Quoting Jordan Brown <jordan.br...@oracle.com>:

Michael Anderson wrote:
We're migrating from a BSD Samba/NFS server to OpenSolaris CIFS/NFS,
using a W2k3 AD Server with MS SFU for auth and user database.

What build are you running?

# uname -a
SunOS opensolaris-svn 5.11 snv_111b i86pc i386 i86pc

and

SunOS nexenta2 5.11 NexentaOS_134b i86pc i386 i86pc Solaris

Both have shown the same behavior with regard to id-mapping.


Setting up LDAP with the SFU attributes works fine for NFS, but I cannot
figure out the CIFS side of things. I thought that something like:

svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: msSFU30Name
svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: msSFU30Group

would work, but it does not.


What's interesting is that:

svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring:msSFU30Name
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: msSFU30GidNumber

Seems to work one way:

# idmap get-namemap winuser:vuser1
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.domain.com 600 IN SRV [0][100] bdc2.domain.com:389
AD namemaps for winuser:vuser1
                ->   unixuser:vuser1
                ->   unixgroup:215

and

# idmap get-namemap wingroup:vmware
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.elego.de 600 IN SRV [0][100] bdc1.domain.com:389
AD namemaps for wingroup:vmware
                ->   unixuser:vmware
                ->   unixgroup:11000

but,

# idmap get-namemap unixuser:vuser1
Native ldap namemaps aren't active.
Failed to get namemap info (Invalid argument).

Shouldn't that be resolvable in AD?

and,

# idmap show winuser:vuser1
winuser:vuser1 -> uid:2147491841

returns an ephemeral uid.

[_confused_]


I would indeed expect that to work, but I can't say that I've tried it.
 The first thing that comes to mind as a possible problem is case
sensitivity issues; when I look at my IDMU-based entries msSFU30Name is
in mixed case, and that wouldn't tend to play nice with UNIX name
services.

Name-based mapping works, at least for uids, but would be too cumbersome to maintain in our environment.

Has anybody gotten AD idmapping working with SFU?

Recent emphasis has been on IDMU support using the UID/GID supplied by
IDMU.  (It might work for SFU too, but that wasn't a goal and hasn't
been tested.)  That was delivered in build 124.

I'm pretty sure people have made the ds_name_mapping_enabled support
work with SFU, but that mostly predates my tenure as custodian of idmap.



--
Michael Anderson
IT Services & Support

elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany

phone +49 30 23 45 86 96      michael.anderson at elegosoft.com
fax   +49 30 23 45 86 95      http://www.elegosoft.com

Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin
Amtsgericht Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194
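
Added example, not part of the original message or of the idmap tooling: a small shell check that reads `idmap show` output and flags mappings that fell back to an ephemeral ID, as the uid 2147491841 above did. It assumes the Solaris convention that ephemeral IDs are allocated from 2^31 upward; the function names are hypothetical, and the sample input is constructed (only its first line comes from the thread).

```shell
#!/bin/sh
# Assumption: Solaris idmap allocates ephemeral UIDs/GIDs from 2^31 upward,
# so any mapped ID at or above this value did not come from the directory.
EPHEMERAL_MIN=2147483648

# classify_idmap: reads `idmap show` output on stdin, one mapping per line
# ("winuser:NAME -> uid:N" or "wingroup:NAME -> gid:N").
# Prints a verdict per line; returns 1 if any mapping is ephemeral.
classify_idmap() {
    awk -v min="$EPHEMERAL_MIN" '
        # Only well-formed mapping lines are classified.
        /^win(user|group):[^ ]+ -> (uid|gid):[0-9]+$/ {
            split($3, id, ":")
            if (id[2] + 0 >= min + 0) {
                print "EPHEMERAL " $1 " " $3
                bad = 1
            } else {
                print "DIRECTORY " $1 " " $3
            }
            next
        }
        # Errors and DNS chatter are reported, never silently dropped.
        { print "SKIPPED " $0 }
        END { exit bad + 0 }
    '
}

# Constructed sample: the first line is the result quoted in the thread,
# the remaining lines are made up for illustration.
sample_output() {
    cat <<'EOF'
winuser:vuser1 -> uid:2147491841
winuser:vuser2 -> uid:1215
wingroup:vmware -> gid:11000
Failed to get namemap info (Invalid argument).
EOF
}

# Run with --demo to classify the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_output | classify_idmap || true
fi
```

On a live system the same function can be fed real output, for example `idmap show winuser:vuser1 | classify_idmap`, and its exit status used to fail a post-configuration check.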

