Caches and Databases in AD Bridge

To maintain the current state and to improve performance, the AD Bridge authentication service (lsass) caches information about users and groups in memory.

You can change the cache to store the information in an SQLite database.

For more information, see the AD Bridge Administration Guide.

The AD Bridge site affinity service, netlogon, caches information about the optimal domain controller and global catalog in the AD Bridge registry.

The following files are in /var/lib/pbis/db:

File                          Description

registry.db                   The SQLite 3.0 database in which the AD Bridge registry service, lwreg, stores data.

sam.db                        Repository managed by the local authentication provider to store information about local users and groups.

lwi_events.db                 The database in which the event logging service, eventlog, records events.

lsass-adcache.filedb.FQDN     Cache managed by the Active Directory authentication provider to store user and group information. The file is in /var/lib/pbis/db. In the name of the file, FQDN is replaced by your fully qualified domain name.

Because the default UIDs that AD Bridge generates are large, the entries the operating system writes to the lastlog file when AD users log in make the file appear to grow to a very large size. This is normal and is not cause for concern. The lastlog file (typically /var/log/lastlog) is a sparse file that uses the UID and GID of the users as disk addresses to store the last-login information. Because it is a sparse file, the actual amount of storage it uses is minimal.
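The following script, added here as an illustration and not part of AD Bridge, reproduces the effect described above on a throwaway file: it writes a single login record at the offset a large UID maps to and then compares the apparent size with the blocks actually allocated. It assumes the glibc lastlog record layout (a 4-byte time, a 32-byte line and a 256-byte host, 292 bytes in total) and a filesystem that supports holes; the UID, line and host values are constructed.

```python
"""Added example, not AD Bridge code: show why a lastlog file written for a
large UID reports a huge size while consuming almost no disk.

Assumption: a lastlog record is 292 bytes (glibc struct lastlog on Linux:
int32 time, char[32] line, char[256] host), and the file is indexed by UID.
"""
import os
import struct
import tempfile
import time

LASTLOG_RECORD_SIZE = 292  # assumed glibc layout, see module docstring


def pack_lastlog_record(login_time: int, line: str, host: str) -> bytes:
    """Build one record: int32 time, char[32] line, char[256] host (NUL padded)."""
    return struct.pack("<i32s256s", login_time, line.encode(), host.encode())


def write_lastlog_entry(path: str, uid: int, record: bytes) -> None:
    """Store a record at offset uid * record size, as the login tools do.

    Seeking past the current end of file and writing leaves a hole, so no
    disk blocks are allocated for the gap between UID 0 and this UID.
    """
    mode = "r+b" if os.path.exists(path) else "wb"
    with open(path, mode) as f:
        f.seek(uid * LASTLOG_RECORD_SIZE)
        f.write(record)


def lastlog_sizes(path: str) -> dict:
    """Return the apparent size (what ls -l shows) and the bytes really allocated."""
    st = os.stat(path)
    return {"apparent": st.st_size, "allocated": st.st_blocks * 512}


def demo(uid: int = 1_000_000) -> dict:
    """Write one login for a large, AD Bridge style UID into a fresh lastlog."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lastlog")
        # Constructed sample login: terminal and host are placeholders.
        record = pack_lastlog_record(int(time.time()), "pts/0", "ws01.example.com")
        write_lastlog_entry(path, uid, record)
        sizes = lastlog_sizes(path)
    sizes["uid"] = uid
    return sizes


if __name__ == "__main__":
    result = demo()
    print(f"UID {result['uid']}: apparent size {result['apparent']:,} bytes, "
          f"allocated {result['allocated']:,} bytes")
```

The apparent size is (UID + 1) times the record size, so a UID around one million already shows as a few hundred megabytes, while the allocated figure stays at a block or two; `du -h /var/log/lastlog` versus `ls -lh /var/log/lastlog` shows the same contrast on a real system.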

Additional information about a computer's Active Directory domain name, machine account, site affinity, domain controllers, forest, the computer's join state, and so forth is stored in the AD Bridge registry. Here is an example of the kind of information that is stored under the netlogon key:

[HKEY_THIS_MACHINE\Services\netlogon\cachedb\example.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="example.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.example.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="example.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="EXAMPLE"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="example.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""
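When troubleshooting site affinity it helps to read this cache entry programmatically rather than by eye. The script below is an added example, not AD Bridge's own tooling: it parses the export shown above (embedded verbatim as sample input), converts the dword and hex values, and decodes the binary fields. Two interpretations are assumptions, not stated by the page: that DcInfo-DomainGUID is a Windows GUID in its little-endian binary layout, and that LastDiscovered and LastPinged are 64-bit little-endian Unix timestamps. The check of bit 0x100 in DcInfo-Flags assumes the flags mirror the DS_WRITABLE_FLAG bit of the Windows DsGetDcName API.

```python
"""Added example, not AD Bridge code: parse a netlogon cachedb registry export
and decode its binary fields so the cached DC choice can be inspected.

Assumptions (not confirmed by the page): DcInfo-DomainGUID is a GUID in
little-endian binary layout; LastDiscovered/LastPinged are 64-bit
little-endian Unix timestamps; DcInfo-Flags uses DsGetDcName DS_* bits.
"""
import re
import uuid
from datetime import datetime, timezone

# The netlogon cache entry from the page, used here as sample input.
SAMPLE_EXPORT = r"""
[HKEY_THIS_MACHINE\Services\netlogon\cachedb\example.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="example.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.example.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="example.com"
"DcInfo-NetBIOSDomainName"="EXAMPLE"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DnsDomainName"="example.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

DS_WRITABLE_FLAG = 0x100  # assumed: DsGetDcName flag bit for a writable DC


def parse_reg_value(raw: str):
    """Convert one registry value: "text", dword:hex, or hex:aa,bb,... bytes."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return bytes.fromhex(raw[len("hex:"):].replace(",", ""))
    raise ValueError(f"unsupported registry value syntax: {raw!r}")


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: value}} for a .reg style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = keys.setdefault(key_match.group(1), {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            current[value_match.group(1)] = parse_reg_value(value_match.group(2))
    return keys


def decode_dc_cache(values: dict) -> dict:
    """Decode the binary fields of one cachedb entry into readable form."""
    discovered = int.from_bytes(values["LastDiscovered"], "little")
    pinged = int.from_bytes(values["LastPinged"], "little")
    return {
        "dc": values["DcInfo-DomainControllerName"],
        "address": values["DcInfo-DomainControllerAddress"],
        "client_site": values["DcInfo-ClientSiteName"],
        "domain_guid": str(uuid.UUID(bytes_le=values["DcInfo-DomainGUID"])),
        "flags": f"0x{values['DcInfo-Flags']:x}",
        "writable": bool(values["DcInfo-Flags"] & DS_WRITABLE_FLAG),
        "last_discovered": discovered,
        "last_pinged": pinged,
        "last_pinged_utc": datetime.fromtimestamp(pinged, tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for key, values in parse_reg_export(SAMPLE_EXPORT).items():
        print(key)
        for name, value in decode_dc_cache(values).items():
            print(f"  {name}: {value}")
```

On a live system the same export can be produced with the AD Bridge registry tools and piped into the parser; a stale LastPinged or a cached DC that is not writable is usually the first thing to look at when joins or password changes fail after a network move.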

Name Service Caching Daemon (NSCD)

If nscd is not disabled, clear its cache after a domain join by restarting or reloading the service (service nscd restart or service nscd reload).

For optimal efficiency, AD Bridge best practice is to disable the nscd cache in its configuration file, /etc/nscd.conf. If you encounter issues on a system that is running nscd, turn nscd off.
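The following shell snippet is an added example, not an AD Bridge tool: it reads an nscd.conf, lists the databases whose caching is enabled, and writes a copy with every enable-cache line switched to no, which is the setting this section recommends. The configuration it works on is a constructed sample written to a temporary file; on a real system you would point the functions at /etc/nscd.conf and restart nscd afterwards.

```shell
#!/bin/sh
# Added example (not AD Bridge's own tooling): audit which nscd caches a
# config enables and produce a hardened copy with all of them disabled.

# Constructed sample of /etc/nscd.conf; the real file has the same syntax.
NSCD_SAMPLE=$(mktemp)
cat > "$NSCD_SAMPLE" <<'EOF'
# constructed sample nscd.conf
    logfile                 /var/log/nscd.log
    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    enable-cache            group           yes
    enable-cache            hosts           yes
    enable-cache            services        no
    enable-cache            netgroup        yes
EOF

# Print, one per line, the databases whose cache the config enables.
nscd_enabled_caches() {
    awk '$1 == "enable-cache" && $3 == "yes" { print $2 }' "$1"
}

# Write a copy of config $1 to $2 with every "enable-cache ... yes" set to no.
# Comments and unrelated directives are passed through unchanged.
nscd_disable_all_caches() {
    sed -E 's/^([[:space:]]*enable-cache[[:space:]]+[[:alnum:]_]+[[:space:]]+)yes[[:space:]]*$/\1no/' \
        "$1" > "$2"
}

HARDENED=$(mktemp)
nscd_disable_all_caches "$NSCD_SAMPLE" "$HARDENED"
echo "caches enabled before: $(nscd_enabled_caches "$NSCD_SAMPLE" | tr '\n' ' ')"
echo "caches enabled after:  $(nscd_enabled_caches "$HARDENED" | tr '\n' ' ')"
```

After replacing /etc/nscd.conf with the hardened copy, restart nscd (or stop it entirely) so the running daemon picks up the change; otherwise the old passwd and group entries stay cached until their time-to-live expires.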

Cached Credentials

AD Bridge caches credentials so that users can log on when their Linux or Unix computer is disconnected from the network or if their Active Directory services are unavailable.