[OpenIndiana-discuss] ZFS/CIFS shares in cross domains

Christopher Chan christopher.chan at bradbury.edu.hk
Wed Dec 14 06:13:11 UTC 2011


/me cringes...

On 151a...I wonder if my problem will go away if I actually dist-upgrade...

Oh well, come Monday I shall know.



On Wednesday, December 14, 2011 01:57 PM, alexei at soemail.rutgers.edu wrote:
> On OI 151a, the canonical name works fine for mapping the shares, but FQDN
> does not. Perhaps the bug was not fixed in OI, unlike in Nexenta, as you
> suggested.
>
>
>    
>> On Wednesday, December 14, 2011 09:17 AM, Patrick O'Sullivan wrote:
>>      
>>> I found that issue: https://www.illumos.org/issues/1087
>>>
>>> However, that issue itself is that certain modes of access try to force
>>> Kerberos auth, not that Kerberos auth itself is broken.
>>>
>>> Do you know if the Kerberos auth issue was fixed or if they made
>>> accessing \\servername.fqdn work like \\servername (i.e. using pass
>>> through auth)?
>>>
>>>        
>> No idea as I am not a Nexenta customer. The details appear to be on the
>> Nexenta bug tracking system.
>>
>> My problem is that accessing \\servername does not work but \\serverip
>> does...
>>
>>
>>      
>>> Googling for the Nexenta support number doesn't turn anything up.
>>>
>>> On Dec 13, 2011, at 7:44 PM, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:
>>>
>>>
>>>        
>>>> There is an illumos issue on this I think: #1087. A fix is available
>>>> but I don't know if it has been applied to the illumos 151 tree and
>>>> whether OI has packaged that.
>>>>
>>>>
>>>>
>>>> On Wednesday, December 14, 2011 08:18 AM, Patrick O'Sullivan wrote:
>>>>
>>>>          
>>>>> Question for the group at large:
>>>>>
>>>>> Was true Kerberos support for CIFS ever added? It's tough to tell
>>>>> because the old OpenSolaris documentation/bug tracking has been
>>>>> largely taken down.
>>>>>
>>>>> Here's one of the old references I can find:
>>>>> http://arc.opensolaris.org/caselog/PSARC/2009/673/20091209_natalie.li
>>>>>
>>>>> Alexei,
>>>>>
>>>>> If you read that, you'll see that as of when it was written, the CIFS
>>>>> service could do pass through auth but not true Kerberos auth. Maybe
>>>>> pass through is working for members of ADS.DOMAIN.EDU but not for
>>>>> KRB.REALM.EDU as those users are not part of ADS.DOMAIN.EDU. Maybe
>>>>> some packet captures would help see what the flow actually looks like?
>>>>>
>>>>> On Dec 12, 2011, at 10:08 PM, alexei at soemail.rutgers.edu wrote:
>>>>>
>>>>>
>>>>>
>>>>>            
>>>>>> Greetings,
>>>>>>
>>>>>> I'm trying to set OpenIndiana 151a as a storage server, ZFS/CIFS, in
>>>>>> a cross Realm/Domain trust infrastructure. Namely, I have an MIT
>>>>>> Kerberos 5 server, providing realm KRB.REALM.EDU, and an Active
>>>>>> Directory Windows 2003 server, providing domain ADS.DOMAIN.EDU, set
>>>>>> with cross DOMAIN/REALM two-way trust.
>>>>>>
>>>>>> The OpenIndiana ZFS/CIFS server is added to the domain,
>>>>>> ADS.DOMAIN.EDU, and allows mapping shares onto Windows 7 desktops in
>>>>>> the domain for the domain users, for example alex at ADS.DOMAIN.EDU.
>>>>>> However, the user who logs in to the same desktop as the realm user,
>>>>>> such as alex at KRB.REALM.EDU, appears to the ZFS/CIFS server as Guest
>>>>>> and cannot map the shares, unlike the domain users.
>>>>>>
>>>>>> However, my NetApp filer, which also operates in ADS.DOMAIN.EDU, has
>>>>>> no problem mapping the shares for both the domain and the realm
>>>>>> accounts.
>>>>>>
>>>>>> Is there any limitation in ZFS/CIFS on OpenIndiana 151a that
>>>>>> disallows access to the shares in the cross Domain/Realm two-way
>>>>>> trust case?
>>>>>>
>>>>>> Any of your recommendations and advice would be appreciated.
>>>>>> Thanks,
>>>>>> Alexei
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenIndiana-discuss mailing list
>>>>>> OpenIndiana-discuss at openindiana.org
>>>>>> http://openindiana.org/mailman/listinfo/openindiana-discuss



