[ Accumulating responses to several messages ]

Frank wrote:
For idmap, why isn't simply using rfc2307 a strategy?  Adding some wonky
attribute such as unixUserName just doesn't make sense to me.  My windows
users already possess a complete rfc2307 attribute set and use that to
get unix rights when logging in.

There's no problem with setting the directory-based mapping parameters to use existing (RFC 2307 or otherwise) attributes. You don't need to create new attributes.

Alan wrote:
The only time you need a local UNIX group is when you want to
create a local SMB group on the OpenSolaris box.  smbadm will not
let you create the SMB group unless a UNIX group already exists
by the same name.

Well, and when you want a Windows group to correspond to some existing UNIX group.

Frank wrote:
svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: uid
svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: gid

The RFC 2307 attribute for group name is "cn", not "gid". RFC 2307 does not define the attribute "gid". (I suspect that there is a sordid history there, probably starting with X.500 using "uid" to refer to a username, while UNIX would rather use that to refer to a UNIX numeric user id.)

 # idmap get-namemap frank.cusack
 No identity type determined.

This is a command parsing error. (Yes, it is a simply awful message. I've filed 6915792.) It is complaining that it cannot tell what kind of name you have given it, whether it is a Windows name that should be assumed to be in the default domain or a UNIX name.

Try
    # idmap get-namemap winname:frank.cusack

My unix usernames and windows usernames are identical, so I could just
try to use the one-to-one rule-based mapping as documented but I'd like
to have the flexibility of windows users that don't have rfc2307
attributes being refused cifs service.

We won't refuse them service. They just won't be mapped to UNIX users; their Windows identity will be used. Any authenticated Windows user (and, in some configurations, unauthenticated ones) can get basic access to the CIFS server. Use share and file system ACLs to control which users get what kind of access.
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss