Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates. All
rights reserved.
1. Introduction
1.1. Project/Component Working Name:
idmap show -V mapping trace mechanism
1.2. Name of Document Author/Supplier:
Author: Jordan Brown
1.3. Date of This Document:
09 April, 2010
4. Technical Description
SUMMARY
Provide a mechanism whereby an administrator can examine in
detail the steps used to map a Windows identity to a UNIX
identity, or vice versa.
BACKGROUND
The idmap subsystem provides a mechanism to map Windows
identities to UNIX identities, and vice versa, using a mixture
of hardcoded data, rules, directory-based information, and
algorithms. The "idmap show" command lets the administrator
determine the mapping that results for any given input identity
and which mapping mechanism was finally used, but it does not
reveal, for instance, why the other mapping mechanisms were not
chosen.
PROBLEM
Existing tools do not provide enough information to make it easy
to diagnose why a particular mapping does not yield the expected
result.
PROPOSAL
When requested using "idmap show -V", during each step of the
processing of a mapping, record the state of the mapping
process and a message describing the results of the particular
step. Provide this recorded data as part of the output from
the command.
DETAILS
Add a new "-V" option to idmap show. When specified, this
option causes all significant decision points in the processing
to be recorded and, on completion of the request, reported to
the user.
Sample output:
$ idmap show -cV [email protected]
winuser:[email protected] -> uid:2147491841
Trace:
    winname [email protected] -> unknown - Start mapping
    winname [email protected] -> unixname - Not a well-known account
    winname [email protected] -> unixname - Not a local SID
    winname [email protected] -> unixname - Not found in mapping cache
    winname [email protected] -> unixname - Not found in name cache
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser - AD lookup
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser - No matching rule
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser 2147491841 - Ephemeral mapping
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser 2147491841 - Done
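The following is an added example written for this note, not the Solaris idmap implementation: a small Python model of a mapping pipeline whose decision points each record a snapshot of the mapping state plus a message, in the same shape as the trace above. The step order follows the sample trace; every table, account name, SID and the ephemeral UID base are constructed assumptions. The optional "sink" argument models the variant mentioned under COMMENTS, where every mapping's trace is sent to a service log rather than returned only for "idmap show -V".

```python
"""Model of a name-mapping pipeline with a -V style decision trace.
Illustrative code only; all names, SIDs and tables are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

EPHEMERAL_BASE = 2147483648  # assumed: ephemeral UIDs allocated from 2^31 upward
LOCAL_DOMAIN = "myhost"  # constructed: accounts in this domain are local
WELL_KNOWN = {"everyone": 60001}  # constructed well-known name -> uid
MAPPING_CACHE = {"bob@example.test": 1001}  # constructed winname -> uid
NAME_CACHE: dict = {}  # constructed winname -> SID, empty here
DIRECTORY = {  # constructed winname -> SID, standing in for an AD lookup
    "admin@example.test": "S-1-5-21-1111-2222-3333-500",
    "carol@example.test": "S-1-5-21-1111-2222-3333-1105",
}
RULES = [("carol@example.test", "carol")]  # constructed name-based rules
PASSWD = {"carol": 1002}  # constructed unixname -> uid
_ephemeral = {"next": EPHEMERAL_BASE}  # toy ephemeral-ID allocator


@dataclass
class State:
    """Mapping state; its rendering is captured in every trace entry."""
    winname: str
    src_type: str = "winname"  # becomes "winuser" once the SID is known
    dst_type: str = "unknown"  # "unixname" while searching, "unixuser" once typed
    sid: Optional[str] = None
    unixname: Optional[str] = None
    uid: Optional[int] = None

    def render(self) -> str:
        left = f"{self.src_type} {self.winname}" + (f" {self.sid}" if self.sid else "")
        right = self.dst_type + (f" {self.uid}" if self.uid is not None else "")
        return f"{left} -> {right}"


Step = Callable[[State], Tuple[str, bool]]  # each step returns (message, finished)

def start(s: State):
    return "Start mapping", False

def well_known(s: State):
    s.dst_type = "unixname"
    uid = WELL_KNOWN.get(s.winname.lower())
    if uid is None:
        return "Not a well-known account", False
    s.uid = uid
    return "Well-known account", True

def local_sid(s: State):
    if s.winname.split("@")[-1] != LOCAL_DOMAIN:
        return "Not a local SID", False
    return "Local account, not mapped here", True

def mapping_cache(s: State):
    s.uid = MAPPING_CACHE.get(s.winname)
    return ("Found in mapping cache", True) if s.uid is not None else ("Not found in mapping cache", False)

def name_cache(s: State):
    s.sid = NAME_CACHE.get(s.winname)
    return ("Found in name cache", False) if s.sid else ("Not found in name cache", False)

def ad_lookup(s: State):
    if s.sid is None:
        s.sid = DIRECTORY.get(s.winname)
        if s.sid is None:
            return "Not found in AD", True  # no SID, so no further mapping
    s.src_type, s.dst_type = "winuser", "unixuser"
    return "AD lookup", False

def rule_match(s: State):
    for pattern, unixname in RULES:
        if pattern == s.winname and unixname in PASSWD:
            s.unixname, s.uid = unixname, PASSWD[unixname]
            return f"Rule {pattern} -> {unixname}", True
    return "No matching rule", False

def ephemeral(s: State):
    s.uid, _ephemeral["next"] = _ephemeral["next"], _ephemeral["next"] + 1
    return "Ephemeral mapping", True

STEPS: List[Step] = [start, well_known, local_sid, mapping_cache,
                     name_cache, ad_lookup, rule_match, ephemeral]


def map_identity(winname: str, verbose: bool = False,
                 sink: Optional[Callable[[str], None]] = None):
    """Run the pipeline; return (result line, trace lines). Trace entries are
    kept for the caller only with verbose=True (the -V option); a sink, if
    given, receives every entry regardless, like a service-log destination."""
    s, trace = State(winname), []

    def record(message: str) -> None:
        entry = f"{s.render()} - {message}"
        if verbose:
            trace.append(entry)
        if sink is not None:
            sink(entry)

    for step in STEPS:
        message, finished = step(s)
        record(message)
        if finished:
            break
    if s.uid is not None:
        record("Done")
        return f"winuser:{winname} -> uid:{s.uid}", trace
    return f"winuser:{winname} -> no mapping", trace


if __name__ == "__main__":
    result, trace = map_identity("admin@example.test", verbose=True)
    print(result)
    print("Trace:")
    print("\n".join("    " + line for line in trace))
```

The important design point is that each entry snapshots the state as it stands after the step, so a reader can see not only which mechanism produced the answer but the state each earlier mechanism rejected; the "Done" entry is emitted only when a mapping was actually produced.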
COMMENTS
Implementation note: It is trivial to add or remove these
trace points and easy to add additional data to be recorded.
It is also possible to configure the tool so that all mappings
(not just idmap show requests) will yield trace output, with
the output directed to the SMF service log. However, those
debug mechanisms are as yet private.
DELIVERY VEHICLE
Solaris
RELEASE
Patch
COMMITMENT LEVEL
    -V option                Uncommitted
    Trace points reported    Not-an-interface
    Output format            Not-an-interface
    Data reported            Not-an-interface
In other words, what is committed is that idmap show -V will
produce some sort of human-readable trace output, but nothing of
that output is committed.
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
_______________________________________________
opensolaris-arc mailing list
[email protected]