[OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)

Gordon Ross gordon.w.ross at gmail.com
Fri Aug 10 02:21:10 UTC 2012


On Tue, Aug 7, 2012 at 9:25 AM, James Relph <james at themacplace.co.uk> wrote:
>> I've got a server hooked up to a 2003 AD and CIFS and netatalk are both allowing AD users to log in (netatalk 3 via PAM).  One thing that's a bit puzzling is that the afpd process correctly gets the correct username mapping (and shows up as being owned by the correct user with a ps listing), but whatever the user writes is only written as UID 60001 (i.e. nobody).
>
> Update time; after a further dig I assume that the reason the UID isn't being written to the filesystem is due to this (from the idmap man page):
>
> "To prevent aliasing problems, all file systems, archive and backup formats, and protocols must store SIDs or map all UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody user and group."
>
> So, the question becomes, is it possible to get OpenIndiana to store the SIDs for users, and if not, why will it store the GID as correctly mapped, but the UID is translated to 60001?  I can get around this with static maps, but obviously that's not ideal based on duplicating the AD user listing (can be scripted at least).
>
> What's even weirder is that the CIFS server happily stores the UID in the filesystem even if the ephemerally mapped UID is in the 2^31 to 2^32 range.
>
> Very, very odd.
>
> Any insight gratefully appreciated!
>
> James.

If you set up idmap to use IDMU, then you'll get the UID/GID values
provided by AD, which are presumably the same values your other LDAP
clients will get from AD. :)

-- 
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
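
The following is an added example, not part of the thread and not code from OpenIndiana or netatalk: a small audit that applies the range from the quoted idmap man page text (2^31 to 2^32 - 2) and the nobody ID 60001 mentioned above to file ownership, to find files whose owner was collapsed to nobody or that carry an ephemeral ID on disk. The function names, sample paths and sample IDs are constructed for illustration.

```python
import os

# Range taken from the idmap man page text quoted in the thread.
EPHEMERAL_MIN = 2**31
EPHEMERAL_MAX = 2**32 - 2
NOBODY = 60001  # "nobody", as stated in the thread

def classify(n):
    """Classify a numeric UID or GID as stored on disk."""
    if EPHEMERAL_MIN <= n <= EPHEMERAL_MAX:
        return "ephemeral"
    if n == NOBODY:
        return "nobody"
    return "other"

def storable(n):
    """ID a file system may store under the quoted rule when it cannot store SIDs."""
    return NOBODY if classify(n) == "ephemeral" else n

def audit(entries):
    """entries: iterable of (path, uid, gid). Returns a list of (path, finding)."""
    findings = []
    for path, uid, gid in entries:
        cu, cg = classify(uid), classify(gid)
        if "ephemeral" in (cu, cg):
            # Ephemeral IDs are allocated dynamically, so a stored one can alias later.
            findings.append((path, "ephemeral ID on disk"))
        elif cu == "nobody" and cg != "nobody":
            # The symptom described in the thread: owner lost, group kept.
            findings.append((path, "owner collapsed to nobody"))
    return findings

def walk(root):
    """Yield (path, uid, gid) for everything under root, without following symlinks."""
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            yield p, st.st_uid, st.st_gid

# Constructed sample entries (not taken from any real system).
SAMPLE = [
    ("/tank/share/afp-report.doc", 60001, 10000),
    ("/tank/share/cifs-notes.txt", 2147483650, 2147483651),
    ("/tank/share/local.txt", 101, 10),
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):  # use audit(walk("/some/share")) on a real tree
        print(f"{finding}: {path}")
```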