Frank Cusack wrote:
> What is the difference between winuser: and winname: ? The idmap
> man page has examples that show both uses.
That's a good question. I can't say that I've looked into it, but offhand
I can't think of a reason for the distinction. For UNIX names, the
distinction is important because the same name can be used for a user and
for a group, and the two are different. For Windows names, on the other
hand, a particular name is either a user or a group and there is no ambiguity.
> The man page also says
>
>     If directory-based name mapping is not configured or if configured
>     but not found, then idmapd(1M) will process locally stored
>     name-based mapping rules.
>
> however this is clearly not happening for me. I have disabled
> directory-based mapping yet the local map is still not being used.
>
> # idmap list
> add winuser:*[email protected] unixuser:*
> # idmap get-namemap winuser:frank.cusack
> AD namemaps are not active.
> Failed to get namemap info (Invalid argument).
> #
idmap get-namemap retrieves directory-based name mapping information. It
does *not* do general mapping. What you want is idmap show, along the lines of
# idmap show -cv winuser:frank.cusack unixuser
> The host is joined to the XYZ.COM domain, and I get the same error if I
> append @XYZ.COM to the winuser. Now maybe get-namemap *only*
> retrieves results from the directory, but idmapd itself also appears
> not to be using the local rules, since I can't mount a CIFS share and
> smbd complains that idmap failed. How can I turn on additional debugging
> for idmap?
svccfg -s idmap setprop config/debug = boolean: true
svcadm refresh idmap
then look at /var/svc/log/system-idmap:default.log
However, there's not much debugging output on individual mapping requests.
(Yes, we know this makes it difficult to figure out why you're getting
unexpected mappings and mapping errors.)
> Really I want to use directory-based mapping, but that doesn't seem to
> be working either, so let's start with just rules-based mapping.
If you're having trouble mapping shares, you should start with *no* mapping.
You only need mapping if you want your Windows users to correspond to UNIX
users, so that [email protected] (a Windows user) gets the same
access as fcusack (a UNIX user), so that files created by one are equally
owned by the other, and so on.
Without any explicit mapping, Windows users will be automatically mapped to
"ephemeral" user IDs, which will get mapped back into the Windows identity
at appropriate times. (You might see them as very large, ~2 billion, user
IDs in ls -l output. If you add the "ad" provider to your nsswitch.conf's
passwd and group lines, they'll be translated to u...@domain names.)
I think I see part of the problem back in one of your older messages. I'll
reply back in that thread.
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
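The mapping order this thread turns on (directory-based mapping first, then the locally stored name-based rules, then an ephemeral ID when nothing applies) is easier to reason about with a runnable model. The following is an added example, not code from the thread or from idmapd. Everything in it is constructed: the sample UNIX accounts, the XYZ.COM rules, the rule that exact Windows names take precedence over wildcard rules, the fallback to an ephemeral ID when a matched rule names a UNIX account that does not exist, and the ephemeral base of 2**31 (chosen to match the "about 2 billion" remark above). It also carries the check a practitioner would want before leaving a rule like `winuser:*@XYZ.COM unixuser:*` in place: which local UNIX accounts, root included, a same-named domain account would inherit unless a more specific deny rule blocks it.

```python
"""Toy model of the idmap name-resolution order discussed in the thread.

Added example, not code from cifs-discuss or from idmapd. Assumptions:
exact rules win over wildcard rules, a matched rule whose UNIX account
does not exist falls back to an ephemeral ID, ephemeral IDs start at 2**31.
"""
import itertools
from dataclasses import dataclass

# Constructed sample UNIX accounts (name -> id); not a real passwd/group file.
UNIX_USERS = {"root": 0, "fcusack": 1001, "frank.cusack": 1002}
UNIX_GROUPS = {"staff": 10, "fcusack": 1001}

# Constructed directory-based mapping (what AD attributes would answer).
# Left empty: the "not configured" case reported in the thread.
DIRECTORY_MAP = {}

EPHEMERAL_BASE = 2 ** 31          # assumption, matches "~2 billion" in the reply
_ephemeral_ids = itertools.count(EPHEMERAL_BASE)
_ephemeral_by_identity = {}


@dataclass(frozen=True)
class Rule:
    win_kind: str    # winuser | wingroup | winname
    win_name: str    # name@DOMAIN or *@DOMAIN
    unix_kind: str   # unixuser | unixgroup | unixname
    unix_name: str   # explicit name, "*" (same name as Windows side) or "" (deny)


def parse_rule(line):
    """Parse one `idmap list` line such as 'add winuser:*@XYZ.COM unixuser:*'."""
    verb, win, unix = line.split()
    if verb != "add":
        raise ValueError("unexpected rule line: %r" % line)
    win_kind, win_name = win.split(":", 1)
    unix_kind, unix_name = unix.split(":", 1)
    return Rule(win_kind, win_name, unix_kind, unix_name.strip('"'))


def _exact_first(rule):
    # Sort key: exact Windows names before wildcard rules (model assumption).
    return 1 if rule.win_name.startswith("*@") else 0


def _ephemeral(kind, full_name):
    key = "%s:%s" % (kind, full_name.lower())   # Windows names are case-insensitive
    if key not in _ephemeral_by_identity:
        _ephemeral_by_identity[key] = next(_ephemeral_ids)
    return ("ephemeral", key, _ephemeral_by_identity[key])


def is_ephemeral(uid):
    return uid >= EPHEMERAL_BASE


def resolve(win_identity, rules):
    """Map 'winuser:name@DOMAIN' or 'wingroup:name@DOMAIN' to a UNIX identity.

    Returns (unix_kind, unix_name, id) for a name mapping, or
    ('ephemeral', key, id) when no usable mapping exists.
    """
    kind, full_name = win_identity.split(":", 1)
    name, _, domain = full_name.partition("@")
    wanted_kind = "unixuser" if kind == "winuser" else "unixgroup"
    db = UNIX_USERS if kind == "winuser" else UNIX_GROUPS

    # 1. Directory-based mapping is consulted first.
    target = DIRECTORY_MAP.get("%s:%s" % (kind, full_name.lower()))
    if target in db:
        return (wanted_kind, target, db[target])

    # 2. Locally stored name-based rules; the first match decides.
    for rule in sorted(rules, key=_exact_first):
        if rule.win_kind not in (kind, "winname"):
            continue                      # winuser: rules never touch groups
        rule_name, _, rule_domain = rule.win_name.partition("@")
        if rule_domain.lower() != domain.lower():
            continue
        if rule_name != "*" and rule_name.lower() != name.lower():
            continue
        if rule.unix_kind not in (wanted_kind, "unixname"):
            continue
        if rule.unix_name == "":
            break                         # explicit deny rule: no name mapping
        target = name if rule.unix_name == "*" else rule.unix_name
        if target in db:
            return (wanted_kind, target, db[target])
        break                             # matched, but no such UNIX account

    # 3. Otherwise an ephemeral ID, stable for the lifetime of this process.
    return _ephemeral(kind, full_name)


def unix_users_reachable_by_wildcard(rules):
    """Audit: UNIX users that a same-named domain account would become under
    the wildcard rules in `rules`, after any deny rules are applied."""
    reachable = set()
    for rule in rules:
        if (rule.win_kind in ("winuser", "winname")
                and rule.win_name.startswith("*@") and rule.unix_name == "*"):
            domain = rule.win_name[2:]
            for user in UNIX_USERS:
                kind, _, _ = resolve("winuser:%s@%s" % (user, domain), rules)
                if kind == "unixuser":
                    reachable.add(user)
    return reachable


# Rules as `idmap list` would print them: the wildcard rule from the thread
# plus a constructed deny rule for root.
RULES = [parse_rule(line) for line in (
    "add winuser:*@XYZ.COM unixuser:*",
    'add winuser:root@XYZ.COM unixuser:""',
)]

if __name__ == "__main__":
    for ident in ("winuser:frank.cusack@XYZ.COM", "winuser:root@XYZ.COM",
                  "wingroup:fcusack@XYZ.COM", "winuser:frank.cusack@OTHER.COM"):
        print(ident, "->", resolve(ident, RULES))
    print("reachable via wildcard:", sorted(unix_users_reachable_by_wildcard(RULES)))
```

Running it shows the two distinctions discussed above in one place: a `winuser:` rule leaves `wingroup:fcusack@XYZ.COM` on an ephemeral ID even though a UNIX group of that name exists, while a `winname:*@XYZ.COM unixname:*` rule maps both the user and the group; and the audit function lists every UNIX user the wildcard rule hands out, which is the reason the reply suggests starting with no mapping at all and adding explicit rules only for the correspondences you actually want.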