[ Accumulating responses to several messages ]

Frank wrote:
> For idmap, why isn't simply using rfc2307 a strategy? Adding some wonky
> attribute such as unixUserName just doesn't make sense to me. My windows
> users already possess a complete rfc2307 attribute set and use that to
> get unix rights when logging in.

There's no problem with setting the directory-based mapping parameters to
use existing (RFC 2307 or otherwise) attributes. You don't need to create
new attributes.

Alan wrote:
> The only time you need a local UNIX group is when you want to
> create a local SMB group on the OpenSolaris box. smbadm will not
> let you create the SMB group unless a UNIX group already exists
> by the same name.

Well, and when you want a Windows group to correspond to some existing UNIX
group.

Frank wrote:
> svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
> svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: uid
> svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: gid

The RFC 2307 attribute for group name is "cn", not "gid". RFC 2307 does
not define the attribute "gid". (I suspect that there is a sordid history
there, probably starting with X.500 using "uid" to refer to a username,
while UNIX would rather use that to refer to a UNIX numeric user id.)

> # idmap get-namemap frank.cusack
> No identity type determined.

This is a command parsing error. (Yes, it is a simply awful message. I've
filed 6915792.) It is complaining that it cannot tell what kind of name
you have given it, whether it is a Windows name that should be assumed to
be in the default domain or a UNIX name.

Try

    # idmap get-namemap winname:frank.cusack

> My unix usernames and windows usernames are identical, so I could just
> try to use the one-to-one rule-based mapping as documented but I'd like
> to have the flexibility of windows users that don't have rfc2307
> attributes being refused cifs service.

We won't refuse them service. They just won't be mapped to UNIX users;
their Windows identity will be used. Any authenticated Windows user (and,
in some configurations, unauthenticated ones) can get basic access to the
CIFS server. Use share and file system ACLs to control which users get
what kind of access.
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
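
The attribute correction discussed in the message above, as an added example that is not part of the original thread: a small lint for the three idmap properties, assuming an RFC 2307 schema and input in the `<property> <type> <value>` layout that `svcprop` prints. The function name `lint_idmap_namemap` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint idmap directory-based
# name-mapping settings against the RFC 2307 naming attributes.
# Assumption: stdin carries "<property> <type> <value>" lines, the
# layout printed by `svcprop -p config svc:/system/idmap`.

lint_idmap_namemap() {
    awk '
    # Report a name-mapping attribute that cannot hold a UNIX name.
    function check(prop, val, want) {
        if (val == "" || val == "\"\"")
            printf "%s: not set\n", prop
        else if (val == "uidNumber" || val == "gidNumber")
            printf "%s: %s holds a numeric id, not a name\n", prop, val
        else if (val == "gid")
            printf "%s: gid is not an RFC 2307 attribute, use %s\n", prop, want
    }
    $1 == "config/ds_name_mapping_enabled" { enabled = $3 }
    $1 == "config/ad_unixuser_attr"        { user = $3 }
    $1 == "config/ad_unixgroup_attr"       { group = $3 }
    END {
        if (enabled != "true")
            print "config/ds_name_mapping_enabled: directory-based mapping is off"
        check("config/ad_unixuser_attr", user, "uid")
        check("config/ad_unixgroup_attr", group, "cn")
    }'
}

# Constructed samples: the values posted in the thread, then the fix.
AS_POSTED='config/ds_name_mapping_enabled boolean true
config/ad_unixuser_attr astring uid
config/ad_unixgroup_attr astring gid'

CORRECTED='config/ds_name_mapping_enabled boolean true
config/ad_unixuser_attr astring uid
config/ad_unixgroup_attr astring cn'

echo "as posted:"; printf '%s\n' "$AS_POSTED" | lint_idmap_namemap
echo "corrected:"; printf '%s\n' "$CORRECTED" | lint_idmap_namemap
```

Custom attributes such as unixUserName pass the lint untouched, since directory-based mapping accepts non-RFC 2307 attributes as well.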