Hello,

I have a relatively large setup where RHEL 4 is authenticating against MS W2K3 R2. Every so often a host may not be able to authenticate due to tdb corruption, and we had to rm the *.tdb and files and restart the winbind, which would create fresh tdb files. I guess Redhat acknowledged the issue here: http://kbase.redhat.com/faq/docs/DOC-4842

My question is, is this something caused by samba itself or the underlying OS? If samba, are we tracking this? I know I can use LDAP backend, but I am using RID to eliminate a layer of admin work by not entering UIDs for each user.

Any hint is appreciated.

Thanks.
~LA

Linux Addict wrote:
> Hello, I have a relatively large setup where RHEL 4 is authenticating against MS
> W2K3 R2. Every so often a host may not be able to authenticate due to tdb
> corruption, and we had to rm the *.tdb and files and restart the winbind,
> which would create fresh tdb files. I guess Redhat acknowledged the
> issue here: http://kbase.redhat.com/faq/docs/DOC-4842 My question is,
> is this something caused by samba itself or the underlying OS? If samba,
> are we tracking this? I know I can use LDAP backend, but I am using RID
> to eliminate a layer of admin work by not entering UIDs for each user.
> Any hint is appreciated.

How do you tell it is tdb corruption?
Are all tdbs corrupted or just some?
(Or why do you erase all of the tdb files?...)

TDB corruption has been seen on various versions of the reiser
file system due to broken implementations of memory mapping.
If your tdb files do reside on a reiser partition you might

1. move them to some other partition (ext3, xfs, ...) or

2. set "use mmap = no" in the [global] section of smb.conf,
   trading speed for reliability.

Generally, it is a good idea to run "tdbbackup" regularly on the
important tdb files (secrets.tdb, passdb.tdb, winbindd_idmap.tdb, ...)

Then you can simply restore your backup with "tdbbackup -v" if
corruption occurs. Also for doing file system backups, these
tdbbackup files are useful.

Cheers - Michael

--
Michael Adam <ma@sernet.de> <obnox@samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE

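The backup-and-verify routine described in the reply above, as an added example that is not part of the original thread. The directory names in the usage comment are assumptions; the function verifies each important tdb first (so "tdbbackup -v" can restore a damaged file from its .bak) and only then refreshes the backup, so a corrupt file never replaces a good copy.

```shell
#!/bin/sh
# Added example, not from the thread: periodic tdb backup with verification.
# TDBBACKUP can be overridden; by default the tdbbackup tool shipped with
# Samba is used.
TDBBACKUP="${TDBBACKUP:-tdbbackup}"
# The files named in the reply above.
TDB_FILES="secrets.tdb passdb.tdb winbindd_idmap.tdb"

# tdb_guard DIR...
# For every important tdb found in the given directories:
#   1. if a .bak already exists, run "tdbbackup -v", which checks the live
#      file and restores the .bak over it when the live file is damaged;
#   2. run "tdbbackup" to refresh the .bak from the (now known good) file.
# Prints one status line per file and returns the number of failures.
tdb_guard() {
    failed=0
    for dir in "$@"; do
        for name in $TDB_FILES; do
            f="$dir/$name"
            [ -f "$f" ] || continue
            if [ -f "$f.bak" ] && ! "$TDBBACKUP" -v "$f" >/dev/null 2>&1; then
                # Damaged and the backup could not be restored either.
                echo "FAIL verify $f"
                failed=$((failed + 1))
                continue
            fi
            if "$TDBBACKUP" "$f" >/dev/null 2>&1; then
                echo "OK $f"
            else
                # Typically a damaged file with no earlier backup to fall back on.
                echo "FAIL backup $f"
                failed=$((failed + 1))
            fi
        done
    done
    return "$failed"
}

# Run from cron with the directories that hold the tdb files, e.g.
#   tdb-guard.sh /etc/samba /var/cache/samba     (assumed locations)
if [ "$#" -gt 0 ]; then
    tdb_guard "$@"
fi
```

A non-zero exit status means at least one file needs attention before winbind is restarted.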
Michael Adam wrote:
> Linux Addict wrote:
>
>> Hello, I have a relatively large setup where RHEL 4 is authenticating against MS
>> W2K3 R2. Every so often a host may not be able to authenticate due to tdb
>> corruption, and we had to rm the *.tdb and files and restart the winbind,
>> which would create fresh tdb files. I guess Redhat acknowledged the
>> issue here: http://kbase.redhat.com/faq/docs/DOC-4842 My question is,
>> is this something caused by samba itself or the underlying OS? If samba,
>> are we tracking this? I know I can use LDAP backend, but I am using RID
>> to eliminate a layer of admin work by not entering UIDs for each user.
>> Any hint is appreciated.
>>
>
> How do you tell it is tdb corruption?
> Are all tdbs corrupted or just some?
> (Or why do you erase all of the tdb files?...)
>

The user may not be able to log in or get a message like "No Such UID". Once tdb(all) files are cleared, then it will start working.

> TDB corruption has been seen on various versions of the reiser
> file system due to broken implementations of memory mapping.
> If your tdb files do reside on a reiser partition you might
>
> 1. move them to some other partition (ext3, xfs, ...) or
>

We use ext3

> 2. set "use mmap = no" in the [global] section of smb.conf,
> trading speed for reliability.
>

I am going to try this.

> Generally, it is a good idea to run "tdbbackup" regularly on the
> important tdb files (secrets.tdb, passdb.tdb, winbindd_idmap.tdb, ...)
>
> Then you can simply restore your backup with "tdbbackup -v" if
> corruption occurs. Also for doing file system backups, these
> tdbbackup files are useful.
>

Currently we delete the tdb files and restart the winbind to create new ones. Is it not the same as restoring from backup?

My smb.conf file below. Let me know if it's not optimal.

[global]
        workgroup = DOMAIN-A
        realm = DOMAIN-A.COM
        server string = RHEL 4 x86_64
        security = ADS
        obey pam restrictions = Yes
        client NTLMv2 auth = Yes
        log level = 5
        log file = /var/log/winbind
        local master = No
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap domains = default, DOMAIN-A, DOMAIN-B
        idmap alloc backend = tdb
        idmap uid = 10000 - 99999
        idmap gid = 10000 - 99999
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind expand groups = 10
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config DOMAIN-B:range = 10000 - 99999
        idmap config DOMAIN-B:backend = rid
        idmap config DOMAIN-A:range = 100000 - 199999
        idmap config DOMAIN-A:backend = rid
        idmap config default:default = Yes
        invalid users = root

> Cheers - Michael
>
>