[OpenIndiana-discuss] DNS Alias issue for CIFS - network, path not found on Win7

Robbie Crash sardonic.smiles at gmail.com
Thu Mar 7 16:36:04 UTC 2013


>> AD integration with the builtin CIFS server is dead easy. I've joined OI to
>> 2003/2008 and 2012 native functioning domains with no issue.
>>
> The command "smbadm join -u" runs w/o any problem. But when it comes to
> idmap I have suffered a major screw-up just two days ago that cost me
> dearly. As soon as the kerberos was configured, and * users and the
> often-mentioned basic Domain Users and Domain Administrators groups were
> added in idmap, no share including those with guest access could be
> accessed anymore. Messages was flooded with "smbd[1862]: [ID 801593
> daemon.error] smb_idmap_batch_getmappings: Mapping not found or inhibited".
> I couldn't find a way to solve that issue.
>
> Even when I left the domain, idmap continued to run amok. idmap and smb/server
> would hang with no way to kill it until I changed the workgroup to an
> ephemeral value and flushed idmap after another re-boot of the whole
> machine. This came with a serious but sneaking degradation of CIFS shares
> access, kicking in after approx. 8 hours from when I initially had left the
> domain.
>

I'm assuming you followed the Oracle docs on domain joining?
http://docs.oracle.com/cd/E23824_01/html/821-1449/configuringoperationmodetm.html

In my experience, idmap failures are a result of only a few things:
1. The username/group is misspelled somewhere in idmap. Verify in idmap
list that it's winuser:user@domain.tld unixuser:user; the FQDN is required
for the Windows user portion, i.e. not just domain\user or user@domain, but
domain.com\user or user@domain.com.
2. Connections to the DC are failing either because of networking issues or
because kerberos wasn't happy about something. Usually clock skew.
3. A problem with the Windows user account, locked out/must change password
at next logon/expired password
4. DNS on the OI box being pointed somewhere other than a GC DC.

Check idmapping with idmap show -cV uid:UNIXUID to see what's happening
when idmap tries to do the lookup.

Is the OI box able to look up Windows hosts by shortname?


>> What is serving DNS for you?
>>
> The AD PDC.

Windows box? What version?


>> Are you using WINS?
>>
> Not on OI, not on the DCs
>
>> Do you have NetBIOS enabled?
>>
> No
>

Do the clients know this?


>> Are you using IPv6?
>>
> Deactivated on fileserver, and all DCs.  Some clients don't have IPv6
> deactivated, but the issue occurs on pure IPv4 clients as well.
>
>> Do your XP clients face the same connection problems?
>>
> Probably related ones, yes. I am not sure if the explicit error message
> occurred there.



>> What about Windows 8?
>>
> Not enough experience yet.
>
>> You've said you still get failures when accessing by IP, correct? On all
>> clients at the same time, or sporadically across clients?
>>
> The issue is always sporadically on individual clients.
>
>> What applications are you using to access the server? IE: Are you opening
>> things through Explorer, or are you opening things through Office?
>>
> Explorer and Office. In Office the outages are more extreme.
>

See if disabling SMB security signing checks on a couple clients eliminates
the issue. Office is particularly finicky about this, and I have no idea
why. The registry changes in the Workaround section of this TechNet article
will do what you need:
http://support.microsoft.com/kb/982860
Disabling signing will make MITM attacks easier.


>> Are you using offline files?
>>
> Not that I am aware of.
>
> Thanks for your help.
>
> With kind regards,
>
> Sebastian
>



-- 
Seconds to the drop, but it seems like hours.

http://www.openmedia.ca
https://robbiecrash.me
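
Added example (not part of the original post, and not OpenIndiana code): a small linter for point 1 of the checklist above, flagging name-based mapping rules whose Windows side lacks a fully qualified domain. The `add <windows-id> <unix-id>` line layout and the sample rules are constructed assumptions modelled on the winuser:/unixuser: form quoted in the post.

```python
import re

# Windows-side identity prefixes as they appear in the post's rule form.
WIN_PREFIXES = ("winuser:", "wingroup:")
# Split a rule line into tokens, keeping quoted names with spaces together.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Constructed sample of name-based rules (assumed layout, not real output).
SAMPLE = r"""
add winuser:alice@example.com unixuser:alice
add winuser:bob@EXAMPLE unixuser:bob
add "wingroup:Domain Users" unixgroup:staff
add winuser:example.com\carol unixuser:carol
add winuser:EXAMPLE\dave unixuser:dave
add winuser:*@example.com unixuser:*
""".strip()


def windows_domain(identity):
    """Return the domain of 'winuser:name@dom' or 'winuser:dom\\name', else None."""
    name = identity.split(":", 1)[1]
    if "@" in name:
        return name.rsplit("@", 1)[1]
    if "\\" in name:
        return name.split("\\", 1)[0]
    return None


def lint_idmap_rules(text):
    """Return (line number, identity, reason) for each suspicious Windows name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = [t.strip("\"'") for t in TOKEN.findall(line)]
        if not tokens or tokens[0] != "add":
            continue
        for tok in tokens[1:]:
            if not tok.startswith(WIN_PREFIXES):
                continue
            domain = windows_domain(tok)
            if domain is None:
                findings.append((lineno, tok, "no domain part"))
            elif "." not in domain:
                findings.append((lineno, tok, "short domain name, FQDN expected"))
    return findings


if __name__ == "__main__":
    for lineno, identity, reason in lint_idmap_rules(SAMPLE):
        print(f"line {lineno}: {identity}: {reason}")
```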

