Can I get a +1, please?

Jordan Brown wrote:
Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.

1. Introduction
    1.1. Project/Component Working Name:
         idmap show -V mapping trace mechanism
    1.2. Name of Document Author/Supplier:
         Author: Jordan Brown
    1.3  Date of This Document:
         09 April, 2010

4. Technical Description

SUMMARY

    Provide a mechanism whereby an administrator can examine in detail
    the steps used to map a Windows identity to a UNIX identity, or vice
    versa.

BACKGROUND

    The idmap subsystem provides a mechanism to map Windows identities
    to UNIX identities, and vice versa, using a mixture of hardcoded
    data, rules, directory-based information, and algorithms.

    The "idmap show" command allows the administrator to determine the
    mapping resulting for any given input identity and to determine the
    mapping mechanism finally used, but does not reveal, for instance,
    why other mapping mechanisms were not chosen.

PROBLEM

    Existing tools do not provide enough information to enable easily
    diagnosing why a particular mapping does not yield the expected
    result.

PROPOSAL

    When requested using "idmap show -V", during each step of the
    processing of a mapping, record the state of the mapping process and
    a message describing the results of the particular step. Provide
    this recorded data as part of the output from the command.

DETAILS

    Add a new "-V" option to idmap show. When specified, this option
    causes all significant decision points in the processing to be
    recorded and, on completion of the request, reported to the user.

    Sample output:

    $ idmap show -cV [email protected]
    winuser:[email protected] -> uid:2147491841
    Trace:
    winname [email protected] -> unknown - Start mapping
    winname [email protected] -> unixname - Not a well-known account
    winname [email protected] -> unixname - Not a local SID
    winname [email protected] -> unixname - Not found in mapping cache
    winname [email protected] -> unixname - Not found in name cache
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser - AD lookup
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser - No matching rule
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser 2147491841 - Ephemeral mapping
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-500 -> unixuser 2147491841 - Done

COMMENTS

    Implementation note: It is trivial to add or remove these trace
    points and easy to add additional data to be recorded.

    It is also possible to configure the tool so that all mappings (not
    just idmap show requests) will yield trace output, with the output
    directed to the SMF service log. However, those debug mechanisms are
    as yet private.

DELIVERY VEHICLE

    Solaris

RELEASE

    Patch

COMMITMENT LEVEL

    -V option                Uncommitted
    Trace points reported    Not-an-interface
    Output format            Not-an-interface
    Data reported            Not-an-interface

    In other words, what is committed is that idmap show -V will produce
    some sort of human-readable trace output, but nothing of that output
    is committed.

6. Resources and Schedule
    6.4. Steering Committee requested information
        6.4.1. Consolidation C-team Name:
               ON
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open

_______________________________________________
opensolaris-arc mailing list
[email protected]
