Hi, I am having great fun with the SS7000 Simulator and CIFS but need some help.

I have the recent release of the SS7000 simulator running 2009.04.10.0.0,1-1.2 setup with a Windows Server 2008 running Active Directory (with the prereq SS7000 Hotfix installed).

I successfully join the AD domain but when I go to create SS7000 CIFS file-systems and enter AD users and groups in the Root Directory Access ACL fields I get the error "User: Unknown or invalid user", when the user or group does indeed exist (for example "[email protected]").

Now I am presuming the CIFS idmap service is key to these lookups (NOTE that I have not setup any mapping rules, I am simply using the default Ephemeral ID mapping).

Dropping into the SS7000 "shell" I can see the following errors happening when I start the idmap service:

Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Preauthentication failed)
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable to discover Forest Name
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable to discover Site Name
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable to discover Global Catalog
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable to discover Domains in the Forest
Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable to discover Trusted Domains

Note the contents of the SS7000 krb5 setup but the ticket cache is empty, like it has not done the pre-authentication:

fw02-2009Q2# cat /etc/krb5/krb5.conf
#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

[libdefaults]
        default_realm = FISHWORKS.COM

[realms]
        FISHWORKS.COM = {
                kdc = win2008-01
                kpasswd_server = win2008-01
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .fishworks.com = FISHWORKS.COM
        fishworks.com = FISHWORKS.COM

fw02-2009Q2# klist -5
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)

This shows the idmap cache is empty:

fw02-2009Q2# idmap dump -nv

This idmap command should force idmap to query the AD domain fishworks.com and perform a temporary mapping but errors out:

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This shows I have joined a domain:

fw02-2009Q2# smbadm list
[*] [FISHWORKS]
[*] [fishworks.com]
        [+win2008-01.fishworks.com] [192.168.56.20]
[*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
[.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]

Same again, different users:

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This is specifically using the Windows SID for [email protected]:

fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
Error: No AD servers

This is the idmap cache after I map a share from a Windows machine using [email protected], note that it creates the temporary mapping but does recognise it as [email protected]:

fw02-2009Q2# idmap dump -nv
usid:S-1-5-21-424206279-106027690-574836047-1104 == uid:2147581953
        Method: Ephemeral
usid:S-1-5-21-424206279-106027690-574836047-513 == gid:2147581954
        Method: Ephemeral
wingroup:Authenticated Users == gid:2147581955
        Method: Ephemeral
wingroup:Network == gid:2147581956
        Method: Ephemeral

Any clues why this is broken?

Thanks
Malcolm
