On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> You won't lose connectivity anyway. winbindd will just have to go
> through DC lookup again in certain scenarios.

This is exactly what I'd like to avoid. As I wrote in another message in this thread, it appears that switching DC shortly after domain join causes machine authentication failures until the new machine account gets replicated. If I'm not mistaken, I can use 'wbinfo --ping-dc' to find out the DC that winbindd is currently connected to. Is there a way for me to use that info then to force winbindd to connect to the same DC after restart?

Alternatively,

On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> There's no tool to do that currently, but it would be trivial to write one.

would you be able to point someone unfamiliar with the Samba codebase where they should start looking to figure out how to do that?

Thanks!

> On 18.10.2019 at 21:38, Alexey A Nikitin <nikitin at amazon.com> wrote:
>
> On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
>> You won't lose connectivity anyway. winbindd will just have to go
>> through DC lookup again in certain scenarios.
>
> This is exactly what I'd like to avoid.

as long as you don't restart winbindd it will continue to use the currently selected DC.

> As I wrote in another message in this thread, it appears that switching DC shortly after domain join causes machine authentication failures until the new machine account gets replicated.

yes, we've seen that too iirc. So again, if you just run net cache flush *without restarting winbindd* you should be fine.

> If I'm not mistaken, I can use 'wbinfo --ping-dc' to find out the DC that winbindd is currently connected to. Is there a way for me to use that info then to force winbindd to connect to the same DC after restart?

Hm, you could try to set that entry in the cache. Isn't there a net cache set?

> Alternatively,
>
> On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
>> There's no tool to do that currently, but it would be trivial to write one.
>
> would you be able to point someone unfamiliar with the Samba codebase where they should start looking to figure out how to do that?

https://git.samba.org/?p=samba.git;a=blob;f=source3/utils/net_cache.c;h=5691f04d8d6827db011e308c7da7615085c96b6f;hb=HEAD#l335

Implement a similar function with an iterate callback that looks at the key prefix.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46

On Friday, 18 October 2019 13:11:55 PDT Ralph Böhme wrote:
>
> > On 18.10.2019 at 21:38, Alexey A Nikitin <nikitin at amazon.com> wrote:
> >
> > On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> >> You won't lose connectivity anyway. winbindd will just have to go
> >> through DC lookup again in certain scenarios.
> >
> > This is exactly what I'd like to avoid.
>
> as long as you don't restart winbindd it will continue to use the currently selected DC.
>
> > As I wrote in another message in this thread, it appears that switching DC shortly after domain join causes machine authentication failures until the new machine account gets replicated.
>
> yes, we've seen that too iirc. So again, if you just run net cache flush *without restarting winbindd* you should be fine.
>

K, if I can't get autorid range pre-allocation to work I'll see if I can flush the cache without winbindd restart. In the past that didn't seem to have an effect on SID-to-UID mapping, I was still getting old UID from tdb instead of new UID based on rid config, but maybe there is something else I was missing.

> > If I'm not mistaken, I can use 'wbinfo --ping-dc' to find out the DC that winbindd is currently connected to. Is there a way for me to use that info then to force winbindd to connect to the same DC after restart?
>
> Hm, you could try to set that entry in the cache. Isn't there a net cache set?
>

K, I'll look into that as well if I can't get even the cache flush without restart to give me what I want.

> > Alternatively,
> >
> > On Friday, 18 October 2019 12:24:46 PDT Ralph Boehme wrote:
> >> There's no tool to do that currently, but it would be trivial to write one.
> >
> > would you be able to point someone unfamiliar with the Samba codebase where they should start looking to figure out how to do that?
>
> https://git.samba.org/?p=samba.git;a=blob;f=source3/utils/net_cache.c;h=5691f04d8d6827db011e308c7da7615085c96b6f;hb=HEAD#l335
>
> Implement a similar function with an iterate callback that looks at the key prefix.
>

Awesome, thank you very much, that certainly saves me some time!

Thanks again, you guys are awesome!