Quoting Jordan Brown <jordan.br...@oracle.com>:
Michael Anderson wrote:
So, this means that the entries are being found in the directory,
but for some reason aren't being or can't be used for mapping - is
that correct?
get-namemap and set-namemap operate on the "real" data stored on the
Domain Controllers, while normal mapping operations operate get their
information from a subset stored on the Global Catalog servers. My
guess is that the attributes were not being propagated to the GC.
I believe that the problem is that msSFU30Name isn't exported to the
Global Catalog, and the directory-based name mapping stuff requires
that the data be visible in the Global Catalog.
Here's an article that says how to make an attribute visible in the
Global Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248717
Hmm, I tried that, but it didn't seem to help.
It might take a while for the GC to get updated. I don't know how that
mechanism works, but I believe they are separate databases and so I
doubt that changing the setting for an attribute has immediate effect.
I'm wondering if I should extend the AD schema as described in the
CIFS docs. Although it would seem redundant, since the desired data
is already in the SFU extensions.
I would hope that you could use the existing fields.
Note that you might be able to use sAMAccountName, which is already
propagated to the GC. sAMAccountName is shown in the UI as
"Pre-Windows 2000 logon name", and I believe is always a copy of the
msSFU30Name.
Thanks for all the assistance. Very helpful.
Sorry I can't be more definitive.
Here's a query that may help to illuminate matters. You have to run it
as root so that it can use your system's credentials. This is roughly
the query that the mapping code uses; if it doesn't retrieve the
appropriate attributes then mapping isn't going to work.
|# ldapsearch -R -h <yourGCserver> -p 3268 -s subtree -b '' -o
mech=gssapi -o authzid='' '(sAMAccountName=vuser1)'
|
# exte.comd LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (sAMAccountName=vuser1)
# requesting: ALL
#
# vuser1, Users, domain.com
dn: CN=vuser1,CN=Users,DC=domain,DC.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: vuser1
givenName: vuser1
distinguishedName: CN=vuser1,CN=Users,DC=domain,DC.com
instanceType: 4
whenCreated: 20091215103053.0Z
whenChanged: 20100510065727.0Z
displayName: vuser1
uSNCreated: 1122529
uSNChanged: 1352342
name: vuser1
objectGUID:: LtWX7JjtpUO3s3EVCIg1sg==
userAccountControl: 512
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAlY9rWhrl0jyBPJSISQUAAA==
sAMAccountName: vuser1
sAMAccountType: 805306368
userPrincipalName: vus...@domain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC.com
msSFU30Name: vuser1
msSFU30UidNumber: 100029
So that's what that looks like. Should be enough, at least for uid
resolution, or?
BTW, I just noticed something in a previous message:
svccfg -s svc:/system/idmap setprop
config/ds_name_mapping_enabled=boolean: true
svccfg -s svc:/system/idmap setprop
config/ad_unixuser_attr=astring:msSFU30Name
svccfg -s svc:/system/idmap setprop
config/ad_unixuser_attr=astring: msSFU30GidNumber
First, I assume that the last command should be setting
ad_unixgroup_attr, not ad_unixuser_attr. I assume that's simply a
transcription error, since your experiments seem to work.
Yes, it was a transcription error. But my experiments have stopped
working. This was after I deleted /var/idmap/db and restarted idmapd.
I also replicated msSFU30Name to the GC. Now I get:
# idmap get-namemap winuser:mand
Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'domain.com'
Found _ldap._tcp.dc._msdcs.domain.com 600 IN SRV [0][100] bdc2.domain.com:389
No namemap found in AD.
This is how idmapd is configured:
# svccfg -s idmap listprop
config application
config/list_size_limit count 0
config/stability astring Unstable
config/value_authorization astring solaris.smf.value.idmap
config/machine_sid astring
S-1-5-21-1373536303-522864990-3864964639
config/ds_name_mapping_enabled boolean true
config/ad_unixname_attr astring msSFU30Name
config/ad_unixgroup_attr astring msSFU30GidNumber
config/domain_name astring elego.de
rpcbind dependency
rpcbind/entities fmri svc:/network/rpc/bind
rpcbind/grouping astring require_all
rpcbind/restart_on astring restart
rpcbind/type astring service
filesystem-minimal dependency
filesystem-minimal/entities fmri svc:/system/filesystem/minimal
filesystem-minimal/grouping astring require_all
filesystem-minimal/restart_on astring error
filesystem-minimal/type astring service
general framework
general/action_authorization astring solaris.smf.manage.idmap
general/entity_stability astring Unstable
general/single_instance boolean true
general/value_authorization astring solaris.smf.manage.idmap
start method
start/exec astring /usr/lib/idmapd
start/timeout_seconds count 60
start/type astring method
stop method
stop/exec astring :kill
stop/timeout_seconds count 60
stop/type astring method
refresh method
refresh/exec astring ":kill -HUP"
refresh/timeout_seconds count 60
refresh/type astring method
tm_common_name template
tm_common_name/C ustring "Native Identity Mapping Service"
tm_man_idmapd template
tm_man_idmapd/manpath astring /usr/share/man
tm_man_idmapd/section astring 1M
tm_man_idmapd/title astring idmapd
tm_man_idmap template
tm_man_idmap/manpath astring /usr/share/man
tm_man_idmap/section astring 1M
tm_man_idmap/title astring idmap
Second, setting ad_unixgroup_attr to msSFU30GidNumber will *not* work.
This mechanism needs an attribute that contains a group *name*, not a
group *number*. Of course it would be easy to allow it to accept
either, but it doesn't currently.
That doesn't explain your problems with mapping vuser1, though.
--
Michael Anderson
IT Services & Support
elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany
phone +49 30 23 45 86 96 michael.anderson at elegosoft.com
fax +49 30 23 45 86 95 http://www.elegosoft.com
Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin
Amtsgericht Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss