On Wed, Apr 02, 2008 at 06:34:52PM -0400, Leopold, Corey wrote:
> So if I understand that if I have a Non-ephemeral UIDs/GIDs they will
> work like normal for the first 0 to 5 minutes after lost connection.

Yes. But a more precise re-statement is needed:

- Established connections continue to work as before connectivity to AD is
  lost, but only with respect to access controls.
- User and group references in ACLs viewed or changed on the wire in the SMB
  protocol will get mapped to "nobody" within 0 to 5 minutes, even in
  connections that had been established prior to losing connectivity.

> Ephemeral UIDs/GIDs will read and write files as "nobody"?

No. Ephemeral UIDs/GIDs will continue to be mapped as before since those
are cached until either:

a) the system reboots, or
b) idmapd has some sort of catastrophic crash where it loses the contents
   of /var/run/idmap/idmap.db (or the sysadmin blows it away).

> Instead of the fully enumerating domain users and groups across the
> forest like you talked about in the other e-mail, I would be happy where
> only UIDs/GIDs that have been recently utilized on the CIFS share cached
> for usage if AD becomes unavailable. I'm really considering the case of
> transient network outages of less than an hour or so for remote offices
> with less than 10 users, not independent operation.

OK, good to know. I don't think I could stomach fully enumerating...

But I do want us to add the option for not validating SIDs when only
ephemeral mapping is configured (since that is feasible, and it would make
such configurations significantly more robust in the face of AD
connectivity loss).

Nico
--
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
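The cache semantics Nico describes (ephemeral entries surviving until idmap.db is lost, non-ephemeral entries falling back to "nobody" within 0 to 5 minutes without AD, and the proposed option to skip SID validation in an ephemeral-only configuration), modelled as an added Python example that is not OpenSolaris idmapd code. The class, method and constant names, the ephemeral ID base and the SIDs used in the comments are assumptions made for the illustration.

```python
# Constructed model of the idmap cache behaviour discussed in the thread.
# Not idmapd code: names, the ephemeral base and the TTL constant are assumed.
NOBODY = "nobody"
VALIDATION_TTL = 5 * 60   # seconds: the "0 to 5 minutes" window from the thread
EPHEMERAL_BASE = 2**31    # assumed start of the ephemeral ID range


class IdmapCache:
    """SID -> UID cache. `directory` is the AD-side SID->uidNumber table used
    for non-ephemeral mapping, or None when only ephemeral mapping is configured."""

    def __init__(self, directory=None, skip_sid_validation=False):
        self.directory = directory
        self.skip_sid_validation = skip_sid_validation  # the option Nico proposes
        self.ad_reachable = True
        self.now = 0
        self.ephemeral = {}   # SID -> uid; kept until reboot / idmap.db loss
        self.validated = {}   # SID -> (uid, time last confirmed against AD)
        self.next_ephemeral = EPHEMERAL_BASE

    def advance(self, seconds):
        self.now += seconds

    def lose_db(self):
        """Reboot or loss of /var/run/idmap/idmap.db: every cached mapping is gone."""
        self.ephemeral.clear()
        self.validated.clear()

    def map_sid(self, sid):
        if sid in self.ephemeral:            # ephemeral entries need no AD round trip
            return self.ephemeral[sid]
        if sid in self.validated:            # non-ephemeral entries expire without AD
            uid, seen = self.validated[sid]
            if self.ad_reachable:
                self.validated[sid] = (uid, self.now)
                return uid
            return uid if self.now - seen < VALIDATION_TTL else NOBODY
        if self.ad_reachable:                # unknown SID: look it up / validate in AD
            if self.directory and sid in self.directory:
                self.validated[sid] = (self.directory[sid], self.now)
                return self.directory[sid]
        elif not (self.directory is None and self.skip_sid_validation):
            return NOBODY                    # SID cannot be validated while AD is down
        uid = self.next_ephemeral            # allocate a fresh ephemeral ID
        self.next_ephemeral += 1
        self.ephemeral[sid] = uid
        return uid
```

With `skip_sid_validation=True` and no directory configured, a never-seen SID still gets an ephemeral ID during an outage; without it the same lookup returns "nobody".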
