On January 11, 2010 11:37:28 AM -0800 Jordan Brown <[email protected]> wrote:
> The RFC 2307 attribute for group name is "cn", not "gid".

Yep, my mistake.  [quick double check ...] my config is ok, I just
misremembered the attribute name.

On January 11, 2010 11:48:38 AM -0800 Jordan Brown <[email protected]> wrote:
> idmap get-namemap retrieves directory-based name mapping information.  It
> does *not* do general mapping.  What you want is idmap show, along the
> lines of
>
> # idmap show -cv winuser:frank.cusack unixuser

That is helpful.  But then why doesn't this produce the result I want:

 # idmap list
 add     winuser:*[email protected]      unixuser:*
 # idmap show -cv winuser:frank.cusack unixuser
 winuser:frank.cusack -> uid:60001
 Error:  No AD servers
 # id frank.cusack
 uid=501(frank.cusack) gid=500(staff) groups=500(staff)

Note that the result of 'id' is coming from ldap (via nsswitch) querying
AD, binding anonymously.

a) idmap is not mapping to the unix uid associated with the username
b) idmap *is* mapping to some uid, yet I cannot mount the share

> If you're having trouble mapping shares, you should start with *no*
> mapping.
>
> You only need mapping if you want your Windows users to correspond to
> UNIX users, so that [email protected] (a Windows user) gets the
> same access as fcusack (a UNIX user), so that files created by one are
> equally owned by the other, and so on.
>
> Without any explicit mapping, Windows users will be automatically mapped
> to "ephemeral" user IDs, which will get mapped back into the Windows
> identity at appropriate times.  (You might see them as very large, ~2
> billion, user IDs in ls -l output.  If you add the "ad" provider to your
> nsswitch.conf's passwd and group lines, they'll be translated to
> u...@domain names.)

Ephemeral meaning: won't be persistent across reboots?  That's ok as
long as files created get ACLs associated with the user's name/groups
and not with these ephemeral uids (or do we have to say uidNumbers, ugh).
But since it's easy enough to have a unix uid associated with all windows
users, I'd much prefer to have a mapping to a persistent uid.

I didn't try the "ad" provider since ldap is working fine otherwise.  How
would the ad provider be able to map ephemeral uids though?

-frank
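The two resolution paths discussed above (a name-based rule such as `winuser:*@domain -> unixuser:*` followed by a passwd lookup through nsswitch, versus the ephemeral-ID fallback when no persistent mapping applies) can be modelled in a few lines. The following is an added example written for this thread, not code from the thread or from the Solaris idmap implementation: the domain name, the passwd entries, the single mapping rule and the ephemeral ID range (assumed to start at 2^31, which is the "~2 billion" figure mentioned) are all constructed, and the default-domain handling is an assumption about how a bare `winuser:name` gets qualified.

```python
"""Toy model of idmap name-based mapping vs. ephemeral fallback (added example)."""
import itertools
import re

DEFAULT_DOMAIN = "example.com"     # assumption: the domain the host is joined to
EPHEMERAL_BASE = 2 ** 31           # assumption: ephemeral IDs start near 2 billion
_ephemeral_ids = itertools.count(EPHEMERAL_BASE)

# Constructed: what a passwd lookup through nsswitch (here backed by LDAP) would answer.
PASSWD = {"frank.cusack": 501, "fcusack": 501}

# Constructed: rules in the shape `idmap list` prints them, as (winuser, unixuser) pairs.
RULES = [("winuser:*@example.com", "unixuser:*")]


def qualify(winuser):
    """Turn 'frank.cusack' into 'frank.cusack@example.com' so a domain-qualified rule can match."""
    return winuser if "@" in winuser else f"{winuser}@{DEFAULT_DOMAIN}"


def match_rule(winuser, rules):
    """Return the UNIX name the first matching name-based rule selects, or None."""
    full = qualify(winuser)
    for win_pat, unix_pat in rules:
        pat = win_pat[len("winuser:"):]
        # '*' on the Windows side captures the bare user name; everything else is literal.
        regex = re.escape(pat).replace(r"\*", r"(?P<name>[^@]+)")
        m = re.fullmatch(regex, full, re.IGNORECASE)
        if m:
            return unix_pat[len("unixuser:"):].replace("*", m.group("name"))
    return None


def resolve(winuser, rules=RULES, passwd=PASSWD):
    """Map a Windows user to (uid, how); 'how' records which path produced the uid."""
    unix_name = match_rule(winuser, rules)
    if unix_name is None:
        return next(_ephemeral_ids), "ephemeral (no rule matched)"
    if unix_name not in passwd:
        return next(_ephemeral_ids), f"ephemeral (rule chose {unix_name!r}, not in passwd)"
    return passwd[unix_name], f"rule -> {unix_name} -> passwd"


def is_ephemeral(uid):
    """Ephemeral IDs are not persistent; anything at or above the base is treated as one."""
    return uid >= EPHEMERAL_BASE


_ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\)")


def uid_from_id_output(line):
    """Extract the uid from a line like 'uid=501(frank.cusack) gid=500(staff) groups=500(staff)'."""
    m = _ID_RE.search(line)
    return int(m.group(1)) if m else None


def compare(idmap_uid, id_line):
    """Classify what `idmap show` returned against what `id` reports for the same person."""
    if is_ephemeral(idmap_uid):
        return "ephemeral"       # no persistent mapping is in effect for this user
    if idmap_uid == uid_from_id_output(id_line):
        return "consistent"      # mapping and nsswitch agree on the uid
    return "disagree"            # a persistent uid was chosen, but not the passwd one


if __name__ == "__main__":
    for user in ("frank.cusack", "bob@other.org"):
        uid, how = resolve(user)
        print(f"{user:20} -> uid {uid} ({how}; ephemeral={is_ephemeral(uid)})")
    print(compare(60001, "uid=501(frank.cusack) gid=500(staff) groups=500(staff)"))
```

`compare` reproduces the check behind the thread's puzzle: a uid from `idmap show` that is neither ephemeral nor equal to the uid `id` reports means the rule fired but the name was resolved to a different uid than nsswitch gives, which is the condition worth chasing before touching share permissions.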
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
