Skip to main content
Start a Conversation

Solved!

Go to Solution

Closed

AndrewF76

46 Posts

484

June 21st, 2023 05:00

Onefs with Active Directory, sync the changes made in AD

Hi,

I have a cluster with OneFs 8.0.0.6 and a MS server 2022 with AD, the cluster is connected to the AD.

If I make changes in the AD, for example I add or remove a user from a group that has access to a folder the modification won't take effect until I unmount the share on the workstation or restart it.

Is there a way to modify the sync time between the Onefs and AD so that any change on the AD would be effective on the cluster too in a couple seconds ?

Thx

Best regards

DELL-Josh Cr

Moderator

 • 

8.6K Posts

June 21st, 2023 12:00

Hi,

Thanks for your question. I don’t think it is possible since access is determined when the connection to the share is made. https://dell.to/3r0XkrZ This is an AD limitation, you may be able to script the disconnect and reconnect of the share.

Let us know if there is anything else we can help you with.

CendresMetaux

1 Rookie

 • 

61 Posts

June 21st, 2023 23:00

Exactly! This is caused by the users Kerberos ticket. It contains the group membership details at the time the ticket was generated. This ticket is then presented by the user to the server (PowerScale) which in turn evaluates access against the ACL. The ticket does not contain the newely added group membership. A new ticket is generated after expiration time or at logon. After this the user will habe acess...

DELL-Josh Cr

Moderator

 • 

8.6K Posts

June 22nd, 2023 05:00

This article explains how to change the time. minimum is 10 minutes. https://dell.to/44ay3dl

AndrewF76

46 Posts

June 22nd, 2023 01:00

Hi,

Thx for the help.

One more question, is there a way to shorten (set/modify) the Kerberos ticket expiration time?

 

CendresMetaux

1 Rookie

 • 

61 Posts

June 22nd, 2023 07:00

Can be done (some even consider shortening the ticket lifetime a security/risk measure), but please beware that any change in the AD/DS Kerberos realm settings have domain-wide impact! And there *exist* systems/circumstances not adhering to kerberos standards that expect a certain lifetime and do not initiate renewal when needed (though that is rather rare as of my findings/encounters so far)

View More

View All

No Events found!

Top