[OpenIndiana-discuss] ZFS/CIFS shares in cross domains

Christopher Chan christopher.chan at bradbury.edu.hk
Wed Dec 14 02:13:05 UTC 2011


On Wednesday, December 14, 2011 09:17 AM, Patrick O'Sullivan wrote:
> I found that issue: https://www.illumos.org/issues/1087
>
> However, that issue itself is that certain modes of access try to force Kerberos auth, not that Kerberos auth itself is broken.
>
> Do you know if the Kerberos auth issue was fixed or if they made accessing \\servername.fqdn work like \\servername (i.e. using pass through auth)?
>    

No idea as I am not a Nexenta customer. The details appear to be on the 
Nexenta bug tracking system.

My problem is that accessing \\servername does not work but \\serverip 
does...


> Googling for the Nexenta support number doesn't turn anything up.
>
> On Dec 13, 2011, at 7:44 PM, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:
>
>    
>> There is an illumos issue on this I think: #1087. A fix is available but I don't know if it has been applied to the illumos 151 tree and whether OI has packaged that.
>>
>>
>>
>> On Wednesday, December 14, 2011 08:18 AM, Patrick O'Sullivan wrote:
>>      
>>> Question for the group at large:
>>>
>>> Was true Kerberos support for CIFS ever added? It's tough to tell because the old OpenSolaris documentation/bug tracking has been largely taken down.
>>>
>>> Here's one of the old references I can find: http://arc.opensolaris.org/caselog/PSARC/2009/673/20091209_natalie.li
>>>
>>> Alexei,
>>>
>>> If you read that, you'll see that as of when it was written, the CIFS service could do pass through auth but not true Kerberos auth. Maybe pass through is working for members of ADS.DOMAIN.EDU but not for KRB.REALM.EDU as those users are not part of ADS.DOMAIN.EDU. Maybe some packet captures would help see what the flow actually looks like?
>>>
>>> On Dec 12, 2011, at 10:08 PM, alexei at soemail.rutgers.edu wrote:
>>>
>>>
>>>        
>>>> Greetings,
>>>>
>>>> I'm trying to set OpenIndiana 151a as a storage server, ZFS/CIFS, in a
>>>> cross Realm/Domain trust infrastructure. Namely, I have an MIT Kerberos 5
>>>> server, providing realm KRB.REALM.EDU, and an Active Directory Windows
>>>> 2003 server, providing domain ADS.DOMAIN.EDU, set with cross DOMAIN/REALM
>>>> two-way trust.
>>>>
>>>> The OpenIndiana ZFS/CIFS server is added to the domain, ADS.DOMAIN.EDU, and
>>>> allows mapping shares onto Windows 7 desktops in the domain for the domain
>>>> users, for example alex at ADS.DOMAIN.EDU.
>>>> However, the user who logs in to the same desktop as the realm user, such
>>>> as alex at KRB.REALM.EDU, appears to the ZFS/CIFS server as Guest and cannot
>>>> map the shares unlike the domain users.
>>>>
>>>> However, my NetApp filer, which also operates in ADS.DOMAIN.EDU, has no
>>>> problem mapping the shares for both the domain and the realm accounts.
>>>>
>>>> Is there any limitation in ZFS/CIFS on OpenIndiana 151a that disallows
>>>> access to the shares in the cross Domain/Realm two-way trust case?
>>>>
>>>> Any of your recommendations and advice would be appreciated.
>>>> Thanks,
>>>> Alexei
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenIndiana-discuss mailing list
>>>> OpenIndiana-discuss at openindiana.org
>>>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>>>>
>>>>          



