Hello, I'm attempting to set up an OpenSolaris-based fileserver to serve files over NFS and CIFS, authenticating users from Samba Active Directory using the Solaris CIFS Service:

http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html
The Solaris CIFS service, aka smb/server, is joined to the domain with "smbadm join -u Administrator example.com" and once joined you can query AD users using "idmap show -cV [email protected]". By default, idmapd uses "Ephemeral mapping", so AD users are represented locally by a randomly-chosen, high-numbered uid rather than their actual uid as stored in uidNumber or elsewhere in AD. This is undesirable, so I have reconfigured idmap to use "directory-based mapping" instead:

http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html

This allows me to set some properties in idmap to tell it which AD attribute (CN) to query to find out how to map AD users to local users:

    svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: cn
    svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: cn
    svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: name
    svcadm refresh idmap

At this point smb/server and idmap should be able to look up AD users and map them to a local user whose username is the same as the user's CN field in AD.
I then populate all of the AD users in the local nsswitch database by running "ldapclient" and telling it which AD attributes to map to each property in the nsswitch database:

https://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html

I have two problems, both of which I think may be related to the same underlying issue of not being able to communicate with the Samba DC:

* idmap cannot query users' CN values for "directory-based mapping"
* ldapclient cannot query users to populate the nsswitch database

I think both of these are related to the "sasl/GSSAPI bind" error that I see in the logs:

    ldapclient[11878]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Unable to set value: invalid authenticationMethod (GSSAPI)
    host ldapclient[12192]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Unable to set value: invalid authenticationMethod (GSSAPI)
    host ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
    host ldap_cachemgr[12544]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection using sasl/GSSAPI to dc.example.com:3268
    host ldap_cachemgr[12544]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: GSSAPI bind failed - 82 Local error
    host ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error

After joining this machine with smbadm join, I used to have a valid host Kerberos ticket that I could use to query AD with ldapclient; however, now I need to manually run "kinit" in the console before I can get a Kerberos ticket.

Can someone explain how idmap's directory-based mapping and Kerberos host tickets are supposed to work on Illumos, OpenIndiana or other OpenSolaris forks?
Thanks,
Andrew

------------------------------------------
illumos-discuss Archives: https://illumos.topicbox.com/groups/discuss/discussions/T945f5a11784dfb5d-M05ac83f07324f04f2d21497f
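An added diagnostic script, not from the original post or from illumos, that checks offline the two things the post is chasing: whether idmap is really in directory-based mapping mode (read from "svcprop -p config svc:/system/idmap" style output) and whether libsldap's GSSAPI bind worked or quietly fell back to anonymous, non-SSL LDAP, which leaves name-service lookups unauthenticated and unencrypted. It assumes svcprop's "propname type value" output layout and the log wording quoted above; the sample inputs are constructed from the post.

```shell
#!/bin/sh
# Added example (not the poster's code). Offline checks for the idmap
# directory-based mapping setup and for the libsldap GSSAPI bind outcome.

# Constructed sample of "svcprop -p config svc:/system/idmap" output,
# matching the svccfg setprop commands in the post (assumed layout).
IDMAP_PROPS='config/directory_based_mapping astring name
config/ad_unixuser_attr astring cn
config/ad_unixgroup_attr astring cn'

# Constructed sample: libsldap log entries quoted in the post, one per line.
SAMPLE_LOG='ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
ldap_cachemgr[12544]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection using sasl/GSSAPI to dc.example.com:3268
ldap_cachemgr[12544]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE.'

# prop_value PROPS NAME -> prints the value of config/NAME, empty if unset
prop_value() {
    printf '%s\n' "$1" | awk -v n="config/$2" '$1 == n { print $3 }'
}

# check_idmap_config PROPS -> "ok" when directory_based_mapping is "name"
# and both AD attribute properties are set; otherwise the first bad property
check_idmap_config() {
    [ "$(prop_value "$1" directory_based_mapping)" = "name" ] \
        || { echo directory_based_mapping; return 1; }
    [ -n "$(prop_value "$1" ad_unixuser_attr)" ] \
        || { echo ad_unixuser_attr; return 1; }
    [ -n "$(prop_value "$1" ad_unixgroup_attr)" ] \
        || { echo ad_unixgroup_attr; return 1; }
    echo ok
}

# ldap_bind_verdict LOG -> anonymous_fallback | gssapi_bind_failed | ok
# The fallback case is the one to alert on: lookups then run without
# Kerberos authentication and without TLS.
ldap_bind_verdict() {
    if printf '%s\n' "$1" | grep -q 'Falling back to anonymous'; then
        echo anonymous_fallback
    elif printf '%s\n' "$1" | grep -q 'GSSAPI bind failed'; then
        echo gssapi_bind_failed
    else
        echo ok
    fi
}

# Live use on the fileserver (commented out so the script runs offline):
# check_idmap_config "$(svcprop -p config svc:/system/idmap)"
# ldap_bind_verdict "$(grep libsldap /var/adm/messages)"
```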
