Hi Afshin,
Testing this setting now.
One more observation: when I run idmap show for my test users, I'm getting
'Error: Domain not found.'
$ idmap show -c -v unixuser:dguser1
unixuser:dguser1 -> usid:S-1-5-21-3528854772-1994345751-4234447534-2002
Error: Domain not found
Failed Method: Name Rule
Rule: add winname:[email protected] unixuser:dguser1
$ idmap show -c -v unixuser:admin
unixuser:admin -> usid:S-1-5-21-3528854772-1994345751-4234447534-2000
Error: Domain not found
Failed Method: Name Rule
Rule: add winname:[email protected] unixuser:admin
Is this part of my problem?
________________________________
From: Afshin Salek [mailto:[email protected]]
Sent: Fri 4/17/2009 2:04 PM
To: Matt Feightner
Cc: [email protected]
Subject: Re: [cifs-discuss] idmap failures causing interruptions in
CIFS share access
The access token of the user might contain SIDs that idmap cannot
resolve. Try this on your box and see if the problem goes away:
# svccfg -s idmap setprop config/unresolvable_sid_mapping = boolean: true
# svcadm refresh idmap
Afshin
Matt Feightner wrote:
> Correction: I've confirmed the Nexenta box (dev-cask) can get to the other
> DCs. So why do the id mappings fail? Is it simply because the Nexenta box
> is connecting to the wrong DC and the wrong domain?
>
>
> ________________________________
>
> From: [email protected] on behalf of Matt Feightner
> Sent: Fri 4/17/2009 10:29 AM
> To: [email protected]
> Subject: [cifs-discuss] idmap failures causing interruptions in CIFS
> share access
>
>
>
> Hello,
> I am running the latest version of NexentaStor v1.1.7, and I have experienced an
> ongoing issue where access to CIFS shares from Windows is failing
> intermittently.
>
> I found the source of the problem during my testing yesterday. Share access
> was failing from 1:32pm until 1:45:55pm.
> I noticed that when I ran 'dmesg', I kept seeing idmap failures for
> Administrator.
>
> Here is output from /var/adm/messages:
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 873961 daemon.info] change
> global_catalog=dev-vmfrdc1.liquor.dev port=3268
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 873961 daemon.info] change
> global_catalog=dev-vmbwdc1.bourbon.liquor.dev port=3268
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 873961 daemon.info] change
> global_catalog=dev-vmbstopdc1.bstop.liquor.dev port=3268
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 452674 daemon.info] change
> domains_in_forest=liquor.dev
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 868507 daemon.info] change
> trusted_domains=scotch.liquor.dev direction=bi-directional
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 868507 daemon.info] change
> trusted_domains=bourbon.liquor.dev direction=bi-directional
> Apr 13 20:21:46 dev-cask idmap[298]: [ID 868507 daemon.info] change
> trusted_domains=bstop.liquor.dev direction=bi-directional
> Apr 13 20:23:46 dev-cask smbd[1140]: [ID 775558 daemon.debug]
> smb_door_srv_func: execute server routine(opcode=0)
> Apr 13 20:23:46 dev-cask smbd[1140]: [ID 395423 daemon.debug]
> smbrdr_ntcreatex: 18 \netlogon
> Apr 13 20:23:47 dev-cask smbd[1140]: [ID 528497 daemon.debug] SmbRdrNtCreate:
> fid=16388
> Apr 13 20:23:47 dev-cask idmap[298]: [ID 821686 daemon.debug] Using global
> catalog server dev-vmbstopdc1.bstop.liquor.dev:3268
> Apr 13 20:23:47 dev-cask smbd[1140]: [ID 702911 daemon.debug] [0]
> ^H\226^N^H\310\227^N^H-513 (-9976)
> Apr 13 20:23:47 dev-cask smbd[1140]: [ID 266262 daemon.error]
> BOURBON\Administrator: idmap failed
>
> Share access was restored immediately after I ran the command: # svcadm
> refresh idmap
>
> Why is the Nexenta box trying to use a DC that's outside of its own domain?
> Why does it need to get to all DCs?
> The only servers that can talk to all DCs currently are the DCs themselves.
> Do I need to open up communication to all DCs for the Nexenta box?
>
> _______________________________________________
> cifs-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
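
The /var/adm/messages excerpt quoted in the thread shows idmap selecting a global catalog in bstop.liquor.dev one line before smbd logs the failure for BOURBON\Administrator. As an added example (not part of the original messages), this Python script pairs each "idmap failed" entry with the global catalog idmap last reported using; comparing the NetBIOS domain name with the first DNS label of the catalog's domain is an assumption made for illustration.

```python
import re

# Sample lines taken from the /var/adm/messages excerpt quoted in the thread,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Apr 13 20:21:46 dev-cask idmap[298]: [ID 868507 daemon.info] change trusted_domains=bourbon.liquor.dev direction=bi-directional
Apr 13 20:23:47 dev-cask idmap[298]: [ID 821686 daemon.debug] Using global catalog server dev-vmbstopdc1.bstop.liquor.dev:3268
Apr 13 20:23:47 dev-cask smbd[1140]: [ID 266262 daemon.error] BOURBON\\Administrator: idmap failed
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+)\[\d+\]: \[ID \d+ \S+\] (.*)$")
GC_USED = re.compile(r"Using global catalog server (\S+?):(\d+)$")
FAILED = re.compile(r"^([^\\\s]+)\\(\S+): idmap failed$")


def idmap_failures(text):
    """Pair every 'idmap failed' line with the global catalog idmap last chose."""
    last_gc = None
    findings = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        stamp, host, daemon, msg = m.groups()
        gc = GC_USED.search(msg)
        if daemon == "idmap" and gc:
            last_gc = gc.group(1)
            continue
        fail = FAILED.match(msg)
        if daemon == "smbd" and fail:
            domain, user = fail.groups()
            # Heuristic (assumption): the NetBIOS domain name equals the first
            # DNS label of the domain, e.g. BOURBON -> bourbon.liquor.dev.
            labels = last_gc.lower().split(".")[1:] if last_gc else []
            findings.append({
                "time": stamp, "host": host, "account": f"{domain}\\{user}",
                "global_catalog": last_gc,
                "gc_in_account_domain": domain.lower() in labels[:1],
            })
    return findings


if __name__ == "__main__":
    for finding in idmap_failures(SAMPLE_LOG):
        print(finding)
```

A failure whose gc_in_account_domain is False matches the situation described in the thread, where the lookup went to a catalog server outside the account's own domain.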