On 21.01.2010 09:38, David Bond wrote:
> Hi,
> 
> Thanks for your reply. Did you follow that documentation on implementing
> Kerberos authentication?
Just join it to the domain, that should be enough (Kerberos for CIFS isn't
implemented). (I have to have a look at how to join exactly, but you'll have
to get your Kerberos setup fine first.)
> CIFS worked fine for me, apart from a few problems when trying to implement
> user logons via active directory, as discussed in the thread I mentioned.
> 
Working here like a charm.
> My testing was in a 2003 R2 domain, it will probably be changed to a 2008 R2
> domain, but testing for old clients needs to be done first (OS/2).
No idea here.
> 
> My goals for the server were / are:
> 
> Unified logon, for CIFS, SSH, and local console logons, with consistent id
> mapping between servers. 
Would work, but one big caveat: currently (O)Sol has no support for
breaking down AD's recursive group structure (produced and represented
through the ability of using DNs as group members) into its normal
groups, so from the unix view the users are only members of their primary
group. (Workaround: manage your group memberships in AD twice => gives
normal unix LDAP memberships.)
The real pitfall is that ALL security groups a user is a member of (also
recursively) HAVE to HAVE a unix gid, or the logon to CIFS is denied!

Here I'm looking for a way to get read access to the shares over HTTP
with a normal web browser, but respecting the ZFS ACLs in place. The best way
would be to fork some browsing process on a per-session/login basis, using
the accessing user...
> 
> Anyway, what did you do to get it to work, do you have all your
> authentication for the server via active directory; SSH, CIFS, Console
> logons? If you do, would you mind, if it was different to how that document
> described it, providing information on how it is set up.
Yes, currently I'm looking for a possibility to restrict/bind the logon
rights and the access rights to the root role (pfexec, ...) to a group
imported from AD (Domain\ Admins f.ex.).

Florian
> 
> 
> 
> Many Thanks
> 
> David
> 
> 
> 
> -----Original Message-----
> From: Florian Manschwetus [mailto:florianmanschwe...@gmx.de] 
> Sent: 21. januar 2010 09:21
> To: David Bond
> Cc: cifs-discuss@opensolaris.org
> Subject: Re: [cifs-discuss] idmap in AD with a solaris cifs server as
> kerberos client?
> 
> On 21.01.2010 09:02, David Bond wrote:
>> When you say it works, did it work over a period of time (have you used it
> for more than a day) or did it just work when you tried it? It worked fine
> for me for a while and then would stop and would require me to touch the
> resolve.conf file now and then for it to renew the servers kerberos tickets.
> I had a thread on here about it. I'm the last comment on that page with the
> thread in it.
> Hm, here the idmapping works fine, for over 2 months now (productive!
> 2008 forest with 2008R2 DCs).
> 
> Florian
> 
> 
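The two caveats Florian raises above (AD nested groups that the unix side does not flatten, and the rule that every security group a user is in, nested ones included, needs a unix gid before a CIFS logon succeeds) as an added example that is not code from this thread or from OpenSolaris: a small Python check over constructed AD-style entries that walks nested membership the way AD does and lists the groups still lacking a gidNumber. All DNs, names and numbers below are made up.

```python
# Added example, not from the thread: resolve a user's full (recursive) AD
# group membership, expressed as DNs in each group's "member" attribute, and
# report the groups that have no gidNumber. The directory is constructed data.
from collections import deque

# Constructed sample directory: DN -> attributes. "Domain Admins" is nested
# inside "Storage Admins", which has no gidNumber assigned yet.
SAMPLE_DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=test": {
        "objectClass": ["user"], "uidNumber": 10001, "gidNumber": 10000,
    },
    "CN=Domain Users,CN=Users,DC=example,DC=test": {
        "objectClass": ["group"], "gidNumber": 10000,
        "member": ["CN=alice,CN=Users,DC=example,DC=test"],
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=test": {
        "objectClass": ["group"], "gidNumber": 10512,
        "member": ["CN=alice,CN=Users,DC=example,DC=test"],
    },
    "CN=Storage Admins,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],  # no gidNumber: this is what blocks the CIFS logon
        "member": ["CN=Domain Admins,CN=Users,DC=example,DC=test"],
    },
}


def direct_groups(directory, member_dn):
    """Groups whose 'member' attribute lists member_dn directly."""
    return [dn for dn, attrs in directory.items()
            if "group" in attrs.get("objectClass", [])
            and member_dn in attrs.get("member", [])]


def recursive_groups(directory, user_dn):
    """Transitive closure of group membership, as AD evaluates it."""
    seen, queue = set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in direct_groups(directory, dn):
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                queue.append(group)
    return seen


def groups_missing_gid(directory, user_dn):
    """Groups in the user's recursive membership that have no gidNumber."""
    return sorted(g for g in recursive_groups(directory, user_dn)
                  if "gidNumber" not in directory[g])
```

Run it against an export of your real group entries before joining the CIFS server; any group it lists is one the logon will fail on until it gets a gid.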



_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
