samba servers were DCs for the domain; they were not in an ADS
> domain. However, I did have domain trusts set up, so winbind was
> required. Winbind would allocate uid's and gid's. There is a cache
> time value for either winbind or idmap (testparm -v will tell you).
> When the cache time expired the cached info was, obviously, invalid
> BUT samba/winbind would not refresh the cache. Thus users from the
> trusted domain would lose access. The cache files are local TDB
> files, even though (in my case) the idmap and other account info was
> in ldap.
>
> The cache issue was resolved when I upgraded to samba 3.4.x. However,
> it seems that winbind now can't even create new idmap entries. Since
> there is practically no personnel change in the trusted ADS domain
> this isn't really an issue; I can always add the idmap entries in
> ldap.
>
> Check your cache values. Backup and delete the idmap cache TDB files.
> (Maybe the winbind cache files as well.) Restarting winbind and typing
> "getent passwd" and "getent group" should repopulate. TDBDump command
> is useful for looking at the contents of the file if you aren't sure
> what the file is for.
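
The backup-then-delete step suggested in the quoted message, as an added shell sketch that is not part of the original thread. The file names `idmap_cache.tdb`, `winbindd_cache.tdb` and `winbindd_idmap.tdb`, and the directory you pass in, are assumptions that vary by Samba version and build. With `idmap backend = tdb` the allocated uid/gid mappings themselves live in `winbindd_idmap.tdb`, so the function copies that file but never deletes it; removing it would let SIDs be re-mapped to different ids.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed file names; check your
# Samba lock/state directory, they differ between versions and builds.

# backup_and_clear_caches <tdb-dir> <backup-dir>
# Copies the cache TDBs to <backup-dir>, verifies each copy, then removes
# the originals. Prints how many cache files were cleared.
backup_and_clear_caches() {
    dir=$1
    backup=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    mkdir -p "$backup" || return 1
    chmod 700 "$backup"          # the TDBs map SIDs to local ids; keep private

    # Mapping database for idmap backend = tdb: back up only, never delete.
    if [ -f "$dir/winbindd_idmap.tdb" ]; then
        cp -p "$dir/winbindd_idmap.tdb" "$backup/" || return 1
    fi

    cleared=0
    for f in idmap_cache.tdb winbindd_cache.tdb; do
        [ -f "$dir/$f" ] || continue                 # not present in this build
        cp -p "$dir/$f" "$backup/$f" || return 1
        cmp -s "$dir/$f" "$backup/$f" || return 1    # refuse to delete on bad copy
        rm -f "$dir/$f"
        cleared=$((cleared + 1))
    done
    echo "$cleared"
}

# Intended order on a real host (winbind must be stopped first, using
# whatever service manager the platform has):
#   1. stop winbindd
#   2. backup_and_clear_caches <tdb-dir> <backup-dir>
#   3. start winbindd
#   4. getent passwd; getent group    # repopulates, as the message says
```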
