It would be useful if you could provide the output from:

http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag


fw02-2009Q2# klist -5
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
What's "-5"?
If you want to see the idmap ccache, you should run `klist /var/run/idmap/ccache`.

Let's verify your Kerberos setup on your Solaris system. Please run the following commands:

(1) klist
bash-3.2# klist -ke
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 HOST/[email protected] (ArcFour with HMAC/md5)
6 HOST/[email protected] (DES cbc mode with CRC-32)
6 HOST/[email protected] (DES cbc mode with RSA-MD5)
6 host/[email protected] (ArcFour with HMAC/md5)
6 host/[email protected] (DES cbc mode with CRC-32)
6 host/[email protected] (DES cbc mode with RSA-MD5)
6 nfs/[email protected] (ArcFour with HMAC/md5)
6 nfs/[email protected] (DES cbc mode with CRC-32)
6 nfs/[email protected] (DES cbc mode with RSA-MD5)
6 HTTP/[email protected] (ArcFour with HMAC/md5)
6 HTTP/[email protected] (DES cbc mode with CRC-32)
6 HTTP/[email protected] (DES cbc mode with RSA-MD5)
6 root/[email protected] (ArcFour with HMAC/md5)
6 root/[email protected] (DES cbc mode with CRC-32)
6 root/[email protected] (DES cbc mode with RSA-MD5)
6 cifs/[email protected] (ArcFour with HMAC/md5)
6 cifs/[email protected] (DES cbc mode with CRC-32)
6 cifs/[email protected] (DES cbc mode with RSA-MD5)

(2) kinit -k HOST/<hostname.fqdn>, something like:

bash-3.2# kinit -k HOST/pb-49.w2k3r2.com
bash-3.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOST/[email protected]

Valid starting Expires Service principal
06/08/09 17:22:35 06/09/09 03:24:47 krbtgt/[email protected]
renew until 06/15/09 17:22:35

Regards,

Natalie
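
An added example, not from Natalie's message or the SS7000/OpenSolaris code, that scripts the pre-checks behind steps (1) and (2): it parses `klist -ke` output and a krb5.conf laid out like the one quoted below, then reports whether the keytab holds a HOST/<fqdn> key in the default realm, whether that key has a single KVNO, and whether the KDC is given as a short name or an FQDN. The principal and host names in the sample input are constructed.

```python
import re
# Constructed sample input modelled on the thread's listings (not the poster's real data).
KLIST_KE = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
   6 HOST/fw02-2009q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   6 HOST/fw02-2009q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
   6 cifs/fw02-2009q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)"""
KRB5_CONF = """[libdefaults]
        default_realm = FISHWORKS.COM
[realms]
        FISHWORKS.COM = {
                kdc = win2008-01
        }"""

def parse_keytab_listing(text):
    """(principal, realm, kvno, enctype) tuples from `klist -ke` output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([^@\s]+)@(\S+)\s+\((.+)\)\s*$", line)
        if m:
            rows.append((m.group(2), m.group(3), int(m.group(1)), m.group(4)))
    return rows

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, [realms] nested per realm name."""
    conf, section, block = {}, None, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            section, block = line.strip("[]"), None
            conf[section] = {}
        elif line.endswith("{"):
            block = line.split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_host_key(klist_text, conf_text, fqdn):
    """Pre-checks for `kinit -k HOST/<fqdn>`: key present, a single KVNO, how the KDC is named."""
    conf = parse_krb5_conf(conf_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    want = f"HOST/{fqdn}"  # principal names are case-sensitive; AD registers the HOST/ form
    hits = [r for r in parse_keytab_listing(klist_text) if r[:2] == (want, realm)]
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "")
    return {"realm": realm, "kdc": kdc,
            "host_key_present": bool(hits),
            "host_kvnos": sorted({r[2] for r in hits}),  # more than one KVNO means stale entries
            "kdc_is_fqdn": "." in kdc}  # a short KDC name relies on the resolver's search list
```

Run `check_host_key(KLIST_KE, KRB5_CONF, "fw02-2009q2.fishworks.com")` on the real `klist -ke` and `/etc/krb5/krb5.conf` text to get the same findings for your own host.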

Malcolm Gibbs wrote:
Hi,

I am having great fun with the SS7000 Simulator and CIFS but need some help.

I have the recent release of the SS7000 simulator running 2009.04.10.0.0,1-1.2 set up with a Windows Server 2008 running Active Directory (with the prereq SS7000 Hotfix installed).

I successfully join the AD domain, but when I go to create SS7000 CIFS file-systems and enter AD users and groups in the Root Directory Access ACL fields I get the error "User: Unknown or invalid user", when the user or group does indeed exist (for example "[email protected]").

Now I am presuming the CIFS idmap service is key to these lookups (NOTE that I have not set up any mapping rules; I am simply using the default Ephemeral ID mapping).

Dropping into the SS7000 "shell" I can see the following errors happening when I start the idmap service:

Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Preauthentication failed)
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP
SASL bind to win2008-01.fishworks.com:389 failed (Local error)
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable
to discover Forest Name
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable
to discover Site Name
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable
to discover Global Catalog
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable
to discover Domains in the Forest
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable
to discover Trusted Domains

Note the contents of the SS7000 krb5 setup, but the ticket cache is empty, like it has not done the pre-authentication:
fw02-2009Q2# cat /etc/krb5/krb5.conf
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

[libdefaults]
        default_realm = FISHWORKS.COM

[realms]
        FISHWORKS.COM = {
                kdc = win2008-01
                kpasswd_server = win2008-01
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .fishworks.com = FISHWORKS.COM
        fishworks.com = FISHWORKS.COM

fw02-2009Q2# klist -5
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)

This shows the idmap cache is empty:
fw02-2009Q2# idmap dump -nv

This idmap command should force idmap to query the AD domain fishworks.com and perform a temporary mapping, but it errors out:
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This shows I have joined a domain:
fw02-2009Q2# smbadm list
[*] [FISHWORKS]
[*] [fishworks.com]
       [+win2008-01.fishworks.com] [192.168.56.20]
[*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
[.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]

Same again with different users:
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This is specifically using the Windows SID for [email protected]:
fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
Error: No AD servers

This is the idmap cache after I map a share from a Windows machine using [email protected]; note that it creates the temporary mapping but does recognise it as [email protected]:
fw02-2009Q2# idmap dump -nv
usid:S-1-5-21-424206279-106027690-574836047-1104 ==     uid:2147581953
Method: Ephemeral
usid:S-1-5-21-424206279-106027690-574836047-513 ==      gid:2147581954
Method: Ephemeral
wingroup:Authenticated Users    ==      gid:2147581955
Method: Ephemeral
wingroup:Network ==     gid:2147581956
Method: Ephemeral

Any clues why this is broken?

Thanks
Malcolm

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
