On 08/29/11 12:16, Marc Bevand wrote:
As Jordan concluded, not having a Unix account "myuser" is officially
unsupported, and my strange observation is explained by the fact there
_is_ a code path (affecting both tmpfs and ZFS, but Jordan did not say
where exactly) mapping myu...@example.com to nobody.

I didn't say because it didn't seem like it'd be a useful piece of information, but it's in the macro VOPXID_MAP_CR in usr/src/uts/common/fs/vnode.c, used in quite a number of file-oriented operations. It uses a dummy "nobody" credential when the file system in question doesn't advertise support for SIDs and the process credential has a SID.

I wish Oracle would
fix this. In the mean time I can live with having to create the local
Unix account to prevent files owned by nobody.

As Nico said, we'd like to fix it too - or, rather, we'd like to add the feature of allowing Windows users to log in - but there's a bunch of issues and it just hasn't made it to the top of the stack.

Note that if you're careful you can configure your system to use your AD server as its UNIX LDAP server, which brings you closer to being able to support these users without manually creating UNIX users.

With that explained, what about NFS (I use that too)? To summarize the
tests I ran (when there is no Unix account "myuser"):

1. A file created remotely via CIFS (as myu...@example.com) ends up
owned by myu...@example.com (good, as supported)

Yes.

2. A file created locally (after su - myu...@example.com) ends up owned by 
nobody
(unsupported scenario; caused by the code path mentioned by Jordan; but
creating a Unix account myuser makes the file owned by myuser)

Yes, this is what we've been discussing.

3. A file created remotely via NFSv4 (by a Kerberized NFS client authenticated 
as
myu...@example.com) ends up owned by nobody instead of
myu...@example.com (but creating a Unix account myuser makes the file
owned by myuser)

What explains #3? Is this a supported scenario? I assume not, given that
the same workaround (creating a Unix account myuser) is required to
prevent files owned by nobody.

Is example.com your AD domain?

If so, I believe this is intended to work, but I can't say that it's been exercised as much as one might like.

Also: if your NFSv4 domain has the same name as your AD domain, there's a conflict of sorts. Names in that domain will be interpreted as UNIX names (rather than as AD names) and so if they don't exist in the UNIX namespace it's an error and they turn into "nobody".
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss

Reply via email to