So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted?
Here's my idmap cache values:

idmap backend = tdb
idmap alloc backend =
idmap cache time = 604800
idmap negative cache time = 120
idmap uid = 10000-79999
idmap gid = 10000-79999
winbind separator = +
winbind cache time = 300
winbind reconnect delay = 30
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

> -----Original Message-----
> From: samba-boun...@lists.samba.org
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Friday, May 04, 2012 12:16 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] winbind stop working
>
> I had a problem with Samba 3.0.x on Solaris 10 some time back. The
> samba servers were DC's for the domain- they were not in an ADS
> domain. However I did have domain trusts set up so winbind was
> required. Winbind would allocate uid's and gid's. There is a cache
> time value for either winbind or idmap (testparm -v will tell you.)
> When the cache time expired the cached info was - obviously - invalid
> BUT samba/winbind would not refresh the cache. Thus users from the
> trusted domain would lose access. The cache files are local TDB
> files- even tho (in case) the idmap and other account info was in
> ldap.
>
> The cache issue was resolved when I upgraded to samba 3.4.x. However,
> it seems that winbind now can't even create new idmap entries. Since
> there is practically no personnel change in the trusted ADS domain
> this isn't really an issue- I can always add the idmap entries in
> ldap.
>
> Check your cache values. Backup and delete the idmap cache TDB files.
> (Maybe the winbind cache files as well) Restarting winbind and typing
> "getent passwd" and "getent group" should repopulate.
> TDBDump command is useful for looking at the contents of the file if
> you aren't sure what the file is for.