Hi Aurélien! Am 09.01.19 um 11:48 schrieb Degremont, Aurelien: > When disabling identity_upcall on a MDT, you get this message in system > logs: > > lustre-MDT0000: disable "identity_upcall" with ACL enabled maybe cause > unexpected "EACCESS" > > I’m trying to understand what could be a scenario that shows this problem? > What is the implication, or rather, how identity_upcall works?
Without an identity_upcall, all Lustre users effectively lose their secondary group memberships. These are not passed in the RPCs, but evaluated on the MDS instead. The default l_getidentity receives a numeric uid, queries NSS to obtain the corresponding account's list of gids, and passes the list back to the kernel. As a test scenario, just try to access a file or directory from an account that only has access permissions via one of its secondardy groups. (The log message is a bit misleading--you don't actually need to use ACLs, ordinary group permissions are sufficient.) Kind regards, Daniel -- Daniel Kobras Principal Architect Puzzle ITC Deutschland +49 7071 14316 0 www.puzzle-itc.de -- Puzzle ITC Deutschland GmbH Sitz der Gesellschaft: Jurastr. 27/1, 72072 Tübingen Eingetragen am Amtsgericht Stuttgart HRB 765802 Geschäftsführer: Lukas Kallies, Daniel Kobras, Mark Pröhl _______________________________________________ lustre-discuss mailing list lustre-discuss@lists.lustre.org http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org