The cleanest way is to use AD-based IDMAP. Therefore you should have at least a 2003-R2, so the Services for Unix would be available, including the NIS server, which extends your AD LDAP with the fields needed for use as a Unix LDAP. Then configure your Solaris ldapclient and idmap accordingly. I may give you the needed configurations. This would also allow using every user on a Linux or Unix box. The only caveat is the missing ability in Solaris to recursively resolve groups in LDAP using the DN. Maybe the Winchester stuff will close this gap soon.
This runs quite fine here with our 2008 AD on 2008-R2 DCs. With 2008 there is currently an issue with the SMB signing stuff, which may cause you some pain. If there are some problems, try looking at the daemon.debug log; if there are messages like "bad signature" with a strange message on the Windows side, try to disable it. To see the OSOL file server in domain browsing, the SMB client on the file server has to be enabled here.

Florian

On 22.11.2009 14:43, Thanassis Tsiodras wrote:
> Hi, everyone.
>
> I have successfully joined an OpenSolaris box to our company's Win 2003 server domain.
>
> The machine is custom-built; Intel Atom-based (for energy efficiency reasons) with 4GB RAM, and 2x1.5TB drives set as a ZFS mirror. I also updated from 2009.06 to svn_126 (in preparation for joining the final Windows Server 2008 domain controller - apparently I will need the updated SMB server, hence the update).
>
> I have also successfully exported a ZFS samba share from the 1.5TB pool - and Windows machines from the domain can see it, and read/write files inside it. Permissions seem to be OK - I did not use idmap to set custom mappings, since the ephemeral ones seem to do the job just fine. I used "idmap show -c winuser:<account>" to look at the ephemerally mapped UID, and used /bin/chown and /bin/chmod to assign owners and ACLs.
>
> All is well... but I am afraid of something, and wanted to ask here in cifs-discuss before I actually start using this machine as a 'file server' in the domain.
>
> If I use the share from a Windows PC, where a domain user has logged in, the generated folders/files indeed seem to belong to the same user (when reviewed from another machine). The ACLs appear to survive reboots...
>
> Do they? I.e. is this guaranteed?
>
> The idmap documentation I read seems to suggest that even though idmap attempts to retain the same ephemeral UID for the same Windows SID, this is not guaranteed... the UID might change after a reboot of OpenSolaris.
>
> If that is the case, what will happen, permission-wise? If ZFS is storing the ACLs using the (old) UID value prior to the reboot, and a new UID is generated for the same Windows user, he will suddenly lose the ability to access his files, no?
>
> For the machine to play the role of a "Windows" file server, obviously it has to be able to survive reboots - but from what I could gather with Googling, after a reboot the files might end up as owned by 'nobody', since the ephemeral UID may no longer be the same.
>
> What am I missing? Do I have to maintain "manual" idmap mappings between Windows and the box, to guarantee "survival" of ACLs across reboots?
>
> P.S. I also tried "idmap add winuser:* unixuser:*", hoping that it would "magically" mirror the Win users into OpenSolaris.... but /bin/ls -V continues to show the ephemeral UID as owner, not a "magically-made" local user... hence my fear that ZFS is storing these ephemeral UIDs, which might change after a reboot.
>
> Thanks in advance for any help,
>
> Thanassis.
>
> --
> What I gave, I have; what I spent, I had; what I kept, I lost. -Old Epitaph
>
> _______________________________________________
> cifs-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
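The worry in the thread is files on the share whose owner or group is only an ephemeral id rather than a persistently mapped account. The added Python below (not from either poster) audits constructed `ls -l` output for ids in the idmap ephemeral range (which starts at 2^31 on Solaris) and, from a constructed uid-to-Windows-account table standing in for `idmap show` lookups, emits name-based rules in the `idmap add winuser:... unixuser:...` syntax used in the thread; the file names, ids and account names are all made up.

```python
import re

# Solaris idmap hands out ephemeral UIDs/GIDs from 2^31 upwards; any id at or
# above this value has no persistent Unix account behind it.
EPHEMERAL_MIN = 2 ** 31

# Constructed sample `ls -l` output from a ZFS share (numeric ids): two owners
# and one group are ephemeral, 1001/100 is a local account.
SAMPLE_LS = """\
-rw-r--r--   1 2147483650 2147483651     4096 Nov 22 14:43 budget.xlsx
drwxr-xr-x   2 1001       100            4096 Nov 22 14:40 local-docs
-rw-rw----   1 2147483652 2147483651      512 Nov 22 14:45 notes.txt
"""

# Constructed stand-in for resolving an ephemeral uid back to its Windows user.
ID_TO_WINUSER = {"2147483650": "alice@EXAMPLE", "2147483652": "bob@EXAMPLE"}

# mode, nlink, uid, gid, size, month, day, time, path
LS_LINE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def is_ephemeral(ident):
    """True when a numeric uid/gid lies in the idmap ephemeral range."""
    return ident.isdigit() and int(ident) >= EPHEMERAL_MIN


def audit_ephemeral_owners(ls_output):
    """Return [(path, uid, gid)] for entries whose owner or group is ephemeral."""
    flagged = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        _mode, uid, gid, path = m.groups()
        if is_ephemeral(uid) or is_ephemeral(gid):
            flagged.append((path, uid, gid))
    return flagged


def persistent_rules(flagged, id_to_winuser):
    """One name-based `idmap add` rule per distinct ephemeral owner that the
    table can resolve; the Unix name is the Windows name minus its domain."""
    rules = []
    for _path, uid, _gid in flagged:
        win = id_to_winuser.get(uid)
        if win and is_ephemeral(uid):
            rule = "idmap add winuser:%s unixuser:%s" % (win, win.split("@")[0])
            if rule not in rules:
                rules.append(rule)
    return rules
```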
