[Samba] NEG_CONN_CACHE questions

Jeremy Allison jra at samba.org
Wed May 27 23:21:31 UTC 2020

On Wed, May 27, 2020 at 12:54:49PM -0700, Alexey A Nikitin via samba wrote:
> I've tried searching manuals and wiki, but I can't seem to find any specifics about NEG_CONN_CACHE entries other than 'idmap negative cache time' option in smb.conf, which refers to SID/UID/GID queries and not unavailable DCs.
> Specifically the issue I've run into recently is that with 'winbind max domain connections' set to 10 I saw Winbind had a single active connection to the DC on port 49159 (RPC pipe from LSA/SAM/NetLogon, from what I understand), but it was trying to establish a second connection to serve an incoming auth request and it was failing to do so during DC location, because at some point it tried to do a NetLogon ping to both DCs (domain has only two) and for both the ping timed out, and then it put both DCs into negative cache and during the DC location process was left with no candidate DCs after negative cache entry elimination from the list. So my questions are:
> 1. What's the default NEG_CONN_CACHE TTL?

60 seconds.


> 2. Is there a way to control NEG_CONN_CACHE, either TTL or contents? Is there a way to force Winbind to try connecting to the DCs it didn't have success with before? 'net cache flush' didn't seem to have much effect.
> 3. Are the rules for how a DC gets put into NEG_CONN_CACHE documented anywhere besides the code itself, or is wading through the code my only option of getting to know the criteria?

Only in the code I think, added in:


Can be cleared by:

flush_negative_conn_cache_for_domain(), which is triggered
by winbindd getting a request to go online.
