Troubleshoot the AD Bridge Cache

If a cache becomes corrupted or if certain conditions occur, you may need to clear caches.

Clear the Authentication Cache

There are certain conditions under which you might need to clear the cache so that a user's ID is recognized on a target computer.

By default, the user's ID is cached for 4 hours. If you change a user's UID for an AD Bridge cell with AD Bridge Enterprise, during the 4 hours after you change the UID you must clear the cache on a target computer in the cell before the user can log on. If you do not clear the cache after changing the UID, the computer will find the old UID until the cache expires.

One AD Bridge Enterprise Group Policy setting can affect the cache time: Cache Expiration Time. This policy setting stores UID-SID mappings, user and group enumeration lists, getgrnam(), and getpwnam(). Its default expiration time is 4 hours.

For more information about this policy setting, see the AD Bridge Group Policy Reference Guide.

While you are deploying and testing AD Bridge Enterprise, set the cache expiration time of the AD Bridge Enterprise agent's cache to a short period of time, such as 1 minute.

Clear the Cache on a Unix or Linux Computer

To delete all the users and groups from the AD Bridge Enterprise AD provider cache on a Linux or Unix computer, execute the following command with superuser privileges:

/opt/pbis/bin/ad-cache --delete-all

You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting. Here is an example:

[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound:      1
[root@rhel5d bin]# 

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/ad-cache --help

Clear the Cache on a macOS Computer

On a macOS computer, clear the DirectoryService cache (not the AD Bridge Enterprise cache) by running the following command with superuser privileges in Terminal:

dscacheutil -flushcache

Clear a Corrupted SQLite Cache

To clear the cache when AD Bridge is caching credentials in its SQLite database and the entries in the cache are corrupted, use the following procedure for your type of operating system.

On a Mac, execute these commands as sudo. To do so, precede each command with sudo.

Clear the SQLite cache:

  1. Stop the AD Bridge Enterprise authentication service by executing the following command as root: /opt/pbis/bin/lwsm stop lsass.
  2. Clear the AD-provider cache and the local-provider cache by removing the following two files, subsituting a fully-qualified domain name for FQDN:
    • rm -f /var/lib/pbis/db/lsass-adcache.filedb.FQDN
      rm -f /var/lib/pbis/db/lsass-local.db

 

Do not delete the other .db files in the /var/lib/pbis/db directory.

  1. Start the AD Bridge Enterprise authentication service: /opt/pbis/bin/lwsm start lsass.