It seems my filer (F720, ONTAP 5.3.6R2) caches NIS group lookups even if nis.group_update.enable is set to off.
This is what happens when I add the user "testuser" to the group "rally":
Initially both a Unix NIS client and the filer agree that the user isn't in the group:
UNIX: % ypmatch rally group
UNIX: rally:*:31042:jfrid,leif
FILER: jar> ypgroup testuser
FILER: User "testuser" belongs to the following group(s):
FILER: name: testproj gid: 31038
FILER: name: testprod gid: 31039
Then I add the user to the group and do a ypmake. The Unix client immediately picks up the change:
UNIX: % ypmatch rally group
UNIX: rally:*:31042:jfrid,leif,testuser
But the filer doesn't:
FILER: jar> ypgroup testuser
FILER: User "testuser" belongs to the following group(s):
FILER: name: testproj gid: 31038
FILER: name: testprod gid: 31039
The filer is supposed to not cache group lookups:
FILER: jar> options nis.group_update.enable
FILER: nis.group_update.enable off
In this state, the user can access the group's files just fine from an NFS Unix client, but gets "permission denied" when attempting the same from a CIFS client.
Clearing the WCC cache with "wcc -x" doesn't help. Trying to manually force a group cache update doesn't work:
FILER: jar> options nis.group_update_schedule now
FILER: Local NIS group update failed now. NIS group caching is not enabled.
The only way out of this state I've found is to enable group caching and then disable it again. This forces a group update.
FILER: jar> options nis.group_update.enable on
FILER: Fri Nov 23 14:24:21 MET [rc]: NIS: Group Caching has been enabled
FILER: Fri Nov 23 14:24:21 MET [nis_grp_updater]: Local NIS group update successful.
FILER: jar> options nis.group_update.enable off
FILER: Fri Nov 23 14:24:27 MET [rc]: NIS: Group Caching has been disabled
Now the ypgroup command stops working:
FILER: jar> ypgroup testuser
FILER: NIS Group cache not yet updated.
But at least the credential mapping is correct:
FILER: jar> wcc -u testuser
FILER: (NT - UNIX) account name(s): (SOFTLAB.LIN\testuser - testuser)
FILER: ***************
FILER: UNIX uid = 31028
FILER: user is a member of group softlab (30100)
FILER: user is a member of group rally (31042)
FILER: user is a member of group testproj (31038)
FILER: user is a member of group testprod (31039)
FILER:
FILER: NT membership
FILER: SOFTLAB.LIN\testuser
FILER: SOFTLAB.LIN\Domain Users
FILER: SOFTLAB.LIN\Gemini
FILER: BUILTIN\Users
FILER: User is also a member of Everyone, Network Users,
FILER: Authenticated Users
FILER: ***************
Now the user can access the group's files over both NFS and CIFS. Can anyone make head or tail of this?
/Leif Nixon
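
A check for the mismatch described in this post, added here as an example and not part of the original message or of ONTAP: it compares NIS group map entries with the filer's "ypgroup" output for one user and reports differences in both directions. The function names and the testproj/testprod map entries are constructed for illustration; only the rally entry and the ypgroup output format are taken from the post.

```python
import re

# Constructed sample input in the formats shown in the post.
# Only the rally line appears in the post; the other two map entries are assumed.
NIS_GROUP_MAP = """\
rally:*:31042:jfrid,leif,testuser
testproj:*:31038:testuser
testprod:*:31039:testuser
"""

FILER_YPGROUP = """\
FILER: User "testuser" belongs to the following group(s):
FILER: name: testproj gid: 31038
FILER: name: testprod gid: 31039
"""

def nis_groups_for(user, group_map):
    """Return {gid: name} for each NIS group entry listing `user` as a member."""
    found = {}
    for line in group_map.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank or malformed entries
        name, _passwd, gid, members = fields
        if user in [m.strip() for m in members.split(",") if m.strip()]:
            found[int(gid)] = name
    return found

def filer_groups(ypgroup_output):
    """Return {gid: name} from 'name: X gid: N' lines; any line prefix is ignored."""
    found = {}
    for line in ypgroup_output.splitlines():
        m = re.search(r"name:\s*(\S+)\s+gid:\s*(\d+)", line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found

def stale_groups(user, group_map, ypgroup_output):
    """Return (missing, extra): groups only in NIS, and groups only on the filer."""
    nis = nis_groups_for(user, group_map)
    filer = filer_groups(ypgroup_output)
    missing = {g: n for g, n in nis.items() if g not in filer}  # added in NIS, not yet seen
    extra = {g: n for g, n in filer.items() if g not in nis}    # removed in NIS, still held
    return missing, extra

if __name__ == "__main__":
    missing, extra = stale_groups("testuser", NIS_GROUP_MAP, FILER_YPGROUP)
    print("in NIS but not on filer:", missing)
    print("on filer but not in NIS:", extra)
```

The "extra" direction matters most for access control: it means a membership already removed from NIS is still being honoured by the filer.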