Hi,
I've got a server hooked up to a 2003 AD and CIFS and netatalk are both
allowing AD users to login (netatalk 3 via PAM). One thing that's a bit
puzzling is that the afpd process correctly gets the correct username mapping
(and shows up as being owned by the correct user with a ps listing),
> I've got a server hooked up to a 2003 AD and CIFS and netatalk are both
> allowing AD users to login (netatalk 3 via PAM). One thing that's a bit
> puzzling is that the afpd process correctly gets the correct username mapping
> (and shows up as being owned by the correct user with a ps listin
As may have become obvious from my last few posts we've been looking at Active
Directory integration for the past few weeks (and pretty hard for the past
week). Obviously the CIFS server integration with AD seems pretty reasonable
straight out of the box, but other services that want to use AD
> I would say, OpenIndiana/ Solaris (as a fileserver) is useless without its
> Windows compatible
> Snap, ACL and CIFS features. These are the killer arguments to use OI/
> Solaris widely - the most compatible
> Windows-server on Unix.
I think the only thing you're missing moving to SAMBA+winbi
> The problem that must be solved:
> a File created from CIFS must have the same owner SID/ ACL/ UID/ GID
> like those created with netatalk. (interoperabiity)
The thing is that surely that's an API or system level requirement - it
shouldn't be up to each server application to reverse-engineer wh
Hi Frank,
> ...
> To prevent aliasing problems, all file systems, archive and
> backup formats, and protocols must store SIDs or map all
> UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody
> user and group.
> ...
>
I guess my question from that after seeing wh
>>
> I haven't wrapped my head around what Gea tried to describe, so I
> can't really comment on that but afaict it' wooly thinking (tm).
>
Shoop!
> However, I think I was able to solve the problem described here (it
> seems seteuid(0) is not enough if your effective gid is an ephemeral
> one,
Hi Gordon,
Apologies, missed this the other day.
My advice would be to make it easier to use IDMU. The modifications
to AD to support IDMU are quite widely accepted these days, at least
in organizations that have both Windows and *nix.
The problem is that some of the organisations w
Yes, ephemeral IDs are temporary representations of Security
Identifiers (SIDs). The idmapd(1m) daemon maintains these in a cache,
with time-to-live (TTL) based expiration. There's a library API for
turning an ephemeral ID back into a SID - see: idmap_get_sidbyuid
http://src.illumos.org/
> Really? Where is your evidence? I don't think I've ever seen one
> change except after a reboot.
>
The cache TTL for idmap is only 10 minutes from what I've seen (
http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ). I
read somewhere (sorry, can't find the source a
> The cache TTL for idmap is only 10 minutes from what I've seen (
> http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ).
> I read somewhere (sorry, can't find the source at the moment) that while a
> user is logged in their ephemeral UID won't change, but that may only
> The cache TTL for idmap is only 10 minutes from what I've seen (
> http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ).
> I read somewhere (sorry, can't find the source at the moment) that while a
> user is logged in their ephemeral UID won't change, but that may only
That will require a better groomed Netatalk package & SMF manifest. Right
now that's a slightly messy thing to set up.
This to some extent goes back to something I've been talking about recently.
The current version of netatalk (v3) is actually excellent on OI. NetAFP added
cross-protocol
> AD issues are going to require someone tenacious, motivated, and a bit
> masochistic as it's historically been a bit of a moving target.
AD seems reasonably stable these days, and in fact the current Illumos strategy
works 90% of the way, it's the idmap that actually breaks down because of the
> what about using winbind? Works with Netatalk and I guess it will also
> work with Solaris CIFS.
>
> We haven't been able to get supplementary groups working, but I'm
> pretty sure that could be solved, possibly by installing an updated
> winbind from sources.
Hi Frank,
Winbind worked straigh
>>
> really? Can you elaborate? The thing is, I'm in the process of
> compiling and updated winbind from latest Samba sources (and
> documenting that process) in order to test with that if the problems
> with supplementary groups go away and if it works with Solaris CIFS.
After I'd installed winb
> You need to post and/or analyse the errorlog of the smb service.
> Assuming killed more cats than curiosity ;-)
>
I know, but this had been a bit of a marathon getting to this point alone, and
all I needed at the time was AFP. I will have another look when I get half an
hour.
James.
__
> Having winbind and Solaris CIFS joined to AD at the same time can not
> be done by default, as both will try to associate the computer account
> in AD with their own authentication system and change the machine
> password. Back to square one.
> -f
Do you need CIFS to be joined to AD? Can you
Hi all,
I'm guessing the answer to this is no, but does anyone know if it is possible
to get COMSTAR running inside a non-global zone? I've tried a pkg install
storage-server (which seems to go OK) but I can't get stmf started up (just not
aware of the service) nor iscsi/target.
It's not crit
Hi all,
Bit of a curious one this, but is anyone aware of anything that could cause
CHAP authentication failure from certain initiators? We're setting up VMware
against a storage box, and for one of the VM initiators it's working fine (can
see the LUN no problem). For another initiator, setup
Hi all,
I wonder if anyone has seen this problem before. We're running OI 151a7 under
VMware 5. We had the system go down (hardware failure effectively) and when we
brought it back up, it can no longer access any iscsi targets (also OI 151a7,
but running on baremetal on the storage side).
Th
side and solve it.
> I dont know wich one u use ( storage )
> El 30/11/2012 17:08, "James Relph" escribió:
>
>> Hi all,
>>
>> I wonder if anyone has seen this problem before. We're running OI 151a7
>> under VMware 5. We had the system go down (
> very strange so i got some basic questions :
>
> are you using only one path ?
Single path over four 10Gbe as an LACP aggregate.
> are you using jumbo frames ( host, storage, switch )
Yup, 9000 on everything.
> iscsi services are up i guess
Yep.
> from storage side are you able to see the
>> very strange so i got some basic questions :
>>
>> are you using only one path ?
>
> Single path over four 10Gbe as an LACP aggregate.
Actually, just realised I did that the wrong way around. The storage servers
are all setup like that. The VMs have failover on the physical side, but
acc
Hi all,
We've been running a few instances of Oi151a7 under VMware 5.1 and have been
able to get the vmxnet3 driver working reasonably well, except oddly for iSCSI
traffic (CIFS and AFP via netatalk are absolutely fine). After a while running
iSCSI over the interface crashes the system and iSC
> This sort of thing is more easily done if the people doing the work receive
> compensation for it rather than doing the work in their spare time from a
> different paying job.
>
> If there was an "OpenIndiana Foundation" which could receive
> contributions/payments, then it would be possible
> Would a Kickstarter project to fund an OI support group be possible? The
> problem is you need a certain level of commitments to justify setting up a
> support operation.
>
> I was quite happy to pay Sun for a 3 year Gold level contract on my Ultra 20
> when I bought it. $250/yr to fund s
> As I understand it the strategy was always to encourage the proliferation of
> solution providers and integrators to fulfill this function.These It was
> thought would form in the market where a stable release,sufficient
> development had taken place to provide significant market penetration a
> Which is fine to some extent, but what that has led to are a lot of quite
> specific solutions for situations not everyone is in (SmartOS is obviously
> heavily cloud-oriented) or companies very focussed on selling (not
> necessarily cheap) support. I'd quite like to see OpenIndiana thrive as
> As Martin mentions SCHUFA it seems Martin is already fallen off the
> cliff, so I'd like to encourage anbody who's considering to donate
> something to Martin's efforts to act *now*.
> --f
I've sent something as well Martin, hope we can get rid of that negative symbol
James
___
> How about something along the lines of the following:
>
> List active developers on the website for OI along w/ what they are working
> on.
>
> If you want to fund that person's work, you sign up to provide a certain
> amount which is divided into equal allotments for each month remaining in
> I'd like to suggest as a social convention that the initial "license fee" be
> 10% of system cost and "support fee" after the first year at 5%. Purely
> voluntary the way tipping service staff in restaurants used to be. No
> distinction between used or new equipment. So if you spin up an old
> I, personally, appreciate their efforts very much. I just think that funding
> individual developers is probably the best we can reasonably hope for at this
> time. It's not as complete of a solution as paying one or more people to
> work on OI full time; but at least it would be a step in t
> However, in case that your filesystems for some reason rely on ACLs
> and extended attributes (not so for the default installation) you
> might have to use the Sun tar or cpio (not the GNU variants).
For what it's worth you can build the 3.0.10-dev versions of rsync with Solaris
xattr and ACL s
> If you want security updates, there's no reason why some of you can't get
> together and start your own business offering these updates for a fee. OI is
> open source. You wouldn't necessarily have to start your own distribution,
> although you could do that, too. But the code base is out t
Hi all,
I just wondered if anyone here was particularly familiar with idmap's diagonal
mapping? It looked like it could be quite handy for adding group permissions
with static maps (eg. Windows Group is mapped to a single unix user), but I'm
wondering if it is possible to use it like that. Wh
Hi all,
Another idmap issue! Just trying a new VM for some troubleshooting and I can't
seem to get the name_cache_timeout and id_cache_timeout settings to work on
here. I've run:
svccfg -s svc:/system/idmap setprop config/name_cache_timeout=count: 31536000
svccfg -s svc:/system/idmap setprop
Hi Reg,
> svccfg -s svc:/system/idmap listprop "config/*"
config/list_size_limit count0
config/stabilityastring Unstable
config/value_authorization astring solaris.smf.value.idmap
config/machine_sid astring S-1-5-21-3389328288-2012474116-2712525247
config/domain
> Just in case, you also did "svcadm refresh idmap" after changing SMF
> service properties and before restarting the service, right? ;)
I think so, although you've got me wondering now. Although saying that, it's
appearing correctly in the idmap database, so presumably I did and that should
be
> FWIW "svcadm restart idmap" loads the new setting properly on oi_151a7 w/o an
> "svcadm refresh idmap".
Yep, didn't make any difference:
18:30:00 uid=2147508225(james@themacplace.private) gid=2147483650(Domain
Users@themacplace.private)
18:31:00 uid=2147508225(james@themacplace.private) g
> Try modifying your cron job to do a:
>
> "idmap dump -nv"
I'll add that in, see what drops out.
> Writing a static set of name rules using awk should be pretty trivial if one
> can query Windows and Mac OS for authorized user name lists. Updating could
> be triggered by a request that didn
> I did think of that, but it's things like triggering that, keeping it up to
> date (ie. when users are removed from AD) and the rest, and I thought it
> might become quite a big project really and something that may be better
> written as some kind of alternate idmap option (i.e. instead of ju
> Unless I've badly misunderstood what I've read it can do that now. Of
> course, comments and code are not always in agreement. Or perhaps the more
> common, "However, if you did that then, you can't do this now."
The thing is that there doesn't seem to be anything anywhere that actually sa
> Are you saying there's another copy besides idmap.db? I'd not seen evidence
> of that.
No, but even if an object is already in the cache, it still seems to be
updating the UID. It doesn't seem to be the case that an entry in the idmap
cache is a static entry. Either that or the cache time
Hi all,
I'm guessing this is a bug in idmap, but can someone just confirm if they have
ever seen this
# idmap list
add wingroup:administrators@DOMAIN.LOCAL unixgroup:winadm
# getent group "administrators@domain.local"
administrators@coolblue.local::102:
# getent group "administrators@DOMA
Hi Jim,
> I think we've hit this years ago in one SXCE installation, and just
> forced lowercase domain names with entries like this (there are many
> per-user definitions also, I am not sure if they are the real key to
> success):
>
> add winname:Guest@thumper unixuser:nobody
> add win
Hi all,
I just wondered if anyone knew why a COMSTAR iSCSI re-share would show up as
"Drive type unknown" using the format command, whereas other luns (from
different hosts) are unaffected (show up as COMSTAR OI)? It doesn't seem to be
causing any problems, I just thought it was odd!
Thanks,
Hi all,
I've managed to get a YubiKey ( http://www.yubico.com ) working on Oi151a7
(follow up post on that shortly) but I just wondered if anyone knew if it was
possible to use that with the build in SSH service, or if it does require
OpenSSH installing? I've got to the point where it asks for
Hi all,
I am going to stick a wiki page up explaining the process involved in getting
the YubiKey software installed, and I just wondered about how much I had needed
to update/install to get it working. In terms of software other than the
YubiKey software I needed to put on new versions of aut
Talking to myself here, but the answer is no, it doesn't need OpenSSH. It
works fine with the built-in SSH server. I was having a few problems getting
it working but tracked it down to a typo in the yubikey_mappings file. Works a
treat!
Thanks,
James.
On 26 Mar 2013, at 09:56, James
Hi all,
Has anyone seen the below error with pkg before? This is with a brand new
install of 151a7, in the global zone:
Traceback (most recent call last):
File "/usr/bin/pkg", line 45, in
import pkg.client.api as api
File "/usr/lib/python2.6/vendor-packages/pkg/client/api.py", line 34,
27 Mar 2013, at 18:36, Alexander Eremin wrote:
> Sometimes this is due bad *.pyc somewhere. You can try to delete them in
> vendor-packages/pkg
> directory before.
>
> Alexander
>
> On 27.03.2013, at 20:58, James Relph wrote:
>
>> Hi all,
>>
>> Has a
Hi,
Apologies for cross posting, but I'm not sure if this is an Oi issue or a
cswsamba issue. I've installed cswsamba (3.6.15) and cswsamba_winbind on an OI
box (151a7). I've got it bound to AD fine, and winbind itself seems to be
operating perfectly (I've actually got netatalk happily authen
Thanks Laurent, appreciate the help.
> I'm maintaining that package, I do want to keep it running on OI as well, so
> it's good to know it's working there.
Both cswsamba and cswwinbind do seem to be working fine, they're just not
talking to each other!
> It might be a Samba configuration issue
> Well, the lines you had shown appeared to show they were talking, just the
> answer was negative for some reason.
Interesting, odd that the PAM side is working though. It's been very annoying
I'll say that.
> Do you remember where?
Here: https://www.opencsw.org/mantis/view.php?id=5020
>
> I think might be a problem. Those are the 32 bit modules. I don't think
> you're running the system 32 bit, so apps requesting 64 bit pam will not be
> happy.
> I think you should try with $ISA (implicit for the relative names), something
> like that:
> /opt/csw/lib/$ISA/security/pam_winbind.
> You need to have both, hence the $ISA, since 32 and 64 bits apps will
> each need the proper binary.
> And I realized I gave you a wrong path earlier for the ldd, forgotten I
> had just introduced both 32/64 Samba binaries, I should have noticed it
> was way too short:
> /opt/csw/sbin/amd64 or /o
Just been looking into this a bit and I wondered if the was any chance that
this group issue could be causing problems (users are in a lot of groups):
https://bugzilla.samba.org/process_bug.cgi
Does the current version of cswsamba have those patches? I tried compiling a
version from scratch, b
> If Andrew doesn't respond, let me know. It shouldn't be too hard to get these
> right for Samba 4.
Thanks Frank, I think Samba4 looks in general a little easier - even the
compilation seems more straightforward than 3. The benefit there is I can get
Samba4 to actually use winbind properly!
> You should be able to just upgrade to them:
> pkgutil -t http://buildfarm.opencsw.org/opencsw/experimental/laurent -u
Hi Lauren,
Thanks for that, the patches seem to work and I can use netatalk with winbind
still (with more groups now!), but SMB is still a no go, I just get:
check_ntlm_passw
> Laurent with a 't', so it's male, just for the record ;-)
Sorry, typo there, I did get it right earlier!
>
> Careful, IIRC, the "No such user" answer for Samba is an authentication
> issue, you can get that even when the user is indeed there, but with eg a bad
> password. While the pam resu
> What do you get when you do wbinfo -a user or wbinfo -k user?
Plaintext and Kerberos authentication succeeds, but challenge-response doesn't
for some reason. Not sure if that's related?
Thanks,
James.
___
OpenIndiana-discuss mailing list
OpenIndian
>>
> Depends I guess. I have the same results but things work over here...but then
> I did build a patched version of samba and I don't just run vanilla samba
> like what csw built.
>
I tried the same approach myself but ran into a problem building samba as it
was complaining about being unab
> LDAP_LIBS="-lldap-2.4 -llber-2.4"
>
> You may also need to add -I/usr/include/openldap to CFLAGS.
Thanks, that got me past the LDAP error! Just a Kerberos error now... sigh...
checking for working krb5-config... no. Fallback to previous krb5 detection
strategy
I've got Kerberos installed an
> Thanks, that got me past the LDAP error! Just a Kerberos error now... sigh...
For reference this fixes that:
export CPPFLAGS="-I/usr/include/kerberosv5"
James
___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindian
Hi all,
I still haven't been able to get Samba 3.6 working (of any variety), but I have
managed to get Samba4 up and running, and it's pretty good.
I'll check these notes to make sure these are accurate, but these are the steps
to have a non-global zone in Oi 151a7 sharing out SMB and AFP with
> All the rest is good but that crle line - ugh.
Ignore that, I should have deleted it out. I was using that while trying to
sort out the LDFLAGS bit, but it's not necessary.
One thing in terms of the LDFLAGS line actually that you might know (I really
don't compile stuff this complicated ver
> Okay, now I am tempted. You built samba4 on oi151a7 with gcc?
Yep, it's actually pretty straightforward when you work out the requirements,
there's not tons of dependencies or other bits, my final working solution (I
did this in a zone, so there's a few extra bits in here that aren't needed i
Hi all,
Just wondered if anyone could confirm something here, I've got a Oi151a7 box
with a Qlogic FC card and I'm having a few issues with mpxio multipathing on
there (ie. it won't do it). One thing I wondered though, should this be using
the qlc driver? The card seems to work, but I'm seein
Hi Karl,
> I think we need more information to be able to help.
> Have you enabled mpxio? Have a look at the stmsboot command.
mpxio is enabled.
> What kind of Qlogic card do you have. Oem or original Qlogic, and model.
> In "old" Sun days you could buy Sun OEM Qlogic cards that used the QLC dr
Turns out that the settings provided by the manufacturer of the array were
incorrect (typically). For what it's worth the setting to get RamSan units
using multipath is to add:
scsi-vhci-failover-override =
"TMS RamSan", "f_sym";
Just the two lines, works fine now. The documentat
Hi all,
Just as a follow up from the samba4 build (which has been working fine in terms
of basic access and winbind for netatalk), has anyone had any success using
Samba with ZFS ACLs?
I've built Samba (4 again) with:
--with-shared-modules=nfs4_acls,vfs_zfsacl
and in smb.conf I have:
[Share]
00:07:13.741725, 5] ../source3/smbd/vfs.c:103(smb_register_vfs)
Successfully added vfs backend 'zfsacl'
Successfully loaded vfs module [zfsacl] with the new modules system
No obvious errors in samba.log (log level set to 5), but just seems to be
ignoring the ACLs still.
James.
O
in.
James
Principal Consultant
Website:www.themacplace.co.uk
On 31 Jul 2013, at 00:40, James Relph wrote:
> Just as a bit more detail on this, the module itself does seem to be loading
> OK:
>
> Loading module 'zfsacl': Trying to load from
> /us
Hi all,
Does anyone know if the current version of OpenIndiana (either 151a7 or
hipster) has a fix in for this issue (in terms of mpt timeouts being honoured):
http://blogs.everycity.co.uk/alasdair/2011/05/adjusting-drive-timeouts-with-mdb-on-solaris-or-openindiana/
I had a look at the associat
Hi all,
Is anybody using Oi as a data store for VMware using NFS or iSCSI?
Thanks,
James.
Sent from my iPhone
___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
using the same iSCSI targets without any
errors at all, so it is all a bit odd.
Thanks,
James
On 10 Aug 2013, at 14:32, Edward Ned Harvey (openindiana)
wrote:
>> From: James Relph [mailto:ja...@themacplace.co.uk]
>> Sent: Saturday, August 10, 2013 6:12 AM
>>
>> Is
t;
>> On 2013-08-11 11:13, James Relph wrote:
>> Hi Ed, Chip,
>>
>> Thanks for the responses, it was basically to see whether people had been
>> having any compatibility issues with Oi as backend storage. We've seen
>> datastore disconnects in the ESXi h
> Also, does your host use ipfilter to filter and/or NAT access to the
> iSCSI and NFS services?
Nope, dedicated physical 10Gb network for iSCSI/NFS traffic, with 4x 10Gb links
(in an LACP bond) per device. Should be pretty solid really.
Thanks,
James.
___
> If I recall correctly, you can set LACP parameters that determine how
> fast the switch-over occurs between ports, the interval at which the
> interfaces send LACP packets, and more. These can be set on either the
> OS or switch side depending on the vendor. So if you've determined
> that there i
> I think we found your smoking gun. You're getting ping loss on a local
> network, and you're using 4x 10Gb LACP bonded network. And for some reason
> you say "should be pretty solid." What you've described is basically the
> definition of unstable, if you ask me.
No, we're not getting any
our
>> observations.
>>
>> Sent from my android device.
>>
>> -Original Message-
>> From: "Edward Ned Harvey (openindiana)"
>> To: Discussion list for OpenIndiana
>> Sent: Tue, 13 Aug 2013 7:22 AM
>> Subject: Re: [OpenIndian
>> the same servers as iSCSI targets has no iSCSI errors at the same time as
>> VMware is freaking out
>
> Is VMware using iSCSI as well or NFS?
Tried it with both (iSCSI originally), and oddly it's basically the exact same
issue (frequent disconnects) between NFS and iSCSI. You would be con
83 matches
Mail list logo
