On Wed, Apr 02, 2008 at 05:22:07PM -0400, Leopold, Corey wrote:
> What is the expected behavior of CIFS when joined to Active Directory and
> all Active Directory servers become unavailable due to network outage?

Domain user/group SIDs seen on the wire are mapped to "nobody" UIDs/GIDs. Non-ephemeral UIDs/GIDs are mapped to RIDs relative to the server's computer SID.

> We are considering/prototyping using this as storage at remote sites
> that do not have a local AD server.

That's probably not a good idea...

We'll be looking at improving disconnected operation. If there are no name-based mapping rules and directory-based name mapping is not configured, we could skip AD lookups for SIDs and just always map them to ephemeral IDs. We'd want to have an option to validate allocated RID ranges per-domain in the forest, to prevent ephemeral ID consumption DoS attacks from SMB clients. Of course, that would only work for SMB. For NFSv4 we might need to introduce an on-the-wire encoding of SIDs.

Other options include periodically enumerating domain users and groups across the forest (i.e., in the global catalog) and caching that. But that sounds rather heavyweight.

> It appears that we can continue to access the share after the AD server
> becomes unavailable. I could not find any documentation relating to
> limits of cached credentials, or other features.

Cached mappings should survive for a while. Established connections should stay up.

Nico
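The disconnected-mode idea sketched in the reply (map wire SIDs to ephemeral IDs without an AD lookup, but validate the RID against a per-domain allocated range and cap consumption so an SMB client cannot exhaust the ephemeral ID pool) can be modelled as below. This is an added illustration, not Solaris idmap code; the ephemeral base, the "nobody" UID, the domain SID and the RID ranges are constructed placeholder values.

```python
import re
from dataclasses import dataclass

NOBODY_UID = 60001          # constructed; the real "nobody" id is system-specific
EPHEMERAL_BASE = 2 ** 31    # assumption: ephemeral IDs come from a high, unused range

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; the trailing field is the RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


@dataclass
class DomainPolicy:
    rid_lo: int          # lowest RID the domain is known to have allocated
    rid_hi: int          # highest RID the domain is known to have allocated
    max_ephemeral: int   # cap on ephemeral IDs this domain may consume


class DisconnectedIdmap:
    """SID -> UID mapper that never contacts AD (the proposed disconnected mode)."""

    def __init__(self, policies):
        self.policies = policies   # domain SID string -> DomainPolicy
        self.cache = {}            # full SID string -> allocated ephemeral UID
        self.per_domain = {}       # domain SID string -> ephemeral IDs handed out
        self.next_eph = EPHEMERAL_BASE

    def sid_to_uid(self, sid):
        if sid in self.cache:                      # cached mappings survive outages
            return self.cache[sid]
        m = SID_RE.match(sid)
        if not m:                                  # malformed or non-domain SID
            return NOBODY_UID
        domain = "S-1-5-21-" + "-".join(m.group(1, 2, 3))
        rid = int(m.group(4))
        pol = self.policies.get(domain)
        if pol is None or not (pol.rid_lo <= rid <= pol.rid_hi):
            return NOBODY_UID                      # unknown domain or RID outside allocated range
        if self.per_domain.get(domain, 0) >= pol.max_ephemeral:
            return NOBODY_UID                      # quota hit: refuse rather than exhaust the pool
        uid = self.next_eph
        self.next_eph += 1
        self.per_domain[domain] = self.per_domain.get(domain, 0) + 1
        self.cache[sid] = uid
        return uid


def is_ephemeral(uid):
    return uid >= EPHEMERAL_BASE
```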
