On January 8, 2010 8:43:31 PM -0800 Alan M Wright <a...@sun.com> wrote:
> On 01/08/10 19:33, Frank Cusack wrote:
>> When using zfs/cifs, and the solaris cifs server is a domain member, can
>> windows groups be used directly or do they have to be mediated by mapping
>> to unix groups?
>
> When setting the file owner or group, managing ACLs or creating
> idmap rules, you can use Windows domain groups directly.
>
> If that's not what you are asking, can you expand on what you
> mean and provide examples of what you'd like to achieve.

That is exactly what I'm asking.  It doesn't look like I've quite gotten
that far though.  I did finally manage to get b130 installed and
was able to join the 2k8r2 domain by setting lmauth_level=2.  Interesting
that I had to start the smb/server service in order to join the domain.

I didn't do anything else and then when my vista domain client tries
to access the share, I was getting an error that idmap failed.  OK
so I configured the idmap service to use directory based mapping and
to use the rfc2307 names.

svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: uid
svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: gid

I did a refresh and a restart on the system/idmap service to hopefully
make it take effect.  No such luck.  OK a reboot.  Still the same failure,
idmap failed.  The error is coming from smbd; idmap doesn't appear to be
logging any debug info, how do I check what is the problem?

As a test:
 # idmap get-namemap frank.cusack
 No identity type determined.

That doesn't look promising.

Note that my b130 server is an ldap client and windows users can login
and uid/gid mappings work via nsswitch and the rfc2307 attributes
that are part of their AD accounts.

None of the howto's I can find online discuss idmap at all, yet they
all seem to show successful mounting of cifs shares.  I feel this is
the last hurdle!!

My unix usernames and windows usernames are identical, so I could just
try to use the one-to-one rule-based mapping as documented but I'd like
to have the flexibility of windows users that don't have rfc2307
attributes being refused cifs service.

-frank
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
