Jordan Brown wrote:
> However, in your case I don't think the cache entry ever times out. The
> intent is that an ephemeral ID, once assigned, lasts until the system is
> rebooted.
Sorry, that's only half right.
Ephemeral mappings sort of time out and sort of don't.
After about ten minutes, the rules (and domain-based mapping
information, though that is not relevant here) are once again consulted.
If they still yield no answer, the existing ephemeral mapping is
reused. If, on the other hand, they *do* yield a mapping, the new
mapping is used. The ephemeral mapping remains active to a limited
extent: it is still available to map the ephemeral ID back to a Windows
identity.
So, it appears that by now your new rules should have taken effect.
Here's the situation after that timer expired. (Please ignore the use
of an unqualified "administrator"; that's something special in the
experimental that I have installed on my test system.)
Before this sequence, I had established an ephemeral mapping and then
added a rule. Now, a while later...
$ idmap show -cv winname:administrator
winuser:administrator -> unixuser:root
Source: New
Method: Name Rule
Rule: add winname:administrator unixuser:root
[[ OK, good, the rule took effect ]]
$ idmap dump
usid:S-1-5-21-3282461207-1251754416-3263087731-500 <= uid:2147483650
usid:S-1-5-21-3282461207-1251754416-3263087731-500 == uid:0
[[ and the ephemeral mapping is still present for UID->SID mappings ]]
---
By the way, I really hate that ephemeral mappings and SIDs are as
visible as they are; my hope is that their use can be made almost
completely invisible. We're just not there yet.
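
Added example, not part of the original message and not idmapd's own code: a toy Python model of the revalidation behaviour described above, showing why a new rule only takes effect after the timer expires while the old ephemeral UID still maps back to the SID. The class, the 600-second interval, the ephemeral UID base and the sample SID are assumptions made for illustration.

```python
# Toy model of the ephemeral-mapping behaviour described in the message.
# Not idmapd's implementation; all names and constants here are assumptions.
REVALIDATE_SECS = 600        # "about ten minutes"
EPHEMERAL_BASE = 2**31       # assumed start of the ephemeral UID range


class IdmapModel:
    def __init__(self):
        self.rules = {}      # winname -> uid (name-based rules)
        self.forward = {}    # sid -> (uid, time the rules were last consulted)
        self.reverse = {}    # uid -> sid; ephemeral entries are kept here
        self.next_eph = EPHEMERAL_BASE

    def add_rule(self, winname, uid):
        self.rules[winname] = uid

    def sid_to_uid(self, sid, winname, now):
        entry = self.forward.get(sid)
        if entry and now - entry[1] < REVALIDATE_SECS:
            return entry[0]                  # still fresh: rules not consulted
        uid = self.rules.get(winname)        # timer expired: consult rules again
        if uid is None and entry:
            uid = entry[0]                   # no answer: reuse the old mapping
        elif uid is None:
            uid = self.next_eph              # first sight: allocate ephemeral ID
            self.next_eph += 1
        self.forward[sid] = (uid, now)
        self.reverse[uid] = sid              # old ephemeral uid -> sid stays put
        return uid

    def uid_to_sid(self, uid):
        return self.reverse.get(uid)

    def dump(self):
        # "==" maps both ways, "<=" only from the UID back to the SID
        return ["usid:%s %s uid:%d" %
                (sid, "==" if self.forward[sid][0] == uid else "<=", uid)
                for uid, sid in self.reverse.items()]


if __name__ == "__main__":
    m = IdmapModel()
    sid = "S-1-5-21-1-2-3-500"               # constructed sample SID
    m.sid_to_uid(sid, "administrator", now=0)
    m.add_rule("administrator", 0)
    m.sid_to_uid(sid, "administrator", now=700)
    print("\n".join(m.dump()))
```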