access idmap cache directly from smbd

simo idra at
Tue Aug 26 20:26:19 GMT 2008

On Tue, 2008-08-26 at 13:16 -0700, Jeremy Allison wrote:
> On Tue, Aug 26, 2008 at 04:07:53PM -0400, simo wrote:
> > I still do not agree to increase the time to a full week.
> > I'd prefer a few hours a day at most, but up to you.
> What does making this a week hurt ?

This is what I wrote in this thread 10 days ago.


On the cache timeout:

Also the 1 full week positive caching is probably too much for a
default, although I agree we should probably change the cache to a few
hours and not just 15 minutes. Mapping for weeks is almost the same as
mapping forever.

The reason for positive mappings with a time limit is that this way
admins that uses ldap or ad backends can change these mappings and
expect the change to reflect in the server in a reasonable time.

Because it is an exposed configuration option, of course any admin can
tune it to whatever value they want, even months or years, so I'd leave
longer periods as something to set as a local tuning.

Of course someone could argue that being a tunable then admins that
expect to change mappings could tune it down, but because the expiration
time is written in the cache they would still have to wait a full week
after they change the parameter to a lesser value, so by the time they
realize they have to change a mapping it would be just too much with a
default configuration and they would be forced to either stop the server
and wipe the cache or try to manipulate it manually somehow.
In contrast, if someone has performance problems and realize that this
is because of excessive lookups they can easily tune up the cache time
and they would see their change to be immediately applied as soon as the
entry expire (15 min to a few hours depending on what we settle down



Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <simo at>

More information about the samba-technical mailing list