+1

Thank you for the explanation.

Regards,
Michael

On 4/16/2010 10:36 AM, Jordan Brown wrote:
[ You'll probably want a wide window to view the output lines here. I
could probably have the program break them up a bit, but some of the
data fields are pretty long and might wrap anyway, and it's not clear
that multiline entries would be more readable. ]

Michael Kearney wrote:

I note that the show option already has a lowercase -v option.
The -v option shows how the mapping was generated and also
whether the mapping was just generated or was retrieved from the cache.
How are -v and -V different?

-v reports the _one_ mechanism chosen and some data about it. It does
not report the other mechanisms attempted, or the possibly convoluted
path that led from the input to the output. While it's helpful, it
has proven inadequate.

For instance, given a Windows user [email protected] and a mapping rule

    $ idmap list
    add winname:[email protected] unixuser:badunix

idmap show -cv says:

    $ idmap show -cv [email protected]
    winuser:[email protected] -> uid:60001
    Error: Mapping not found or inhibited
    Failed Method: Name Rule
    Rule: add winname:[email protected] unixuser:badunix

That's actually not too bad; although it doesn't point straight at the
problem, it at least reports the name that couldn't be found.

-V, on the other hand, documents each step in the mapping process.
idmap show -cV says the following. (Note that since it's an error
case you get the "-v" output for free.)

    $ idmap show -cV [email protected]
    winuser:[email protected] -> uid:60001
    Error: Mapping not found or inhibited
    Failed Method: Name Rule
    Rule: add winname:[email protected] unixuser:badunix
    winname [email protected] -> unknown - Start mapping
    winname [email protected] -> unixname - Not a well-known account
    winname [email protected] -> unixname - Not a local SID
    winname [email protected] -> unixname - Not found in mapping cache
    winname [email protected] -> unixname - Not found in name cache
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - AD lookup
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - Matching rule: [email protected] -> badunix
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - badunix not found, error
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - Rule-based mapping error=-9981
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser 60001 Error -9981 - Done

Here's a more subtle case. Given this rule:

    $ idmap list
    add winname:*[email protected] unixuser:*

    $ idmap show -cv [email protected]
    winuser:[email protected] -> uid:2147516418
    Source: New
    Method: Ephemeral

Note that -v doesn't tell us why we ended up with an Ephemeral mapping
instead of using the rule.

    $ idmap show -cV [email protected]
    winuser:[email protected] -> uid:2147516419

[[ BTW: it's a different ephemeral ID because I wiped the cache between the two examples ]]

    Trace:
    winname [email protected] -> unknown - Start mapping
    winname [email protected] -> unixname - Not a well-known account
    winname [email protected] -> unixname - Not a local SID
    winname [email protected] -> unixname - Not found in mapping cache
    winname [email protected] -> unixname - Not found in name cache
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - AD lookup
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - Matching rule: *[email protected] -> *
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - jordan not found, continuing
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser - No matching rule
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser 2147516419 - Ephemeral mapping
    winuser [email protected] S-1-5-21-3591674789-480817656-4239000414-1106 -> unixuser 2147516419 - Done

While my hypothetical Windows username is "jordan", my UNIX username
is "jb25718", and so the wild-card rule couldn't be used. (A
variation on this is a real customer case; their name service wasn't
set up right and UNIX users weren't getting looked up properly.)

Or suppose I've transcribed my SID incorrectly (and unresolvable SID
mapping is enabled, as it is by default these days):

    $ idmap list
    add winname:[email protected] unixuser:jb25718

    $ idmap show -cv sid:S-1-5-21-3591674780-480817656-4239000414-1106 unixuser
    usid:S-1-5-21-3591674780-480817656-4239000414-1106 -> uid:2147516421
    Source: New
    Method: Ephemeral

    $ idmap show -cV sid:S-1-5-21-3591674780-480817656-4239000414-1106 unixuser
    usid:S-1-5-21-3591674780-480817656-4239000414-1106 -> uid:2147516422
    Trace:
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unknown - Start mapping
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser - Not a well-known account
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser - Not a local SID
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser - Not found in mapping cache
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser - Not found in name cache
    winname S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser Error -9976 - AD lookup
    winuser S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser Error -9976 - Must map unresolvable SID to user
    winuser S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser 2147516422 Error -9976 - Ephemeral mapping
    winuser S-1-5-21-3591674780-480817656-4239000414-1106 -> unixuser 2147516422 - Done

The idea is that -V doesn't just document the result; it documents
each piece of information, where it came from, and what decisions were
made based on that data.
--
Michael Kearney
Principal Software Engineer
Oracle Corp.
MS UBRM05-390, 500 Eldorado Blvd
Broomfield, CO 80021 US
Phone 303-272-2402
Fax 303-272-6554
Email [email protected]
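
An added example, not part of the original thread and not code from idmap: a short Python parser for -V trace lines like those quoted above, reporting which step decided the outcome (a matched rule whose UNIX name was missing, or a failed AD lookup). The line shape is inferred from the quoted output, and the sample traces use a constructed placeholder account, domain and SID.

```python
import re

# Assumed step shape, inferred from the -V traces quoted in the message:
#   <kind> <name> [<SID>] -> <target> [<id>] [Error <code>] - <message>
STEP = re.compile(
    r"^(?P<kind>\w+)\s+(?P<src>.+?)\s+->\s+(?P<target>\w+)"
    r"(?:\s+(?P<id>\d+))?(?:\s+Error\s+(?P<err>-?\d+))?\s+-\s+(?P<msg>.+)$"
)

def parse_trace(text):
    """Parse unwrapped trace lines into step dicts; other lines are skipped."""
    return [m.groupdict() for m in map(STEP.match, map(str.strip, text.splitlines())) if m]

def diagnose(text):
    """Report the outcome, the rule that matched, and the step that decided it."""
    result = {"outcome": "other", "id": None, "rule": None, "cause": None}
    for step in parse_trace(text):
        msg = step["msg"]
        missing = re.fullmatch(r"(\S+) not found, (?:error|continuing)", msg)
        if msg.startswith("Matching rule: "):
            result["rule"] = msg[len("Matching rule: "):]
        elif missing:
            result["cause"] = f"UNIX name {missing.group(1)} not found"
        elif msg == "AD lookup" and step["err"]:
            result["cause"] = f"AD lookup failed, error {step['err']}"
        elif msg == "Ephemeral mapping":
            result["outcome"] = "ephemeral"
        elif msg == "Done":
            result["id"] = step["id"]
            if step["err"]:
                result["outcome"] = "error"
    return result

# Constructed sample traces (placeholder account, domain and SID), one step per line.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"
WILDCARD = f"""
winuser jordan@example.com {SID} -> unixuser - AD lookup
winuser jordan@example.com {SID} -> unixuser - Matching rule: *@example.com -> *
winuser jordan@example.com {SID} -> unixuser - jordan not found, continuing
winuser jordan@example.com {SID} -> unixuser - No matching rule
winuser jordan@example.com {SID} -> unixuser 2147516419 - Ephemeral mapping
winuser jordan@example.com {SID} -> unixuser 2147516419 - Done
"""
BAD_SID = f"""
winname {SID} -> unixuser Error -9976 - AD lookup
winuser {SID} -> unixuser Error -9976 - Must map unresolvable SID to user
winuser {SID} -> unixuser 2147516422 Error -9976 - Ephemeral mapping
winuser {SID} -> unixuser 2147516422 - Done
"""
```

Calling `diagnose(WILDCARD)` or `diagnose(BAD_SID)` returns a dict with the outcome, the final ID, the matched rule if any, and the deciding cause; wrapped trace lines must be rejoined to one step per line first.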