[OpenIndiana-discuss] OI idmap/smbsrv vs. older versions
Jim Klimov
jimklimov at cos.ru
Mon Dec 30 06:40:48 UTC 2013
Hello all,
A problem has been noted on a server upgraded (with migration
of configs) from older SXCE snv_117 into OpenIndiana oi_151a8
regarding kCIFS support: While the old installations performed
quite well as a CIFS server in the domain, serving also for some
clients that are not part of the domain (however, with Windows
logins and passwords on the standalone PCs being identical to
those in the domain), the new installation (with old configs
including old idmap setup database files) often refuses access
at least for these stand-alone machines because it does not
recognize login attempts as authenticated:
Dec 30 10:19:27 thumper smbsrv: [ID 138215 kern.notice] NOTICE:
smbd[THUMPER\nobody]: distribs access denied: guest disabled
This happens even if I redefine the password for users locally
in OI with passwd (the pam.conf patch for smb is applied).
The accounts who need access to the fileserver part are defined
locally (/etc/passwd et al) without AD LDAP clientship and stuff.
Possibly, this happens because the Windows client presents the
username prepended with its own local host name (PC\username)
in absence of the domain membership. Possibly, then it tries
"Guest" which is disabled.
However, if the user waits until after the timeout and types
his login as "THUMPER\username", the access is granted.
So, the current configs are as follows:
# grep -v '#' /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
cups account required pam_unix_account.so.1
gdm-autologin account sufficient pam_allow.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password required pam_smb_passwd.so.1 nowarn
# idmap list
add winname:Guest@thumper unixuser:nobody
add winuser:Administrator@thumper unixuser:root
add wingroup:*@domain.ru unixgroup:*
add "wingroup:Domain Users@domain.ru" unixgroup:staff
add "wingroup:Domain Admins@domain.ru" unixgroup:sysadmin
add wingroup:SYSTEM@domain.ru unixgroup:winsystem
add wingroup:Administrators@BUILTIN unixgroup:winadmins-builtin
add wingroup:Network unixgroup:winnet
add "wingroup:Authenticated Users" unixgroup:winusers-auth
add "wingroup:Schema Admins@domain.ru" unixgroup:winadmins-schema
add "wingroup:Enterprise Admins@domain.ru" unixgroup:winadmins-enterprise
add winuser:jim@domain.ru unixuser:jim
add "wingroup:Power Users@BUILTIN" unixgroup:winusers-power
add winuser:*@domain.ru unixuser:*
Adding another mapping that would match non-domain users to the
accounts defined in OI fails, possibly because the second pattern
is the same:
# idmap add 'winuser:*' 'unixuser:*'
add winuser:* unixuser:*
Error commiting transaction (Duplicate rule or conflicts with an
existing Unix to Windows name-based rule)
# idmap add 'winuser:*@thumper' 'unixuser:*'
add winuser:*@thumper unixuser:*
Error commiting transaction (Duplicate rule or conflicts with an
existing Unix to Windows name-based rule)
So... are there any ideas what can differ between the old and new
setups in a way that old works and new doesn't? Did the software
logic change somehow, or rather some config tweak was not migrated?
Thanks,
//Jim Klimov
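The following is an added example, not part of Jim's post or of the OpenIndiana code: a small model of idmap's Windows-to-Unix name-based rules, using the winuser rules quoted above, to show which rule a client-supplied login name (PC\username versus THUMPER\username versus a domain name) would hit, and why a bidirectional `winuser:* unixuser:*` rule is refused as a duplicate on the Unix-to-Windows side. The precedence order (exact name@domain before *@domain before *), the local-host shortcut and the conflict check are simplifications of the documented behaviour, not OI's implementation.

```python
# Added example (not from the original post): simplified idmap name-rule model.
# Rule precedence per idmap(1M): exact name@domain > *@domain > bare *.
# LOCAL_HOST and the conflict logic are assumptions for illustration.

LOCAL_HOST = "thumper"   # the file server's own (standalone/local) domain name

RULES = [  # (windows pattern, unix pattern, bidirectional) from 'idmap list' above
    ("Guest@thumper", "nobody", True),
    ("Administrator@thumper", "root", True),
    ("jim@domain.ru", "jim", True),
    ("*@domain.ru", "*", True),
]

def split_winname(name):
    """'DOMAIN\\user' or 'user@domain' -> (user, domain); bare 'user' -> (user, None)."""
    if "\\" in name:
        dom, user = name.split("\\", 1)
    elif "@" in name:
        user, dom = name.split("@", 1)
    else:
        return name, None
    return user, dom.lower()

def specificity(win_pattern):
    """Sort key: (wildcard user?, no domain?) -> False sorts first, i.e. most specific."""
    user, dom = split_winname(win_pattern)
    return (user == "*", dom is None)

def map_winuser(name, rules=RULES):
    """Unix account a Windows login resolves to, or None (falls through to Guest)."""
    user, dom = split_winname(name)
    for win, unix, _ in sorted(rules, key=lambda r: specificity(r[0])):
        rule_user, rule_dom = split_winname(win)
        if rule_user != "*" and rule_user.lower() != user.lower():
            continue
        if rule_dom is not None and rule_dom != dom:
            continue
        return user if unix == "*" else unix
    if dom == LOCAL_HOST:      # assumption: HOST\user resolves against local /etc/passwd
        return user
    return None                # e.g. PC\user from a non-domain workstation

def would_conflict(new_win, new_unix, rules=RULES, directional=False):
    """A bidirectional add also installs the reverse unix->win rule; that reverse
    side duplicates an existing one when the same unix pattern is already mapped."""
    if directional:
        return False
    return any(unix == new_unix and bidir for _, unix, bidir in rules)
```

In the model, PC\jim matches no rule and resolves to nothing (which is what the "guest disabled" notice reflects), while the `directional` flag stands for `idmap add -d`, which installs only the one-way rule and so avoids the reverse-side duplicate.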