Re: [cifs-discuss] idmap and SFU

Thu, 20 May 2010 11:44:47 -0700 

Michael Anderson wrote:

What's interesting, is that:
svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring:msSFU30Name svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: msSFU30GidNumber 

Seems to work one way:

# idmap get-namemap winuser:vuser1
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.domain.com 600 IN SRV [0][100] bdc2.domain.com:389 
AD namemaps for winuser:vuser1
        ->    unixuser:vuser1
        ->    unixgroup:215

and

# idmap get-namemap wingroup:vmware
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.elego.de 600 IN SRV [0][100] bdc1.domain.com:389 
AD namemaps for wingroup:vmware
        ->    unixuser:vmware
        ->    unixgroup:11000

but,

# idmap get-namemap unixuser:vuser1
Native ldap namemaps aren't active.
Failed to get namemap info (Invalid argument).

Shouldn't that be resolvable in AD?
OK, first: get-namemap and set-namemap don't actually do mapping. They get and set directory-based mapping data. That's only one input to the mapping process. To actually test the mappings you need idmap show.
Second: Again, they don't do mapping. For "AD mode", there are UNIX-name entries in the AD record, and those entries are used for both directions. Get-namemap on a Windows name retrieves the UNIX entries in a specified AD record. On the other hand, for "Native LDAP" mode there are Windows-name entries in a generic LDAP record, and get-namemap on a UNIX name retrieves those entries. 


and,

# idmap show winuser:vuser1
winuser:vuser1 -> uid:2147491841

returns an epemeral uid.

[_confused_]


So mapping isn't working.
I believe that the problem is that msSFU30Name isn't exported to the Global Catalog, and the directory-based name mapping stuff requires that the data be visible in the Global Catalog.
Here's an article that says how to make an attribute visible in the Global Catalog: 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248717
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss

Reply via email to