On Wed, Apr 02, 2008 at 07:07:27PM -0400, Leopold, Corey wrote:
> 
> 
> > -----Original Message-----
> > From: Nicolas Williams [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2008 5:52 PM
> > To: Leopold, Corey
> > Cc: [email protected]
> > Subject: Re: [storage-discuss] CIFS behavior when AD is unavailiable
> > 
> > 
> > No.  Ephemeral UIDs/GIDs will continue to be mapped as before since
> > those are cached until either: a) the system reboots, or b) idmapd has
> > some sort of catastrophic crash where it loses the contents of
> > /var/run/idmap/idmap.db (or the sysadmin blows it away).
> > 
> 
> So as long as you have an authenticated CIFS connection before losing
> connection to AD, it should pretty much work as normal for Ephemeral
> users?

As long as all the relevant SIDs have already been mapped, yes.

> I haven't tried an Ephemeral user yet, probably will tomorrow, but when
> I did this with a non-ephemeral user earlier today, it worked great for
> the first five minutes or so, and then started taking a long time to
> start accessing a file or open directories, which I assume is because it
> was attempting to validate the SID, and once it failed it gave access.  
> 
> It would seem to follow that SID validation would cause the same issues
> for Ephemeral users also.  I would vote for being able to turn that off,
> or at least make it less aggressive by adding a feature where on failure
> to contact AD it does not try again for some configurable period of
> time.

I believe that idmapd should only try AD lookups if: a) they are needed
for a new mapping of any kind (except some[*]), b) an existing,
non-ephemeral but otherwise perfectly OK mapping is expired.  I.e., if
"idmap dump" lists all the SIDs that you're interested in and they are
all mapped to ephemeral IDs (because someone or something requested them
earlier), then I _think_ idmapd won't try to talk to AD.  But I could be
wrong, in which case I'd consider idmapd's behaviour to be a bug.

[*] Some well-known SIDs, as well as all SIDs that are relative to the
    server's computer SID are always mapped without talking to AD.

Nico
-- 
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
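The check Nico suggests above, "idmap dump" listing every SID you care about as already mapped, can be scripted so an operator can confirm a server's readiness for an AD outage before it happens. The following is an added example, not code from the thread or from the OpenSolaris idmap project; the line layout it parses (`usersid:S-... == uid:N`) is an assumption modelled on idmap(1M) output, the sample dump text is constructed, and the ephemeral-ID boundary of 2^31 is the Solaris convention for the upper half of the 32-bit ID space.

```python
"""Report whether the SIDs a CIFS server depends on are already cached by
idmapd, based on the text that `idmap dump` prints.

Added example (not from the mailing-list thread). The line format matched
below is an assumption modelled on idmap(1M) output; adjust LINE_RE if a
given release prints something different.
"""
import re

# Solaris allocates ephemeral UIDs/GIDs from the upper half of the 32-bit
# ID space; anything at or above this value is treated as ephemeral here.
EPHEMERAL_MIN = 2 ** 31

# Constructed sample of `idmap dump` output (not captured from a real host).
SAMPLE_DUMP = """\
usersid:S-1-5-21-111-222-333-1001  ==  uid:2147483649
groupsid:S-1-5-21-111-222-333-513  ==  gid:2147483650
usersid:S-1-5-21-111-222-333-1002  =>  uid:10001
wingroup:Domain Users@example.com  ==  gid:2147483650
"""

# One SID-keyed mapping per line: optional user/group prefix, the SID, a
# bidirectional (==) or one-way (=>) arrow, then the local uid/gid.
LINE_RE = re.compile(
    r"^(?:user|group)?sid:(S-[\d-]+)\s*(==|=>)\s*(uid|gid):(\d+)$"
)


def parse_idmap_dump(text):
    """Return {sid: (kind, numeric_id, bidirectional)} for each SID line.

    Name-keyed lines (winname:/wingroup:) and anything unrecognised are
    skipped rather than guessed at.
    """
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sid, arrow, kind, ident = m.groups()
        mappings[sid] = (kind, int(ident), arrow == "==")
    return mappings


def is_ephemeral(ident):
    """True if the numeric ID falls in the ephemeral range."""
    return ident >= EPHEMERAL_MIN


def readiness_report(dump_text, wanted_sids):
    """For each SID clients are expected to present, say whether idmapd
    already holds a mapping and whether that mapping is ephemeral (kept
    only in idmapd's cache) or persistent (a configured rule)."""
    mappings = parse_idmap_dump(dump_text)
    report = {}
    for sid in wanted_sids:
        if sid not in mappings:
            report[sid] = "unmapped: first use will need AD"
            continue
        kind, ident, _bidirectional = mappings[sid]
        flavour = "ephemeral" if is_ephemeral(ident) else "persistent"
        report[sid] = f"cached {flavour} {kind}:{ident}"
    return report


if __name__ == "__main__":
    # In practice feed this subprocess.run(["idmap", "dump"]).stdout instead.
    wanted = [
        "S-1-5-21-111-222-333-1001",
        "S-1-5-21-111-222-333-1002",
        "S-1-5-21-111-222-333-9999",
    ]
    for sid, status in readiness_report(SAMPLE_DUMP, wanted).items():
        print(f"{sid}: {status}")
```

Any SID reported as "unmapped" is one whose first use will trigger an AD lookup, so it is the list to pre-populate (by having the relevant users connect, or by listing the share ACLs) while the domain controller is still reachable.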
