[OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)

Frank Lahm franklahm at gmail.com
Sun Aug 12 17:42:47 UTC 2012


2012/8/11 Gea <alka at hfg-gmuend.de>:
> Frank Lahm <franklahm <at> gmail.com> writes:
>
>>
>> 2012/8/10 Gordon Ross <gordon.w.ross <at> gmail.com>:
>> > On Thu, Aug 9, 2012 at 11:56 PM, Frank Lahm <franklahm <at> gmail.com> wrote:
>> >> 2012/8/10 Gordon Ross <gordon.w.ross <at> gmail.com>:
>> > [...]
>> >>> If you setup idmap to use IDMU, then you'll get the UID/GID values
>> >>> provided by AD, which are presumably the same values your other LDAP
>> >>> clients will get from AD. :)
>> >>
>> >> <http://wiki.openindiana.org/oi/Active+Directory+Integration>
>> >> -f
>> >>
>> >
>> > http://lmgtfy.com/?q=solaris+idmap+idmu
>>
>> *sigh*
>> I was just giving a pointer to some doc I have spent considerable time
>> and effort to provide a consolidated resource for anybody facing this
>> problem.
>> You may notice that using idmu is one of the things explained in great length.
>> Feel free to add links and add enhancements.
>> -f
>>
>
> IDMU seems not really helpful.
> If one wants to provide a transparent multiprotocol server (CIFS + AFP + AD +
> ACL support)
> on OpenIndiana, it must be fully integrated into the builtin CIFS mechanism
> without the need to add
> anything to AD - with CIFS you need no IDMU due to ephemeral mappings.
>
> Netatalk needs to use the (by the CIFS service) already created idmappings or it
> must create
> a similar ephemeral mapping for new users (transparent for the next CIFS user).

Netatalk uses standard UNIX APIs for user and group identification,
authentication and authorization. That boils down to PAM and nsswitch.
So the question is not how to adapt Netatalk to undocumented and
private APIs, but how to configure PAM or in this case
name-service-switch.

> How can that be done?

You may try substituting idmap with winbind. idmap ephemeral mappings
are useless for every UNIX process beside CIFS and NFS servers
because

"To prevent aliasing problems, all file systems, archive and backup
formats, and protocols must store SIDs or map all UIDs and GIDs in the
2^31 to 2^32 - 2 range to the nobody user and group."

<http://docs.oracle.com/cd/E23824_01/html/821-1462/idmap-1m.html>

-f
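The ephemeral range quoted from idmap(1M) above, turned into a small audit as an added example (not code from this thread, from Netatalk, or from the OpenIndiana CIFS service): it parses constructed `ls -ln` output and flags files whose numeric owner or group falls in the 2^31 to 2^32 - 2 range, i.e. files that AFP, NFS clients and archivers will attribute to nobody/nogroup because no name service can resolve those IDs. The listing format and the sample entries are assumptions for illustration.

```python
import re

# idmap(1M): ephemeral UIDs/GIDs occupy 2^31 to 2^32 - 2. No nsswitch
# backend resolves them, so every UNIX process other than the CIFS and
# NFS servers sees such an owner or group as "nobody".
EPHEMERAL_MIN = 2 ** 31
EPHEMERAL_MAX = 2 ** 32 - 2


def is_ephemeral(ident: int) -> bool:
    """True if a numeric UID or GID lies in idmap's ephemeral range."""
    return EPHEMERAL_MIN <= ident <= EPHEMERAL_MAX


# One line of `ls -ln` output: mode, link count, uid, gid, size,
# three date/time fields, then the file name (assumed layout).
_LS_LINE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def audit_listing(listing: str) -> list:
    """Return the entries whose owner or group is an ephemeral ID.

    These files behave as intended over CIFS, but Netatalk (AFP), other
    NFS clients and backup formats that store numeric IDs will map the
    owner and/or group to nobody, which is the aliasing problem idmap(1M)
    warns about.
    """
    findings = []
    for line in listing.splitlines():
        m = _LS_LINE.match(line)
        if not m:
            continue  # skips "total N" and blank lines
        uid, gid = int(m["uid"]), int(m["gid"])
        if is_ephemeral(uid) or is_ephemeral(gid):
            findings.append({"name": m["name"], "uid": uid, "gid": gid,
                             "ephemeral_uid": is_ephemeral(uid),
                             "ephemeral_gid": is_ephemeral(gid)})
    return findings


# Constructed sample listing; not captured from any real system.
SAMPLE = """\
total 12
-rw-r--r--   1 1001       100          512 Aug 12 17:42 notes.txt
-rw-rw----   1 2147483648 2147483649  4096 Aug 12 17:43 from-cifs.doc
drwxr-x---   2 1001       2147483650   512 Aug 12 17:44 shared
"""

if __name__ == "__main__":
    for f in audit_listing(SAMPLE):
        print(f"{f['name']}: uid={f['uid']} gid={f['gid']} -> nobody outside CIFS/NFS")
```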
