Re: [OpenIndiana-discuss] ZFS CIFS share bound to a specific interface?

[Günther Alka]

I have added a feature request about this.
Lets hope and wait

https://www.illumos.org/issues/12483

Gea


In several cases i needed to seperate NFS traffic to one link and SMB to
another as well.

G'day,
I never found a good answer to this with Googling.
I want to run a CIFS share using ZFS not samba, but bind it to a
specific address and/or interface.  I know I can use a firewall to
prevent connections to it, but is it possible to do so at the ZFS
level as well?

Thank you!

Carl

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

[OpenIndiana-discuss] minIO on OpenIndiana

[Günther Alka]

**minIO on OpenIndiana***

*MinIO is a Amazon S3 compatible ultrafast cloud service and supported 
by napp-it 19.12/ 20.x as a filesystem property. It is included in the 
OmniOS extra repository. From first tests, the OmniOS binaries are 
working on OpenIndiana and Solaris, 
https://www.napp-it.org/doc/downloads/minio.zip


Copy the /opt/* files to /opt/ and set the binaries for minio, minio 
client and rclone to executable
more, 
https://forums.servethehome.com/index.php?threads/amazon-s3-compatible-zfs-cloud-with-minio.27524/ 


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Duplicate devices in zpool, degraded

[Günther Alka]

Hello David
If you want to move disks around with a controller port based detection, 
you should not just move the disk but insert a new disk on a new 
location followed by a disk replace for a bad disk.


You can replace a disk in the same port but should not insert the 
removed disk in another port (or do a pool export, switch disk and a 
pool import to read new locations)


In your case I would power off and switch the disk in port c2t0d0 to 
another conroller port. After a power on every disk should be on a 
different port what allows a remove of the faulted disk.


If you will find a pool with two missing disks, do a pool export + 
import to re-read all disks with their positions.


Gea
@napp-it.org


Am 01.11.2017 um 07:27 schrieb David Koski:
The boot drive had uncorrectable errors but still not faulted.  I put 
the mirrored drive into the boot drive position (c2t1d0s0 into slot of 
c2t0d0s0) and put a new drive in place of the drive that was moved 
into the boot position, then booted the machine and resilvered.  
However, the boot drive has a strange status where it appears twice in 
the zpool status, once faulted and once not:


# zpool status -x
  pool: syspool
 state: DEGRADED
status: One or more devices could not be used because the label is 
missing or

    invalid.  Sufficient replicas exist for the pool to continue
    functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-4J
 scan: scrub repaired 0 in 0h3m with 0 errors on Tue Oct 31 21:59:25 2017
config:

    NAME  STATE READ WRITE CKSUM
    syspool   DEGRADED 0 0 0
  mirror-0    DEGRADED 0 0 0
    c2t0d0s0  FAULTED  0 0 0  corrupted data
    c2t0d0s0  ONLINE   0 0 0
    c2t1d0s0  ONLINE   0 0 0

errors: No known data errors

Any ideas how to correct this and is it of concern?

Regards,
David Koski


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] ZFS and encryption

[Günther Alka]

There is currently no ZFS encryption outside Oracle Solaris,
only encryprtion on underlying disks and devices but the mechanism are 
incompatible between BSD, Illumos or ZoL.


Datto  is working on it for ZoL based on the last free bits from 
Solaris. It's not ready but you can expect it on any OpenZFS platform 
when its ready.


Gea
@napp-it.org


Am 24.07.2017 um 21:15 schrieb Kai Windle:

Thanks, I'll install to a vm and see what I can come up with.


Many thanks.


Kai.


On 24/07/2017 19:55, Alexander Lesle wrote:

Hello Kai,

sorry I don't know.
If you use napp-it from @gea you can fiddle with snapraid but
I had never done it.

On Juli, 24 2017, 20:44  wrote in [1]:


Hello,
Thank you for the fast replies.
Other than the link that Andrew provided how do people using Illumos based
distributions go about using encryption for their hard drives?
Thanks
Kai.
On 24 July 2017 at 19:22, Alexander Lesle 
wrote:

Hallo Kai,

all Illumos based distributions have no ZFS encryption at the
moment.

On Juli, 24 2017, 19:48  wrote in [1]:


Hi all,
I'm just making a quick inquiry as to whether ZFS has encryption built

into

OI?
I've tried googling around but nothing appears to be giving me a

definitive

yes or no answer.
If encryption is not supported via ZFS how would I go about encrypting my
entire hard drive?
Sorry I'm still new to Openindiana
Many thanks
Kai.
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

--
Best Regards
Alexander
Juli, 24 2017

[1] mid:CAG838zjnN-baTmyocTT1gVH6HNWaFYsMY0e=9h3pdtoduix...@mail.gmail.com



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss




___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

[OpenIndiana-discuss] About OpenIndiana and napp-it

[Günther Alka]

About OpenIndiana and napp-it
https://forums.servethehome.com/index.php?threads/omnios-151022-long-term-stable.14367/page-4

Gea
@napp-it.org


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] To the OmniOS, OI and SmartOS community

[Günther Alka]

hello Till

My napp-it storage appliance add-on is currently running and supported 
on OmniOS, OpenIndiana Hipster, Solaris and partly ZoL. I would be very 
glad to add SmartOS but this would require a mechanism to  install 
storage services to global zone, load settings like users or (SMB) 
groups on powerup from datapool and save them on demand to make them 
persistent.


If you ask what I and many users need or want from a free distribution 
compared to OpenIndiana, the answer is a Illumos distribution with 
stables and long term stables, each based on its own repository with 
backported security fixes on the long term stable. This allows to 
evaluate a release and use it with the option to add security or 
bugfixes without jumping to a newer release with newer features and 
possible incompatibilities or new bugs. This is what OmniOS is and for 
me this is what I and many users want. My hope is that this will be 
based on OI snapshots in future as I do not believe that a second fully 
independent community backed Illumos distribution can survice on the 
long run. It will only weaken Illumos in case of a failure and OI in the 
meantime.


SmartOS with a solid commercial background and one additional community 
based Illumos alternative is what I hope for. And the last can only mean 
OpenIndiana + stable add-on.


best regards


Gea

Am 18.05.2017 um 18:31 schrieb Till Wegmüller:

Hello Guenther

I would pretty much suggest using OpenIndiana to develop solutions 
like napp-it on top of.


Main reason being that appart from certain vlan taging and lx zone 
features we have all the technical bells ans whistels that OmniOs and 
SmartOS have. We just have some different tools. We use the ones 
Solaris used and don't have high level wrappers like vmadm.



If you want to use it to base your napp-it I definately would support 
you with what I know about the distribution. I could tell you about 
the Image creation system and other stuff. And I'm sure that others 
would help out with insights aswell.


What would you need from a Distribution to build your Application on 
top? Would be interesting to know.


---
Greetings
Till

On 15.05.2017 13:58, Guenther Alka wrote:

*Its time to consider pla**n**B/C ??*
to: omnios-discuss, openindiana-discuss, smartos-discuss

The announcement of OmniTi to cancel OmniOS from now to then is a 
real disaster not only for OmniOS users but for the whole Illumos 
platform. Many users who want a free Solaris based OS especially in 
production environments selected OmniOS as their preferred Illumos 
platform mainly with use cases storage and general server applications.


The reasons:*OmniOS=**Up to date Illumos*
+ commercial support option (although way too expensive)
+ own developments like LX zones integration from SmartOS or drivers
+ stables/long term stables with very experienced full time staff 
(thanks to Dan and Dale again)


As OmniTi has released a new stable 151022, I/we have some time maybe 
to the end of the year unless OmniOS is out of sync with Illumos in a 
non tolerable amount.  Bugfixes of serious problems may be the case 
until then (hope so).


What are the/my options


*Plan A*
Hope for a continuation of OmniOS as a well maintained 
community/commercial project with further development, ongoing 
stables and bugfixes optionally with some paid contributions under 
the umbrella of a firm or at least with some experienced members that 
were already resonsible for OmniOS or an Illumos distribution and 
that can be trusted for next years.


While I hope for this, I doubt that this is a serious option. I 
switched from OpenIndiana to OmniOS three years ago as the OI 
community was too weak and development nearly stalled at that time. I 
am not interested in a new weak OmniOS community for a distribution 
that should be used as a production system. The OmniOS community will 
be propably too small forever as we already have the Illumos 
community project OpenIndiana nearly identical to OmniOS from 
distribution, features and use cases. And a very important thing: The 
brand OmniOS has already a very bad name as a dead/failed project in 
the press mostly affecting Illumos as well.



*Plan B*
OpenIndiana is a quite established community project for an up to 
date Illumos distribution. I would say its nearly identical to OmniOS 
beside the missing LX improvements from OmniOS but with an additional 
GUI option. I hope to see LX zones upstreamed to Illumos. OpenIndiana 
currently offers a rolling development of newest Illumos bits with 
snapshots every 6 months but without an additional stable repository 
with backported security fixes. Every update give you the newest 
Illumos fixes and features but also the newest bugs (ongoing dev, 
unstable).


If OmniOS has to become a community project, I undoubtly would prefer 
a merge of the two distributions up from next releases. OpenIndiana 
with a stable repo for every snapshot and with a repo as development 
path would give me 

Re: [OpenIndiana-discuss] identify drive

[Günther Alka]

hello Bob
sas2ircu can also switch the backplane alert led on/off

Gea

Am 17.04.2017 um 15:42 schrieb Bob Friesenhahn:

On Mon, 17 Apr 2017, Günther Alka wrote:


For my napp-it appliance software, I use dd to identify a disk
based on activity and and the LSI tool sasircu to create a map
of storage bays with the inserted disks and their WWN numbers.


I used the tedious dd approach recently.  It is best done in advance 
of deployment when the system is idle.


I found that 'cfgadm -al' (or something like 'cfgadm -al c17' once the 
controller has been identified) is useful since it provides 
identifying information which can be correlated with 'zpool status' 
and 'iostat -Ei'.


While replacing a failed drive on my 20 drive server, I realized that 
it is wise to figure everything out in advance while everything is 
working properly.


Having to do this is really crummy.  It would be nice to have a way to 
turn the location LED on for popular server platforms.


Bob




___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] identify drive

[Günther Alka]

For my napp-it appliance software, I use dd to identify a disk
based on activity and and the LSI tool sasircu to create a map
of storage bays with the inserted disks and their WWN numbers.

Gea


Am 17.04.2017 um 14:17 schrieb Alexander Pyhalov:

Hello.

Is there any supported way to identify drive on OI?
I have 14 drives attached to MegaRAID SAS 9361-8i controller.
How can I map OS disk to physical disk location in the server?
Evidently, luxadm led_blink or cfgadm unconfigure don't work...




___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Problem with Hipster 2016.10 GUI on ESXi 6.5

[Günther Alka]

In my own setups I mostly use the text edition of OI/OmniOS
but this was due a request of a user that wants a napp-it All-In-One setup
not only with the Web-Gui but a local desktop for easier local 
filemanagement.
On Solaris I also prefer the "desktop" edition even on a server for the 
same reason.


This ESXi situation is not yet common but even to evaluate a Hipster setup
it would be highly desirable when the mouse would work. As the problem was
there immediatly after first bootup it cannot be solved with vmware tools
as you usually need the mouse to setup OI to a disk or for any other
interactions.


Gea/ Guenther
napp-it.org


Am 10.12.2016 um 12:46 schrieb Till Wegmüller:

Hi Guenther

This really much Sounds like our version of VMmouse Driver is too old.
Have you tried the Virtual Maschine Tools Additions ISO in VMware yet? 
or has that been removed too.

Do you need the GUI on an the OI machines?
Could you dedicate some time Updating open-vm-tools in OI userland? 
This would help all VMware users.


Greetings
Till

Am 10.12.2016 um 10:27 schrieb Guenther Alka:

hello Till


Am 08.12.2016 um 16:29 schrieb Till Wegmüller:

Hi Guenther


What Happens when you use a ESXi 6.0 with HTML5 GUI ?



same or even more problems (this one was really buggy)
With OI, you have a mouse there but quite inresponsive with a "second 
shadow mouse pointer"




Is the Vsphere Client Really not usable anymore with 6.5? ESX 
Usually has Backwards compatibility. Even if not supported.


Basic settings and console is working with 6.0 vsphere, others like 
the vsphere filebrowser with upload not. Windows Vsphere is definitly 
EoL.





It could be that the VMware Tools need an Update. Have you tried to 
install vmware tools on the Guest via Text Console?


I installed the tools on ESXi 6.0u2 via pkg install open-vm-tools but 
no difference regarding mouse




You say that the First installation Step worked. Was Mouse Freezing 
after a while or was the whole Screen Freezing?


you can bootup OI live with the GUI. A mouse right click gives you a 
property menu where you can navigate with keyboard. Left mouse key or 
mouse pointer not working/visible.








Greetings

Till

Am 08.12.2016 um 12:59 schrieb Guenther Alka:
I wanted to install Hipster 2016.10 GUI on the new ESXi 6.5 free 
where the new local html-5 webconsole is the only management 
option. The old Windows vsphere client is no longer supported. 
First setup setup step was ok but I was not able to get a working 
mouse so installation from the GUI was not possible.


No problem when using an older ESXi 6.0 with Windows Vsphere or 
using a text edition.


Gea

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss





___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


--

Guenther Alka, Dipl.-Ing. (FH)
Leiter des Rechenzentrums
head of computer center

Tel 07171 602 627
Fax 07171 69259
guenther.a...@hfg-gmuend.de
http://rz.hfg-gmuend.de


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] SATA Expansion cards

[Günther Alka]

Both are bad choices especially the Vantec.
The LSI 1064 will work but is quite old (max 2 TB disks)

If you have an empty PCI-e slot, use
- IBM M1015 or LSI 9211 (flash LSI 9211-IT firmware on either)
- LSI 9207


 Am 01.02.2015 um 00:35 schrieb Rainer Heilke rhei...@dragonhearth.com:
 
 Greetings;
 
 I need to build a new home server, but I need to get all 8 drives internal. 
 Will Illumos/OpenIndiana support the Vantec UGT-ST310R SATA card? If not, 
 will it support the Asus PIKE Technology 1064E card? I am trying to find 
 something that can just present the extra drives as SATA drives to use ZFS.
 
 TIA,
 Rainer
 
 ___
 openindiana-discuss mailing list
 openindiana-discuss@openindiana.org
 http://openindiana.org/mailman/listinfo/openindiana-discuss


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Recommendations for fast storage

[Günther Alka]

I would think about the following

- yes, i would build that from SSD
- build the pool from multiple 10 disk Raid-Z2 vdevs,

- use as much RAM as possible to serve most of reads from RAM
example a dual socket 2011 system with 256 GB RAM

- if you need sync writes/ disabled LU write back cache, use dedicated 
DRAM based log-devices (ZEUSRAM)
For multiple 10 Gbe you may need several of them or disable sync/enable 
LU cache when possible,
I would calculate one ZEUSRAM per 10 GBe adapter (about 2000$ each), 
analyze ZIL usage first.


- if possible, avoid expander with Sata disks

- do not fill a pool above 50% if you need max performance
read about fillrate vs throughput: 
http://blog.delphix.com/uday/2013/02/19/78/


- tune ip (Jumboframes, MPIO, Trunking) and iSCSI blocksize

- think about using OmniOS (a little more up to date than OI)


The rest is some math,you need:

a case (like a 50 x 3,5 bay Chenbro or a up to 72 bay SuperMicro)
with a 7 x pci-e mainboard, CPU, RAM, 3 x SAS2 HBA controller,
4 x dual 10 Gbe adapters:

ex: Chenbro 50 x 3,5 case without expander:
4 x dual 10 Gbe + 3 x LSI 16 channel HBA

or Supermicro cases with expander, up to 72 x 2,5 bays
with up to 3 x 8-16 channel HBA

say 1 $


The rest is for SSD and ZIL
If you like to use 10 TB and want to have 20TB capacity for performance 
reasons:

with your 800GB Intel, you have about 6,5 TB usable for 10 disks (Z2)
You need 30 of them ex 2000$ per SSD: 6$ (without ZIL and spare),

gives a total o 7$ without ZIL and spare.

other Option:
use 500-600 GB SSD like Intel 320 or 520.
You need more of them but they are cheaper regarding TB/$

allow 80% SSD usage, check ARC usage to eventually reduce amount if SSD
(RAM is cheaper than using only 50% of SSD capacity)

keep enough slots free to optionally add more SSD for better performance 
or higher capacity

care about needed capacity for snaps
add 10% spare disks.




On 14.04.2013 17:15, Wim van den Berge wrote:

Hello,

  


We have been running OpenIndiana (and its various predecessors) as storage
servers in production for the last couple of years. Over that time the
majority of our storage infrastructure has been moved to Open Indiana to the
point where we currently serve (iSCSI, NFS and CIFS) about 1.2PB from 10+
servers in three datacenters . All of these systems are pretty much the
same, large pool of disks, SSD for root, ZIL and L2ARC, 64-128GB RAM,
multiple 10Gb uplinks. All of these work like a charm.

  


However the next system is  going to be a little different. It needs to be
the absolute fastest iSCSI target we can create/afford. We'll need about
10-12TB of capacity and the working set will be 5-6TB and IO over time is
90% reads and 10% writes using 32K blocks but this is a data analysis
scenario so all the writes are upfront. Contrary to previous installs, money
is a secondary (but not unimportant) issue for this one. I'd like to stick
with a SuperMicro platform and we've been thinking of trying the new Intel
S3700 800GB SSD's which seem to run about $2K. Ideally I'd like to keep
system cost below $60K.

  


This is new ground for us. Before this one, the game has always been
primarily about capacity/data integrity and anything we designed based on
ZFS/Open Solaris has always more than delivered in the performance arena.
This time we're looking to fill up the dedicated 10Gbe connections to each
of the four to eight processing nodes as much as possible. The processing
nodes have been designed that they will consume whatever storage bandwidth
they can get.

  


Any ideas/thoughts/recommendations/caveats would be much appreciated.

  


Thanks

  


W

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss




___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] DLNA server

[Günther Alka]

Info:
Another new option for a DLNA mediaserveris Mediatomb
(ready to use with online installer script for OpenIndiana and OmniOS)

http://www.napp-it.org/doc/manuals/Mediatomb AddOn for napp-it.pdf 
http://www.napp-it.org/doc/manuals/Mediatomb_AddOn_for_napp-it.pdf




On 09.03.2013 08:23, Michelle Knight wrote:

Thanks all,

I'll give these a shot tonight.

I also took the chickens way out and emailed Humax asking them to
include an SMB option :-) ... they're considering it.

Michelle.

On Fri, 08 Mar 2013 10:13:24 +0100
Hans J. Albertsson hans.j.alberts...@branneriet.se wrote:


Indeed, this works well.
First you must say xhost + or xhost +host in a term window on the
display host, then do the ssh -X ...

You can even say:

ssh -X
username@serviio.server /dir/where/serviio/is/installed/bin/serviio-console.sh
and it will display after a few seconds.

The library database on the server for serviio must be writable (and
accessible) for username



On 2013-03-08 09:02, Andrej Javoršek wrote:

Hello,
@Michelle: if your workstation/desktop is some-kind of UNIX/X11
compatibile you can use X11 forwarding by using
ssh -X username@serviio.server
than run Serviio console and it will show on your
workstation/desktop (I believe I have tried in the past end it
worked.).

Regards
Andrej





___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss



___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

[Günther Alka]

You may

- create encrypted devices from files with lofiadm with any size, even 2 
GB to backup the files on any filesystem

- create an encrypted ZFS pool from these devices (works with OI and ZFS 28)

backup such a pool: copy the files to any backup device (cloud, other 
NAS, even USB disks, sticks)
if you use a Raid-Z2 vdev, you are even protected from multiple file 
corruption on unsecure filesystems like FAT


read more
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools

from tests, this works even with large pools and is about 20% slower 
than Solaris 11 and its encrypted pools
but much more flexible because you can backup the encrypted pool itself 
by just copying the files it is build on.
I have included this mechanism into the napp-it Web-GUI under menu pools 
(create/import encrypted pools)



On 30.08.2012 13:37, Edward Ned Harvey (openindiana) wrote:

From: Jan Owoc [mailto:jso...@gmail.com]

My personal opinion is that a variant on the way you described it in
your original mail is the best:
zfs send your_data | your_favourite_compression |
your_favourite_encryption  /usb_fs/backup.gz.gpg

I still say, don't receive into a file.  This is an obvious best practice 
suggestion that's written in all the manuals and all over every wiki, including 
the zfs best practices guide and solaris administration guide.

lofiadm supports encryption.  (At least, in openindiana.)

Make an unencrypted, uncompressed zpool.
Inside there, create a huge file.
Use lofiadm to encrypt the huge file, and make the decrypted version available 
as a lofi device.
(In fact, maybe you can apply the encryption directly to the raw device, skip 
the huge file?  That would be nice.)
zpool create, compression=on, using the decrypted lofi device.

Now you're able to do incremental receives, into a compressed zfs filesystem, 
which is stored in an encrypted file (or encrypted raw device).


___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss



___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)

[Günther Alka]

with SAMBA and winbind you may loose:

- snaps via Windows previous version
- Windows compatible ntfs4 ACL (only Posix ACL ?)
- SMB as a ZFS property
- interoperability with NFS4
- movable pools that keep ACL intact
- performance, kernel based CIFS server is mostly faster
- CIFS is managed by Illumos, not a third party product that cares mostly about 
Linux
- napp-it integration

From Windows and interoperability view CIFS is much better.
A minimal solution may be using at least the UID/GID provided by idmap for 
already created AD users, optionally add a SID-UID/GID entry in this database.

In this case, you do not write proper ACL but use at least the same UID/GID 
like CIFS
I have not tried if CIFS is using the proper SID via idmap when there is only a 
UID/GID entry in files.




Am 13.08.2012 um 12:24 schrieb James Relph:

 I would say, OpenIndiana/ Solaris  (as a fileserver) is useless without its 
 Windows compatible
 Snap, ACL and CIFS features. These are the killer arguments to use OI/ 
 Solaris widely - the most compatible
 Windows-server on Unix.
 
 I think the only thing you're missing moving to SAMBA+winbindd is the VSS 
 integration?  The snapshots are still there and all the other ZFS features, 
 you just lose the right-click - restore previous versions option (which most 
 enterprises seem to disable for clients anyway).
 
 James.
 
 
 
 ___
 OpenIndiana-discuss mailing list
 OpenIndiana-discuss@openindiana.org
 http://openindiana.org/mailman/listinfo/openindiana-discuss


___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)

[Günther Alka]

On 12.08.2012 19:42, Frank Lahm wrote:

*sigh*
I was just giving a pointer to some doc I have spent considerable time
and effort to provide a consolidated ressource for anybody facing this
problem.
You may notice that using idmu is one the things explained in great length.
Feel free to add links and add enhancements.
-f


IDMU seems not really helpful.
If one wants to provide a transparent multiprotokoll server (CIFS + AFP + AD +
ACL support)
on OpenIndiana, it must be fully integrated into the builtin CIFS mechanism
without the need to add
anything to AD - with CIFS you need no IDMU due to ephemeral mappings.

Netatalk needs to use the (by the CIFS service) already created idmappings or it
must create
a similar ephemeral mapping for new users (transparent for the next CIFS user).

Netatalk uses standard UNIX APIs for user and group identication,
authentication and authorization. That boils down to PAM and nsswitch.
So the question is not how to adapt Netatalk to undocumented and
private APIs, but how to configure PAM or in this case
name-service-switch.


How can that be done?

You may try substituting idmap with winbind. idmap ephemeral mappings
are useless for for every UNIX process beside CIFS and NFS servers
because

To prevent aliasing problems, all file systems, archive and backup
formats, and protocols must store SIDs or map all UIDs and GIDs in the
231 to 232 - 2 range to the nobody user and group.

http://docs.oracle.com/cd/E23824_01/html/821-1462/idmap-1m.html

-f


Maybee the point of view is the core of the problem.
You wrote ephemeral mappings are useless beside CIFS and NFS

I would say, OpenIndiana/ Solaris  (as a fileserver) is useless without 
its Windows compatible
Snap, ACL and CIFS features. These are the killer arguments to use OI/ 
Solaris widely - the most compatible

Windows-server on Unix.

All persons that I know that use OI/ Solaris in an Active Directory 
environment as a filer
do not want to care about the Unix base but use it because of the hassle 
free AD integration
- indeed they use it like a Windows filer without the need do modify any 
Unix specific settings on the
AD server (they may even get troubles with their admins when asking 
about modifying AD settings)


If AFP on OI/Solaris could not be integrated within the default CIFS 
mechanism then is not the best option
in nearly all Active Directory environments. AD + netatalk only (without 
CIFS and a different permission
mechanism) is  not the most wanted solution as well as the need to 
modify anything only because netatalk

is not able to cooperate with AD+CIFS.

Other options like winbind + SAMBA means to abandon the magic of 
OI/Solaris. Its then just another Unix server that
can be connected from Windows without the essential features that allows 
to replace real Windows servers with CIFS.


So indeed, I  am interested in AD /CIFS/ Windows compatibility of all 
fileservices - not Unix compatibility.
This is really a pity. With netatalk 2, it was a pain to share a dataset 
via CIFS and AFP because of the additional AFP files -
they are now invisible with netatalk3. No the view from both is quite 
the same. You can even authenticate from AD

but the successfully authenticated user it not used for file-access.

Most of the problems to build  a Windows compatible and fully integrated 
multiprotokollserver  (like old Windows2000 servers)
are solved. Whats missing is the mini-jump to the Windows SID/ idmap 
compatibility.


So I hope for a way to do it more easily in future.


Gea
napp-it.org

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss