Quoting Jordan Brown <jordan.br...@oracle.com>:

Michael Anderson wrote:
What's interesting, is that:

svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring:msSFU30Name
svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: msSFU30GidNumber

Seems to work one way:

# idmap get-namemap winuser:vuser1
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.domain.com 600 IN SRV [0][100] bdc2.domain.com:389
AD namemaps for winuser:vuser1
       ->    unixuser:vuser1
       ->    unixgroup:215

and

# idmap get-namemap wingroup:vmware
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.domain.com 600 IN SRV [0][100] bdc1.domain.com:389
AD namemaps for wingroup:vmware
       ->    unixuser:vmware
       ->    unixgroup:11000

but,

# idmap get-namemap unixuser:vuser1
Native ldap namemaps aren't active.
Failed to get namemap info (Invalid argument).

Shouldn't that be resolvable in AD?

OK, first:  get-namemap and set-namemap don't actually do mapping.
They get and set directory-based mapping data.  That's only one input
to the mapping process.  To actually test the mappings you need idmap
show.

Second:  Again, they don't do mapping.  For "AD mode", there are
UNIX-name entries in the AD record, and those entries are used for both
directions.  Get-namemap on a Windows name retrieves the UNIX entries
in a specified AD record.  On the other hand, for "Native LDAP" mode
there are Windows-name entries in a generic LDAP record, and
get-namemap on a UNIX name retrieves those entries.


So, this means that the entries are being found in the directory, but for some reason aren't being or can't be used for mapping - is that correct?

and,

# idmap show winuser:vuser1
winuser:vuser1 -> uid:2147491841

returns an ephemeral uid.

[_confused_]

So mapping isn't working.

I believe that the problem is that msSFU30Name isn't exported to the
Global Catalog, and the directory-based name mapping stuff requires
that the data be visible in the Global Catalog.

Here's an article that says how to make an attribute visible in the
Global Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248717

Hmm, I tried that, but it didn't seem to help.

I'm wondering if I should extend the AD schema as described in the CIFS docs. Although it would seem redundant, since the desired data is already in the SFU extensions.

Thanks for all the assistance. Very helpful.
--
Michael Anderson
IT Services & Support

elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany

phone +49 30 23 45 86 96      michael.anderson at elegosoft.com
fax   +49 30 23 45 86 95      http://www.elegosoft.com

Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin
Amtsgericht Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194
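Added example, not part of the thread and not Oracle's code: the exchange above turns on the distinction between get-namemap (which only reads the directory entries) and idmap show (which reports the mapping actually in effect), and on recognising that uid:2147491841 is an ephemeral ID, i.e. the directory data was not used. This script parses idmap show output and flags every mapping that landed in the ephemeral range, so a fall-through is noticed rather than mistaken for a working directory-based mapping. The sample output lines are constructed to resemble the ones quoted above; run_idmap_show is a hypothetical helper for use on a real host and is not called by default.

```python
"""
Classify `idmap show` results and flag ephemeral IDs.

Solaris/OpenSolaris idmap allocates ephemeral UIDs and GIDs from the range
2^31 .. 2^32-2. A directory-based (AD-mode or native-LDAP-mode) mapping, or
a local passwd/group entry, yields an ID below that range. Seeing an ID in
the ephemeral range after configuring ds_name_mapping_enabled therefore
means the directory data was found but not applied (or not visible, e.g.
not replicated to the Global Catalog).
"""
import re
import subprocess
from typing import NamedTuple

EPHEMERAL_MIN = 1 << 31          # 2147483648
EPHEMERAL_MAX = (1 << 32) - 2    # 4294967294

# Matches the result line of `idmap show`, e.g. "winuser:vuser1 -> uid:2147491841".
LINE_RE = re.compile(r'^(?P<src>\S+)\s+->\s+(?P<kind>uid|gid):(?P<id>\d+)\s*$')


class Mapping(NamedTuple):
    source: str      # e.g. "winuser:vuser1" or "wingroup:vmware"
    kind: str        # "uid" or "gid"
    ident: int
    ephemeral: bool


def is_ephemeral(ident: int) -> bool:
    """True if the ID lies in idmap's ephemeral allocation range."""
    return EPHEMERAL_MIN <= ident <= EPHEMERAL_MAX


def parse_idmap_show(text: str) -> list:
    """Parse one or more `idmap show` result lines; other lines are ignored."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # DNS/SRV chatter, error text, blank lines
        ident = int(m.group('id'))
        mappings.append(Mapping(m.group('src'), m.group('kind'),
                                ident, is_ephemeral(ident)))
    return mappings


def check_mappings(text: str) -> list:
    """One finding string per mapping that fell through to an ephemeral ID."""
    findings = []
    for mp in parse_idmap_show(text):
        if mp.ephemeral:
            findings.append(
                f"{mp.source} -> {mp.kind}:{mp.ident} is EPHEMERAL; "
                f"directory-based mapping was not applied")
    return findings


def run_idmap_show(name: str) -> str:
    """Hypothetical helper: run `idmap show NAME` on a real Solaris host."""
    proc = subprocess.run(['idmap', 'show', name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample resembling the thread's output plus a healthy mapping.
SAMPLE_OUTPUT = """\
winuser:vuser1 -> uid:2147491841
wingroup:vmware -> gid:11000
winuser:alice -> uid:10042
"""

if __name__ == "__main__":
    for finding in check_mappings(SAMPLE_OUTPUT):
        print(finding)
    # On a real host one would instead do:
    #   print(check_mappings(run_idmap_show("winuser:vuser1")))
```

The check is deliberately conservative: only lines that match the result format are classified, so an `idmap show` error such as the "Invalid argument" quoted above is neither counted as a success nor as an ephemeral hit.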


_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss