Please read the Getting Started or the CIFS Administration document on
the CIFS server OpenSolaris page on how to set up your system in Workgroup
mode. For security reasons, workgroup mode is not usable right out
of the box; it needs some minimal setup, and idmap is not part of it.
In fact, it's not recommended to define name-based mapping rules in
Workgroup mode, since it leads to idmap trying to contact AD, which will
fail because the system is not joined to any AD domain in this mode.
Note that you won't actually need any name-based rule, since the only
users/groups available in this mode are local Solaris users/groups.

http://opensolaris.org/os/project/cifs-server/docs/
http://www.genunix.org/wiki/index.php/Getting_Started_With_the_Solaris_CIFS_Service

Afshin

Nicolas Williams wrote:
> On Fri, Feb 08, 2008 at 08:13:13AM +1000, James C. McPherson wrote:
>> Nicolas Williams wrote:
>>> On Thu, Feb 07, 2008 at 11:41:47PM +1000, James C. McPherson wrote:
>>>> Nicolas Williams wrote:
>>>>> You don't have to do anything at all for idmap to be in AD-only mode.
>>>>> By default it only does ephemeral ID mapping (for SID->UID/GID mapping)
>>>>> and local SID mapping (for non-ephemeral UID/GID->SID mapping).
>>>> Is this the compulsory mode of operation now? I noticed that since
>>>> going from 77 to 81, I am no longer able to connect from my win-XP
>>>> or win-Vista systems. The message I see is
>>> No, ephemeral mapping is just the default.
>> So do I still need the explicit "idmap add winuser:* unixuser:*" ?
> 
> ONLY IF you want to do name-based mapping.
> 
> Cutting to the chase: in workgroup mode idmapd only supports local-sid
> mappings -- see way below.
> 
> I.e., if you have a Unix name service environment where Unix users and
> groups exist where they correspond to Windows users and groups and you
> want to make sure that this equivalence carries over to file ACLs.
> 
> AD w/ SFU does count as a "Unix name service environment", but the other
> stipulation is up to you.
> 
> Also, what you'd want is more like this:
> 
> idmap add winname:[EMAIL PROTECTED] unixuser:*
> idmap add winname:[EMAIL PROTECTED] unixgroup:*
> 
>>>> Feb  6 15:33:12 farnarkle idmap[7189]: [ID 678313 daemon.error] Failed to 
>>>> create request for AD lookup by winname
>>> Possible problems (I know, we should have better logging, but the
>>> information here could be buried many layers deep, so it's hard to get):
>>>
>>> - your /etc/krb5/krb5.keytab is out of sync
>>>   Try re-joining your domain.
>> I've never, ever used Kerberos.
> 
> Did you use smbadm join?
> 
>> I'm looking for a way to login, in workgroup mode :-)
> 
> Aha!  OK, you're in workgroup mode.
> 
> In workgroup mode idmapd only supports mapping of Unix users and groups
> to local SMB users/groups (i.e., it constructs a SID out of the local
> machine SID and the UID or GID).  You can ignore all complaints from
> idmapd about AD lookups failing (we're gonna fix those complaints in
> workgroup mode, yes).
> 
> Further, in workgroup mode you can only access shares as a user that
> exists on the server, not on the client.
> 
> You do have to execute various tasks to make sure that you can use local
> users and groups via SMB in workgroup mode.
> 
> Nico

_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss