Nextcloud version: 21.0.3
Operating system and version: Debian 10 (buster)
nginx version: nginx/1.14.2
PHP version: 7.3
We are using Nextcloud as a kind of front-end for our samba shares, which, for the most part, works quite well. Basically, we have the LDAP/AD integration app installed, which lets users authenticate against the AD provided by our samba instance. Then, shares are mounted as external storages, through SMB/CIFS globally. What a given user can see is controlled by ACLs managed in Windows.
Nextcloud seems to handle this quite well: it shows only the files that a user has permissions to see and in general behaves almost perfectly.
There is just the slight problem of changes in permissions and the like.
- For example, I noticed that when a user is granted permission to a new directory somewhere in the samba share, the change is not immediately visible in Nextcloud. I have since found a solution to this by reading the documentation. Now I run files_external:notify in the background constantly (as a systemd service) and it seems to be working.
- The new problem I am facing is what happens when a user is granted additional permissions (or has lost permissions) due to a change in the groups they are in. files_external:notify does not pick up this change, since no file permissions or contents change. It is merely that a user is now a member of a group it previously was not. It seems that Nextcloud only picks up the change after I do a complete file scan for the user (i.e. file:scan myuser).
- What is funny is that it seems that directories in the root of the shares immediately show up and disappear in Nextcloud as I add/remove the user from the group that has permissions for the directory. However, this does not happen already in a subdirectory only one level down from the root. Only file:scan helps.
I do not really want to execute a file:scan --all via cron every so often, since these external storages are quite huge and each scan takes forever. Isn’t there another way to make Nextcloud realize new directories / files are accessible since the group membership change?
Thanks in advance.