On Fri, Feb 08, 2008 at 08:13:13AM +1000, James C. McPherson wrote:
> Nicolas Williams wrote:
> >On Thu, Feb 07, 2008 at 11:41:47PM +1000, James C. McPherson wrote:
> >>Nicolas Williams wrote:
> >>>You don't have to do anything at all for idmap to be in AD-only mode.
> >>>By default it only does ephemeral ID mapping (for SID->UID/GID mapping)
> >>>and local SID mapping (for non-ephemeral UID/GID->SID mapping).
> >>Is this the compulsory mode of operation now? I noticed that since
> >>going from 77 to 81, I am no longer able to connect from my win-XP
> >>or win-Vista systems. The message I see is
> >
> >No, ephemeral mapping is just the default.
> 
> So do I still need the explicit "idmap add winuser:* unixuser:*" ?

ONLY IF you want to do name-based mapping.

Cutting to the chase: in workgroup mode idmapd only supports local-sid
mappings -- see way below.

I.e., if you have a Unix name service environment where Unix users and
groups exist where they correspond to Windows users and groups and you
want to make sure that this equivalence carries over to file ACLs.

AD w/ SFU does count as a "Unix name service environment", but the other
stipulation is up to you.

Also, what you'd want is more like this:

idmap add winname:[EMAIL PROTECTED] unixuser:*
idmap add winname:[EMAIL PROTECTED] unixgroup:*

> >>Feb  6 15:33:12 farnarkle idmap[7189]: [ID 678313 daemon.error] Failed to 
> >>create request for AD lookup by winname
> >
> >Possible problems (I know, we should have better logging, but the
> >information here could be buried many layers deep, so it's hard to get):
> >
> > - your /etc/krb5/krb5.keytab is out of sync
> >   Try re-joining your domain.
> 
> I've never, ever used Kerberos.

Did you use smbadm join?

> I'm looking for a way to login, in workgroup mode :-)

Aha!  OK, you're in workgroup mode.

In workgroup mode idmapd only supports mapping of Unix users and groups
to local SMB users/groups (i.e., it constructs a SID out of the local
machine SID and the UID or GID).  You can ignore all complaints from
idmapd about AD lookups failing (we're gonna fix those complaints in
workgroup mode, yes).

Further, in workgroup mode you can only access shares as a user that
exists on the server, not on the client.

You do have to execute various tasks to make sure that you can use local
users and groups via SMB in workgroup mode.

Nico
-- 
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
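As an added illustration of the workgroup-mode behaviour Nico describes (a SID built from the local machine SID plus the UID or GID), the following Python model is not idmapd source code and is not from the thread. The machine SID is a constructed sample, and the RID offsets (users from 1000 upward, groups in the upper half of the 32-bit RID space) are assumptions chosen so mapped RIDs cannot collide with well-known local RIDs such as 500; the real daemon's constants may differ. The reverse function shows the check a defender cares about: a SID from another machine or domain, or a well-known local RID, must not be mistaken for a locally mapped UID/GID.

```python
"""Model of local SID mapping in workgroup mode (added example, not idmapd code)."""

# Constructed sample machine SID of the usual S-1-5-21-<three sub-authorities> form.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Assumed RID layout (assumption, not taken from the mail): user RIDs start at
# 1000 so they cannot collide with well-known local RIDs such as 500 (Administrator);
# group RIDs occupy the upper half of the 32-bit RID space.
LOCALRID_UID_MIN = 1000
LOCALRID_UID_MAX = (1 << 31) - 1
LOCALRID_GID_MIN = 1 << 31
LOCALRID_GID_MAX = (1 << 32) - 1


def parse_sid(sid):
    """Validate a textual SID and return (identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Binary SIDs carry at most 15 sub-authorities, each a 32-bit value.
    if len(subs) > 15 or any(s > LOCALRID_GID_MAX for s in subs):
        raise ValueError(f"SID out of range: {sid!r}")
    return authority, subs


def uid_to_local_sid(uid, machine_sid=MACHINE_SID):
    """Mint a SID for a Unix UID under the local machine SID."""
    parse_sid(machine_sid)  # fail early on a bad machine SID
    rid = uid + LOCALRID_UID_MIN
    if uid < 0 or rid > LOCALRID_UID_MAX:
        raise ValueError(f"UID {uid} has no local RID")
    return f"{machine_sid}-{rid}"


def gid_to_local_sid(gid, machine_sid=MACHINE_SID):
    """Mint a SID for a Unix GID under the local machine SID."""
    parse_sid(machine_sid)
    rid = gid + LOCALRID_GID_MIN
    if gid < 0 or rid > LOCALRID_GID_MAX:
        raise ValueError(f"GID {gid} has no local RID")
    return f"{machine_sid}-{rid}"


def local_sid_to_posix(sid, machine_sid=MACHINE_SID):
    """Reverse the mapping.

    Returns ("uid", n) or ("gid", n) for a SID this host minted, and None for
    anything else: a SID under a different machine/domain SID, a well-known
    SID such as S-1-5-32-544, or a well-known local RID below the mapped range.
    """
    authority, subs = parse_sid(sid)
    m_authority, m_subs = parse_sid(machine_sid)
    # Everything but the final RID must equal the local machine SID exactly.
    if authority != m_authority or subs[:-1] != m_subs:
        return None
    rid = subs[-1]
    if LOCALRID_UID_MIN <= rid <= LOCALRID_UID_MAX:
        return ("uid", rid - LOCALRID_UID_MIN)
    if LOCALRID_GID_MIN <= rid <= LOCALRID_GID_MAX:
        return ("gid", rid - LOCALRID_GID_MIN)
    return None


if __name__ == "__main__":
    for uid in (0, 100, 65534):
        sid = uid_to_local_sid(uid)
        print(f"uid {uid:>6} -> {sid} -> {local_sid_to_posix(sid)}")
    for gid in (0, 10):
        sid = gid_to_local_sid(gid)
        print(f"gid {gid:>6} -> {sid} -> {local_sid_to_posix(sid)}")
    # A foreign SID and a well-known local RID both fall through to None.
    print(local_sid_to_posix("S-1-5-21-9-9-9-1100"), local_sid_to_posix(f"{MACHINE_SID}-500"))
```

Because the mapping is purely arithmetic on the local machine SID, it needs no AD or name-service lookup at all, which is why the AD-lookup complaints in the log are harmless in this mode.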
