After a long delay (for which I apologize) I wanted to ask: Did you figure this out? We've tested "smbadm join" with recent Samba AD servers and it worked OK for us.
On Wed, Oct 11, 2017 at 6:09 PM, Andrew Martin <[email protected]> wrote:
> Hello,
>
> I'm attempting to set up an OpenSolaris-based fileserver to serve
> files over NFS and CIFS, authenticating users from Samba Active
> Directory using the Solaris CIFS Service:
> http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html
>
> The Solaris CIFS service, aka smb/server, is joined to the domain
> with "smbadm join -u Administrator example.com" and once joined you
> can query AD users using "idmap show -cV [email protected]". By
> default, idmapd uses "Ephemeral mapping", so AD users are represented
> locally by a randomly-chosen, high-numbered uid rather than their
> actual uid as stored in uidNumber or elsewhere in AD. This is
> undesirable, so I have reconfigured idmap to use
> "directory-based mapping" instead:
> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
>
> This allows me to set some properties in idmap to tell it which AD
> attribute (CN) to query to find out how to map AD users to local users:
> svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: cn
> svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: cn
> svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: name
> svcadm refresh idmap
>
> At this point smb/server and idmap should be able to look up AD users and
> map them to a local user whose username is the same as the user's CN field
> in AD.
>
> I then populate all of the AD users in the local nsswitch database
> by running "ldapclient" and telling it which AD attributes to map to each
> property in the nsswitch database:
> https://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html
>
> I have two problems, both of which I think may be related to the same
> underlying issue of not being able to communicate with the Samba DC:
> * idmap cannot query users' CN values for "directory-based mapping"
> * ldapclient cannot query users to populate the nsswitch database
>
> I think both of these are related to the "sasl/GSSAPI bind" error that
> I see in the logs:
> ldapclient[11878]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Unable to set value: invalid authenticationMethod (GSSAPI)
> host ldapclient[12192]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Unable to set value: invalid authenticationMethod (GSSAPI)
> host ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
> host ldap_cachemgr[12544]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection using sasl/GSSAPI to dc.example.com:3268
> host ldap_cachemgr[12544]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: GSSAPI bind failed - 82 Local error
> host ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
>
> After joining this machine with smbadm join, I used to have a valid
> host Kerberos ticket that I could use to query AD with ldapclient;
> however, now I need to manually run "kinit" in the console before I
> can get a Kerberos ticket. Can someone explain how idmap's
> directory-based mapping and Kerberos host tickets are supposed to work
> on Illumos, OpenIndiana or other OpenSolaris forks?
>
> Thanks,
> Andrew

------------------------------------------
illumos-discuss Archives: https://illumos.topicbox.com/groups/discuss/discussions/T945f5a11784dfb5d-M8fbe0f6e9893764dd76c3af7
Powered by Topicbox: https://topicbox.com
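Added example, not part of the thread or of any illumos tool: a small parser over libsldap syslog lines of the kind quoted in the post above. The message texts are copied from the post; the timestamps, the hostname "fs1" and the final informational line are constructed so the sample runs offline. The point worth automating is the last warning in the quoted log: when the sasl/GSSAPI bind to the DC fails, libsldap falls back to an anonymous, non-SSL connection for the RootDSE query, so a lookup that was meant to be authenticated and integrity-protected is silently retried in the clear. The script classifies the failed binds, records the "82 Local error" minor code and the DC target, and raises a single "downgraded" flag a monitoring job can alert on.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: message bodies are taken from the post; the
# "Oct 11 ..." timestamps, host "fs1" and the last (unrelated) line are made up.
LOG = """\
Oct 11 17:52:03 fs1 ldapclient[11878]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Unable to set value: invalid authenticationMethod (GSSAPI)
Oct 11 17:55:41 fs1 ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
Oct 11 17:55:41 fs1 ldap_cachemgr[12544]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection using sasl/GSSAPI to dc.example.com:3268
Oct 11 17:55:41 fs1 ldap_cachemgr[12544]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: GSSAPI bind failed - 82 Local error
Oct 11 17:55:42 fs1 ldap_cachemgr[12544]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error
Oct 11 17:56:00 fs1 ldap_cachemgr[12544]: [ID 111111 daemon.info] libsldap: unrelated informational message (constructed)
"""

# Solaris/illumos syslog shape:
#   "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: [ID <msgid> <facility>.<severity>] <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) "
    r"(?P<fac>\w+)\.(?P<sev>\w+)\] (?P<msg>.*)$"
)
# "GSSAPI bind failed - <minor code> <text>" as libsldap prints it
BIND_ERR_RE = re.compile(r"GSSAPI bind failed - (?P<code>\d+) (?P<text>.+?)\s*$")
TARGET_RE = re.compile(r"failed to open connection using sasl/GSSAPI to (?P<target>\S+)")


@dataclass
class Event:
    prog: str
    severity: str
    msg: str
    tag: str
    detail: dict = field(default_factory=dict)


def parse_syslog_line(line):
    """Split one syslog line into its fields; None if it is not in the expected shape."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(msg):
    """Map a libsldap message to a tag plus extracted detail; (None, {}) if uninteresting.

    The downgrade is checked first: that line also carries the bind error text,
    and the downgrade is the more important fact about it."""
    if "Falling back to anonymous, non-SSL mode" in msg:
        e = BIND_ERR_RE.search(msg)
        detail = {"bind_error": (int(e["code"]), e["text"])} if e else {}
        return "anonymous_downgrade", detail
    e = BIND_ERR_RE.search(msg)
    if e:
        return "gssapi_bind_failed", {"bind_error": (int(e["code"]), e["text"])}
    t = TARGET_RE.search(msg)
    if t:
        return "sasl_connect_failed", {"target": t["target"]}
    if "invalid authenticationMethod" in msg:
        return "invalid_auth_method", {}
    return None, {}


def analyze(text):
    """Return the libsldap events of interest found in a block of syslog text."""
    events = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if not rec or not rec["msg"].startswith("libsldap:"):
            continue
        tag, detail = classify(rec["msg"])
        if tag:
            events.append(Event(rec["prog"], rec["sev"], rec["msg"], tag, detail))
    return events


def summarize(events):
    """Aggregate events into counts, DC targets, distinct bind errors and a downgrade flag."""
    counts = Counter(ev.tag for ev in events)
    targets = sorted({ev.detail["target"] for ev in events if "target" in ev.detail})
    bind_errors = sorted({ev.detail["bind_error"] for ev in events if "bind_error" in ev.detail})
    return {
        "counts": dict(counts),
        "targets": targets,
        "bind_errors": bind_errors,
        # The condition worth alerting on: an authenticated GSSAPI bind was
        # replaced by an anonymous bind over a non-SSL connection.
        "downgraded": counts["anonymous_downgrade"] > 0,
    }


if __name__ == "__main__":
    for ev in analyze(LOG):
        print(f"{ev.prog:14} {ev.severity:8} {ev.tag:20} {ev.detail}")
    print(summarize(analyze(LOG)))
```

On a real system the same functions can be fed the output of `tail -F /var/adm/messages` (or wherever syslog.conf sends daemon.* on the box); the regexes only assume the standard Solaris message prefix, and any line that does not match is skipped rather than guessed at.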
