[Samba] Winbind and caching - idmap, DC

Alexey A Nikitin nikitin at amazon.com
Fri Oct 18 20:20:32 UTC 2019


On Friday, 18 October 2019 13:11:55 PDT Ralph Böhme wrote:
> 
> > On 18.10.2019 at 21:38, Alexey A Nikitin <nikitin at amazon.com> wrote:
> > 
> > On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> >> You won't lose connectivity anyway. winbindd will just have to go
> >> through DC lookup again in certain scenarios.
> > 
> > This is exactly what I'd like to avoid.
> 
> as long as you don't restart winbindd it will continue to use the currently selected DC.
> 
> > As I wrote in another message in this thread, it appears that switching DC shortly after domain join causes machine authentication failures until the new machine account gets replicated.
> 
> yes, we've seen that too iirc. So again, if you just run net cache flush *without restarting winbindd* you should be fine.
> 
K, if I can't get autorid range pre-allocation to work I'll see if I can flush the cache without winbindd restart. In the past that didn't seem to have an effect on SID-to-UID mapping, I was still getting old UID from tdb instead of new UID based on rid config, but maybe there is something else I was missing.

> > If I'm not mistaken, I can use 'wbinfo --ping-dc' to find out the DC that winbindd is currently connected to. Is there a way for me to use that info then to force winbindd to connect to the same DC after restart?
> 
> Hm, you could try to set that entry in the cache. Isn't there a net cache set?
> 
K, I'll look into that as well if I can't get even the cache flush without restart to give me what I want.

> > Alternatively,
> > 
> > On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> >> There's no tool to do that currently, but it would be trivial to write one.
> > 
> > would you be able to point someone unfamiliar with the Samba codebase where they should start looking to figure out how to do that?
> 
> https://git.samba.org/?p=samba.git;a=blob;f=source3/utils/net_cache.c;h=5691f04d8d6827db011e308c7da7615085c96b6f;hb=HEAD#l335
> 
> Implement a similar function with an iterate callback that looks at the key prefix.
> 
Awesome, thank you very much, that certainly saves me some time!

Thanks again, you guys are awesome!