LUM enabled user that receives rights from higher in the tree loses access to NSS volumes after 14 days.

  • 7015510
  • 12-Aug-2014
  • 12-Aug-2014

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1

Situation

Larger environments where many servers exist without any eDirectory replicas, and LUM enabled users are used to perform server-specific tasks. Such users can be, for example (but are not restricted to), backup users.

These specific users do not have explicit file system rights assigned directly to their account, but inherit them from assignments made higher in the tree.

It has been observed that after approximately 14 days of operation, these user accounts can no longer authenticate to eDirectory to perform their assigned tasks.

Resolution

This has been resolved in Novell Open Enterprise Server 11 Support Pack 2 (FCS).

It is possible to provide a PTF for this problem based on a specific Novell Open Enterprise Server 11 Support Pack 1 Scheduled Maintenance patch level by logging an SR with Novell Technical Support, so that a module matching the operating environment can be built.

Cause

The root cause of this problem is that the LUM enabled users authenticate to a server with no replica, and the user's External Reference (ExtRef) on that server is eventually deleted.

The process for this is as follows:
  1. Initially, when the user first logs in (NSS initiates this), an ExtRef gets created.
  2. After 5 days, the NSS background checker thread runs and updates the ExtRef's access time (through an NCPMapDNToGUID call) for all the users in the user tree's GUID/DN mapping. (The user's DN will be in the user tree once the user has modified or created one or more files or folders.)
  3. After another 8 days and 30 minutes the ExtRef expires, and is ready to be cleaned up by the eDir backlinker process.
  4. The backlinker process runs every 13 hrs and deletes an ExtRef if it has expired.

So the External Reference will be deleted after about 13 days and 13 hrs. Once the External Reference for that user has been deleted, the NCPMapDNToSEV code fails to get the SEV lists, and NSS clears the SEV list when the NSS SEV background thread next runs (which it does every 2 hrs).

The user will have lost its access beyond this point.