UID still used as fileowner after the user is de-LUMenabled

  • 7005487
  • 16-Mar-2010
  • 27-Apr-2012


Novell Open Enterprise Server 2 (OES 2) Linux
Novell Linux User Management (LUM)
Novell Account Management (NAM).
Novell Core Protocol (NCP).
Novell Storage Services (NSS). 


After a user account is de-LUMenabled the owner for files created over NCP on either NSS or a Native Linux Filesystem is still the old UID of the user.
Similar phenomena occurs even when simply changing the UID to an other value.

A namconfig cache_refresh and / or a nsscon /ResetIDCache, even when followed by a full reboot does not seem to solve the issue.


This issue is addressed in later NCP modules, released for OES2SP1 and OES2SP2 on the NCC channels named Maintenance Patch 20100130.
After the server is updated with the patches available on the channels and one or more users are de-LUMenabled these additional steps are needed:
1. Clear the Novell Account Management cache by executing namconfig cache_refresh from the server prompt.
2. Restart the ncp2nss process executing /etc/init.d/ncp2nss restart
3. After 30 minutes or more, clear the NSS ID Cache using nsscon /ResetIDCache
The NCPserver has a DirCacheMaintenanceEvent which runs in a loop and triggers UpdateUIDmapping routine approx every 30 minutes. So it can last up to 30 minutes before the UID of the unLUMed users is completely cleared.
If step 3. is skipped, NSS takes up to 25 hours to clear it's cache.

Additional Information

These are the steps needed to  de-LUMenable a user:
1. Remove the users membership from the LUM group for the server or servers where the users are LUNenabled.
2. Delete the user's posixAccount and uamPosixUser class attributes.
A Request for Enhancement has been filed to have an option to de-LUMenable a user or a group of users in iManager.
The cause of the issue:
NSS has the file owner's GUID and does a GUID to ID translation using eDirectory APIs via NCP. This call is apparently returning a valid UID for this user despite de-LUMenabling and removing the posixAccount and uamPosixUser class attributes.
NCPEngine has a persistent cache to map the UID to EntryID and GUID and like. This cache is  stored in  /opt/novell/ncpserv/UIDMapping. When the ncp requests for a GUID to UID or DN to UID conversion, it is always hitting this cache and the request was never going to eDirectory.