access idmap cache directly from smbd

simo idra at samba.org
Tue Aug 26 22:36:55 GMT 2008


On Tue, 2008-08-26 at 14:22 -0700, Jeremy Allison wrote:
> On Tue, Aug 26, 2008 at 08:26:19PM +0000, simo wrote:
> > On the cache timeout:
> > 
> > Also the 1 full week positive caching is probably too much for a
> > default, although I agree we should probably change the cache to a few
> > hours and not just 15 minutes. Mapping for weeks is almost the same as
> > mapping forever.
> 
> Yes, I agree.
> 
> > The reason for positive mappings with a time limit is that this way
> > admins that use ldap or ad backends can change these mappings and
> > expect the change to reflect in the server in a reasonable time.
> 
> Ok, what about adding a control message to delete a cache
> entry? How often do these things change? Do they ever?
> If changing a cache entry is really rare then why not
> cache forever and give admins a way to notify. Not trying
> to be difficult, just trying to understand the problem
> from the customer perspective.

Not sure how you would notify?

You can't assume the samba admin and the AD admin (who has control over
the rfc2307 attributes) are the same person. That's not true in many
organizations. And in some, neither admin has direct control over
these attributes: they are changed by provisioning software, which
may be controlled by some security officer for these attributes.

Also, how would you propose to notify a farm of machines?
Log in to each one and run a command?

Not really what I would call friendly, although it would be nice to
have in addition to the timeout for the small controlled environments
where you really want to have a long lived cache and manually refresh
entries.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
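The trade-off argued over in this thread, as an added illustration that is not Samba code: a minimal positive idmap cache where every entry carries a time limit, plus the per-entry "control message" style invalidation Jeremy proposes. The SID, uids, the `backend_uid` stand-in for an rfc2307 lookup, and the helper names are all constructed for the example. Time is passed in explicitly so the timeout can be exercised without sleeping.

```c
/* Added example, not from Samba: positive sid->uid cache with a TTL and an
 * explicit invalidation call. All identifiers and values are constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 16
#define SID_LEN 64

struct idmap_entry {
    char sid[SID_LEN];
    unsigned int uid;
    time_t expires;             /* 0 means the slot is empty */
};

static struct idmap_entry cache[CACHE_SLOTS];
static time_t positive_ttl = 4 * 3600;   /* "a few hours", per the thread */
static unsigned int backend_uid = 10001; /* stands in for LDAP/AD uidNumber */

void backend_set_uid(unsigned int uid) { backend_uid = uid; }
void cache_set_positive_ttl(time_t seconds) { positive_ttl = seconds; }

/* Live entry for sid, or NULL; a timed-out entry is dropped and is a miss. */
static struct idmap_entry *cache_find(const char *sid, time_t now)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].expires == 0 || strcmp(cache[i].sid, sid) != 0) continue;
        if (cache[i].expires <= now) { cache[i].expires = 0; return NULL; }
        return &cache[i];
    }
    return NULL;
}

static void cache_store(const char *sid, unsigned int uid, time_t now)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].expires != 0) continue;
        snprintf(cache[i].sid, sizeof(cache[i].sid), "%s", sid);
        cache[i].uid = uid;
        cache[i].expires = now + positive_ttl;
        return;
    }
    /* cache full: not cached, the backend still answers correctly */
}

/* The manual notification: drop one SID's entry. Returns 1 if one was found. */
int cache_invalidate(const char *sid)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].expires != 0 && strcmp(cache[i].sid, sid) == 0) {
            cache[i].expires = 0;
            return 1;
        }
    }
    return 0;
}

/* sid -> uid with positive caching; misses go to the (constructed) backend. */
unsigned int sid_to_uid(const char *sid, time_t now)
{
    struct idmap_entry *e = cache_find(sid, now);
    if (e) return e->uid;
    unsigned int uid = backend_uid;      /* the expensive lookup in real life */
    cache_store(sid, uid, now);
    return uid;
}

/* Scenario from the thread: prime the cache, then provisioning changes the
 * uid in the backend. Returns how many hours the server keeps serving the
 * stale uid under the given TTL (no notification). */
long stale_hours_after_change(time_t ttl_seconds)
{
    const char *sid = "S-1-5-21-1-2-3-1105";   /* constructed SID */
    memset(cache, 0, sizeof(cache));
    cache_set_positive_ttl(ttl_seconds);
    backend_set_uid(10001);
    time_t t0 = 1000000;
    sid_to_uid(sid, t0);                       /* caches 10001 */
    backend_set_uid(20002);                    /* rfc2307 uidNumber changed */
    long hours = 0;
    while (sid_to_uid(sid, t0 + hours * 3600) != 20002) hours++;
    return hours;
}

/* Same change, week-long TTL, but the admin sends the invalidation instead. */
unsigned int uid_after_invalidate(void)
{
    const char *sid = "S-1-5-21-1-2-3-1105";
    memset(cache, 0, sizeof(cache));
    cache_set_positive_ttl(7 * 24 * 3600);
    backend_set_uid(10001);
    time_t t0 = 1000000;
    sid_to_uid(sid, t0);
    backend_set_uid(20002);
    cache_invalidate(sid);                     /* the control message */
    return sid_to_uid(sid, t0 + 1);
}

int main(void)
{
    printf("stale for %ld hours with a 4h TTL\n", stale_hours_after_change(4 * 3600));
    printf("stale for %ld hours with a 1-week TTL\n", stale_hours_after_change(7 * 24 * 3600));
    printf("uid right after invalidation: %u\n", uid_after_invalidate());
    return 0;
}
```

The two paths are complementary rather than alternatives: the TTL bounds how long a backend change goes unnoticed on every machine without anyone touching it, while `cache_invalidate` is what the per-entry control message would call on the one box an admin can reach.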


