
Re: 10.4.2 Nested Folder Permissions

The network may be large, but the three servers noted are sitting one on top of the other attached to the same Cisco 4507 switch.  They are also on the same subnet as the workstations.  Due to a bug I discovered related to users changing their passwords during login, I am no longer replicating to my home directory server.  It is simply attached to the directory hosted on the authorization server.  And, as you see, the server does in fact know about the change in permissions with a "memberd -r".  I am leaning towards an ACL issue.  i.e. they may not be working.  So, my next effort will be to turn them off and see if I get the results I desire with just POSIX permissions.

Since the homedir server is not a replica but attached to the auth server for its user/group information, that information should be available instantaneously, or at the very least when memberd updates.  Providing memberd is the only process responsible for the file system being made aware of who can do what.

My problem is that I have four buildings with over 1400 students each.  When I need to add/remove a student from a group I also need their permissions to respond in a predictable manner.  I can't have a student who may be a problem maintaining their access to certain server shares if it's not appropriate.  You might think I would disable their account.  But what if they just drop a class because they are not happy with their instructor.  They may try to delete class related files if they are not removed from the class group quickly.  I had hoped to identify some method, command line or otherwise, to do this.  But, as you say, this may be operating as designed.

BTW, I did try the homedir server as a replica before I posted yesterday.  Same results.

Dave Hunter



At 3:57 PM -0400 8/27/05, email@hidden wrote:
There's more to this than meets the eye.
My suspicion is that your network is a bit larger than what you've described?  Even if not, the statement "after more than an hour, the user does gain access" suggests that the permissions are getting replicated during this time.  Where, exactly, I'm not sure.
But I can tell you that on my rather large network, it always takes a while for the ACLs to work properly after initial set up/changes.
And it sounds like, in fact, your network is behaving itself.

-David

J. David Hester, PhD
LCG Systems, Inc.
email@hidden

NIDCD Network Support - Contractor
email@hidden


On Aug 27, 2005, at 3:03 PM, David B. Hunter wrote:

Aaron,
Thanks for the input!  In fact, memberd -r does refresh the
membership and shows the user's new group...See below as I run
memberd -r after making jdoe a member of yearbook-editors.
homes:/var/log root# id jdoe
uid=17005(jessica17005) gid=20(staff) groups=20(staff),
1025(yearbook), 1031(ahs-students)
homes:/var/log root# memberd -r
homes:/var/log root# id jdoe
uid=17005(jessica17005) gid=20(staff) groups=20(staff),
1025(yearbook), 1026(yearbook-editors), 1031(ahs-students)
homes:/var/log root#
Unfortunately, even though the server now knows the correct
group...this user *still* doesn't get access to the yearbook-editors
folder.  Though, after more than an hour, the user does gain access.
Any idea what else might be in the middle of this?
I haven't modified /etc/memberd.conf yet.  I figured memberd -r would
force any updates necessary.
Dave Hunter



At 1:25 AM -0400 8/27/05, Aaron Rosenblum wrote:
>10.4 uses something called memberd to cache group membership.  It
>sometimes doesn't immediately recognize changes to groups.  In fact,
>it can take hours for the group membership cache to be updated.  You
>can try doing a "memberd -r" and see if it helps.  You can also
>tweak the memberd.conf file in /etc.  The times listed there are in
>seconds.  You can make them shorter if you'd like.
>
>Aaron
>
>On Aug 26, 2005, at 6:06 PM, David B. Hunter wrote:
>
>>Question regarding folder access based on group membership:
>>
>>I have three 10.4.2 servers with ACLs turned on.
>>
>>1. auth -  OD Master
>>2. ns1 - DNS/DHCP, OD Replica
>>3. homes - home directories, directory attached non-replica
>>
>>I have a folder mounted at login for my users called "Classroom".
>>Inside I have several folders nested for individual classes.  A
>>students group has R/O access to the folder and staff can R/W.  I
>>also have nested departmental folders that students selectively
>>have access to based on the class they are taking and the group
>>they are assigned to...
>>
>>Classroom -> English-Dept -> Yearbook
>>Classroom -> English-Dept -> Yearbook-Editors
>>
>>I have two groups of the same name applied each to Yearbook and
>>Yearbook-Editors folders to allow access in addition to appropriate
>>POSIX permissions.
>>
>>The Yearbook and Yearbook-Editors groups have R/W privileges to
>>Yearbook folder.
>>
>>The Yearbook group has Write ONLY privileges to Yearbook-Editors
>>folder and the Yearbook-Editors group has Read/Write privileges to
>>Yearbook-Editors.
>>
>>My problem is...when I add users to the various groups, they do not
>>immediately have access to the folders.  In fact, I have to reboot
>>the home directory server in order for their group membership and
>>subsequent access privileges to be recognized allowing (or
>>dis-allowing as the case may be) access to the folders.
>>
>>I have tried this with the homes server both standalone and as a
>>replica.  Same results.  I've also tried adding users to the groups
>>and doing a "lookupd -flushcache" on the homedir server -- no luck.
>>Users logout, reboot and re-logon, no luck!
>>
>>Any ideas on what is going on?  Or of a command I can issue in the
>>CLI to "refresh" the server's folder privileges based on the group
>>memberships in the directory without a reboot?
>>
>>Thanks for any advice!
>>
>>David B. Hunter
>>Networking Specialist
>>South Bend Community School Corporation
>>South Bend, IN
>>email@hidden
>>
>>_______________________________________________
>>Do not post admin requests to the list. They will be ignored.
>>Macos-x-server mailing list      (email@hidden)
>>Help/Unsubscribe/Update your Subscription:
>>http://lists.apple.com/mailman/options/macos-x-server/arosenbl%40mac.com
>>
>>This email sent to email@hidden

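An added example, not code from anyone in this thread: a small POSIX shell script that cross-checks the group list a server reports for a user (the `id` output Dave posted, before and after `memberd -r`) against the group ACL entries of a folder as `ls -le` lists them, so a stale membership cache can be told apart from an ACL that never named the group. The ACL listing for Yearbook-Editors is constructed from the thread's description and the `ls -le` entry format is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. It cross-checks the group list the
# server reports for a user (`id` output) against the ACL entries shown by
# `ls -le` on a folder, so an admin can tell a stale membership cache
# (group missing from `id`) from an ACL that simply never names the group.
# Sample data is constructed; the `ls -le` entry format is assumed.

# `id jdoe` before and after `memberd -r`, as posted in the thread.
ID_BEFORE='uid=17005(jessica17005) gid=20(staff) groups=20(staff),1025(yearbook),1031(ahs-students)'
ID_AFTER='uid=17005(jessica17005) gid=20(staff) groups=20(staff),1025(yearbook),1026(yearbook-editors),1031(ahs-students)'

# Constructed `ls -led Yearbook-Editors`: yearbook may only add files,
# yearbook-editors may read and write (the setup described in the thread).
ACL_OUTPUT='drwxrwx---+ 5 admin staff 170 Aug 26 18:00 Yearbook-Editors
 0: group:yearbook-editors allow list,search,add_file,add_subdirectory,delete_child,readattr,writeattr
 1: group:yearbook allow add_file,add_subdirectory'

# Group names from an `id` line, one per line.
id_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
    sed 's/^[0-9]*(\(.*\))$/\1/'
}

# "group rights" for every group ACL entry in an `ls -le` listing.
acl_group_entries() {
  printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]*: group:\([^ ]*\) allow \(.*\)$/\1 \2/p'
}

# Does the reported group list contain the named group? (exit 0 = yes)
has_group() {
  id_groups "$1" | grep -qx "$2"
}

# ACL entries that apply to the user, given the groups the server reports.
# If the group is present here yet access still fails, the problem is not
# the membership cache but the ACL evaluation itself (Dave's suspicion).
effective_acl() {
  for grp in $(id_groups "$1"); do
    acl_group_entries "$2" | grep "^$grp " || true
  done
}

echo "Before memberd -r:"; effective_acl "$ID_BEFORE" "$ACL_OUTPUT"
echo "After memberd -r:";  effective_acl "$ID_AFTER" "$ACL_OUTPUT"
```

On a live 10.4 server the two inputs would come from `id "$user"` and `ls -led "$folder"` instead of the embedded samples.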

References: 
 >Re: 10.4.2 Nested Folder Permissions (From: "David B. Hunter" <email@hidden>)
