--unixmap-domains 'sirius(10000-20000)' specifies that for the domain SIRIUS, all uid and gids are stored as rfc2307 attributes in the user and group objects in AD. If "id Sirius\\administrator" does not work, that might already point to missing data in AD. The requirement is that the user has a uidNumber defined, and the user's primary group in AD has to have a gidNumber defined. Note that a gidNumber defined for the user is not read by Spectrum Scale at this point. All uidNumber and gidNumber attributes have to fall in the defined range (10000-20000).
If verifying the above points does not help, then a winbindd trace might help to point to the missing step:

    /usr/lpp/mmfs/bin/smbcontrol winbindd debug 10
    id Sirius\\administrator
    /usr/lpp/mmfs/bin/smbcontrol winbindd debug 1

/var/adm/ras/log.winbindd-idmap is the log file for the idmap queries; it might show a failing ldap query in this case.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)

From: "[email protected]" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Date: 02/27/2017 12:41 PM
Subject: [gpfsug-discuss] SMB and AD authentication
Sent by: [email protected]

For some reason, I just can’t seem to get this to work. I have configured my protocol nodes to authenticate to AD using the following

    mmuserauth service create --type ad --data-access-method file --servers 192.168.88.3 --user-name administrator --netbios-name scale --idmap-role master --password ********* --idmap-range-size 1000000 --idmap-range 10000000-299999999 --enable-nfs-kerberos --unixmap-domains 'sirius(10000-20000)'

All goes well, I see the nodes in AD and all of the wbinfo commands show good (id Sirius\\administrator doesn’t work though), but when I try to mount an SMB share (after doing all the necessary mmsmb export stuff) I get permission denied. I’m curious if I missed a step (followed the docs pretty much to the letter). I’m trying Administrator, mark.bush, and a dummy aduser I created. None seem to gain access to the share.

Protocol gurus help! Any ideas are appreciated.

Mark R. Bush | Storage Architect
Mobile: 210-237-8415
Twitter: @bushmr | LinkedIn: /markreedbush
10100 Reunion Place, Suite 500, San Antonio, TX 78216
www.siriuscom.com | [email protected]

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
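The rfc2307 requirements described in the reply can be checked offline against an LDIF export of the user and group objects. The script below is an added example, not part of the original thread and not IBM or Samba code. It assumes the groups were exported with the AD attribute primaryGroupToken, treats the 10000-20000 bounds as inclusive, and uses constructed sample entries under a placeholder DC=sirius,DC=example base.

```python
# Added example; assumes unfolded LDIF, groups exported with primaryGroupToken,
# and an inclusive range. SAMPLE_LDIF is constructed, not from a real directory.
ID_RANGE = (10000, 20000)  # from --unixmap-domains 'sirius(10000-20000)'
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=sirius,DC=example
sAMAccountName: Administrator
primaryGroupID: 513

dn: CN=aduser,CN=Users,DC=sirius,DC=example
sAMAccountName: aduser
uidNumber: 10001
gidNumber: 10500
primaryGroupID: 513

dn: CN=svc1,CN=Users,DC=sirius,DC=example
sAMAccountName: svc1
uidNumber: 10002
primaryGroupID: 1105

dn: CN=Domain Users,CN=Users,DC=sirius,DC=example
primaryGroupToken: 513

dn: CN=storage,CN=Users,DC=sirius,DC=example
primaryGroupToken: 1105
gidNumber: 10100
"""

def parse_ldif(text):
    """Return one attribute dict per blank-line-separated LDIF entry."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in text.strip().split("\n\n")]

def in_range(value):
    return bool(value) and value.isdigit() and ID_RANGE[0] <= int(value) <= ID_RANGE[1]

def check(text):
    """Return {user: (uid_ok, primary_group_gid_ok)}; a gidNumber on the user is ignored."""
    entries = parse_ldif(text)
    groups = {e["primaryGroupToken"]: e for e in entries if "primaryGroupToken" in e}
    report = {}
    for user in (e for e in entries if "primaryGroupID" in e):
        group = groups.get(user["primaryGroupID"], {})
        report[user["sAMAccountName"]] = (
            in_range(user.get("uidNumber")), in_range(group.get("gidNumber")))
    return report

if __name__ == "__main__":
    for name, (uid_ok, gid_ok) in check(SAMPLE_LDIF).items():
        print(f"{name}: uidNumber ok={uid_ok}, primary group gidNumber ok={gid_ok}")
```

In the sample, aduser fails even though a gidNumber is set on the user object, because the primary group (token 513) has none.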
