8

We have successfully deployed AD authentication using Samba and Winbind (idmap_ad) across six Centos 6 servers and have been running happily for a few months now.

One of the servers has stopped resolving one particular username (# id username), this AD user resolves on all other servers and all other users resolve on the problem server.

I think this may be caused by a corrupt winbindd_idmap.tdb. Now, the easiest way to check this is to stop winbind, delete the file, restart samba and start winbind, then try again. My problem is that there is currently a change freeze in place and we would have to raise RFCs etc. to test the theory.

My question is: Is it possible to clear the winbind cache without restarting the service?

Or if you think it's something else, please feel free to step in!

Thanks


UPDATE:

Change freeze now finished.

I have deleted winbindd_idmap.tdb and also winbindd_cache.tdb and restarted winbind. This has not resolved it.

Also, the server does not resolve random new users (some it does, some it doesn't). I'm having trouble figuring this out.

Can anyone help?

Sven
malco

6 Answers

19

Now resolved, this worked for me:

Cleared all Winbind caches and flushed net cache.

Remember to take a backup before deleting anything!

Stop the Winbind and Samba services:

service winbind stop
service smb stop

Clear the Samba Net cache:

net cache flush

Delete the Winbind caches:

rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb

Start the Samba service and then the Winbind service. Note: the order is important.

service smb start
service winbind start

Test it by trying to resolve a user.

John C
malco
  • NOTE: serverfault won't let me edit the above, but the dash in the "rm -f" commands is incorrectly a Unicode dash instead of an ASCII dash. When cut and pasting, be sure to replace the dash character. – dmansfield Jul 14 '16 at 15:52
  • Updated to replace the dash. – John C Sep 06 '16 at 08:45
  • That was very useful, thank you for sharing your experience! Just for me it was not needed to remove the winbind caches. – Mohammed Noureldin Dec 05 '16 at 14:38
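The accepted answer's steps collected into one script, as an added example that is not from the answer, from Samba or from the asker's servers. It takes the backup the answer asks for before deleting anything, flushes the net cache, removes the tdb files, restarts smb before winbind as the answer stresses, and re-tests the user that failed to resolve. The paths and service names are the answer's CentOS 6 ones; SAMBA_DIR, BACKUP_ROOT, the function names and the --run switch are this example's own.

```shell
#!/bin/sh
# Added example: wraps the accepted answer's cache-clearing procedure so that
# the tdb files are backed up before they are removed. Not part of the answer.
set -e

# Paths from the answer (CentOS 6 layout); both can be overridden in the environment.
SAMBA_DIR="${SAMBA_DIR:-/var/lib/samba}"
BACKUP_ROOT="${BACKUP_ROOT:-/root/samba-cache-backup}"

# backup_tdb_files SRC DEST_ROOT
# Copies every *.tdb plus group_mapping.ldb (the files the answer deletes) from
# SRC into a timestamped directory under DEST_ROOT and prints that directory.
backup_tdb_files() {
    src="$1"
    dest="$2/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    for f in "$src"/*.tdb "$src"/group_mapping.ldb; do
        if [ -e "$f" ]; then
            cp -p "$f" "$dest/"
        fi
    done
    echo "$dest"
}

# count_cache_files DIR
# Prints how many of the deletable cache files are still present in DIR
# (0 after a clean wipe); used to confirm the rm actually removed them.
count_cache_files() {
    n=0
    for f in "$1"/*.tdb "$1"/group_mapping.ldb; do
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# clear_winbind_cache USERNAME
# The answer's procedure, run as root on the affected server, followed by an
# "id" of the user that previously would not resolve.
clear_winbind_cache() {
    user="$1"

    # 1. Stop Winbind, then Samba.
    service winbind stop
    service smb stop

    # 2. Flush the Samba net cache.
    net cache flush

    # 3. Back up, then delete, the Winbind cache files.
    backup_dir=$(backup_tdb_files "$SAMBA_DIR" "$BACKUP_ROOT")
    echo "cache files backed up to $backup_dir"
    rm -f "$SAMBA_DIR"/*.tdb
    rm -f "$SAMBA_DIR"/group_mapping.ldb
    echo "cache files remaining: $(count_cache_files "$SAMBA_DIR")"

    # 4. Start Samba first, then Winbind (the order matters).
    service smb start
    service winbind start

    # 5. Test: resolve the user that failed before.
    id "$user"
}

# The live procedure only runs when asked for explicitly, e.g.
#   sh clear_winbind_cache.sh --run problemuser
# so that sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    clear_winbind_cache "$2"
fi
```

The backup directory is printed so that the files can be copied back if resolution is worse afterwards; nothing under /var/lib/samba/private (secrets.tdb) is touched, matching the answer's rm lines.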
5

Maybe net cache flush will do.

user9517
Edgardo
2

I had to delete /var/cache/samba as well, in addition to malco's answer (on Debian and Ubuntu)

movileanuv
2
# Stop Winbind, then Samba (Debian/Ubuntu service name)
service winbind stop
service samba stop
# Remove the Samba state directory and recreate the private subdirectory
# (the join below writes secrets.tdb there)
rm -rf /var/lib/samba
mkdir -p /var/lib/samba/private
# Remove the Samba cache directory
rm -rf /var/cache/samba
# Re-join the domain, targeting a specific DC with an account allowed to join
net ads join -S "yourADserver" -U username
# Start Winbind and Samba again
service winbind start
service samba start
Tim
skyhawk
  • It would be useful if you added a bit of commentary around your answer, rather than just shell commands. – Tim Jun 15 '17 at 21:54
0

I might try testing the integrity of all the tdb files. There are a lot of tdb files.

The tdbbackup utility is a tool that may be used to back up Samba tdb files. This tool may also be used to verify the integrity of the tdb files prior to Samba startup or during normal operation. If it finds file damage it will search for a prior backup, from which the damaged tdb file will be restored. The tdbbackup utility can safely be run at any time. It was designed so that it can be used at any time to validate the integrity of tdb files, even during Samba operation.

  • Thanks, have installed tdb-tools and run tdbbackup -v *.tdb on the /var/lib/samba files including the secrets.tdb and get no errors. I really am stumped! – malco Mar 26 '13 at 17:00
0

Set 'winbind cache time' to a small value (not 0, which seems not to work) in smb.conf

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDCACHETIME

This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

This does not apply to authentication requests, these are always evaluated in real time unless the winbind offline logon option has been enabled.

Default: winbind cache time = 300

vale