[OpenIndiana-discuss] idmap case sensitivity

Jim Klimov jim at cos.ru
Tue Mar 19 12:29:41 UTC 2013


On 2013-03-19 02:54, James Relph wrote:
> Hi all,
>
> I'm guessing this is a bug in idmap, but can someone just confirm if they have ever seen this
>
> # idmap list
> add     wingroup:administrators@DOMAIN.LOCAL  unixgroup:winadm

I think we've hit this years ago in one SXCE installation, and just
forced lowercase domain names with entries like this (there are many
per-user definitions also, I am not sure if they are the real key to
success):

add     winname:Guest@thumper   unixuser:nobody
add     winuser:Administrator@thumper   unixuser:root
add     wingroup:*@domain.ru       unixgroup:*
add     winuser:*@domain.ru        unixuser:*
add     "wingroup:Domain Users@domain.ru"  unixgroup:staff
add     "wingroup:Domain Admins@domain.ru" unixgroup:sysadmin

The LDAP-defined (or local /etc/passwd) POSIX users and windows MSAD
user textual names are kept in sync (manually so far; could be with
a replication script or with Sun DSEE IdSyncWin component or an IDM
system), so mappings work quite well - the Windows users access kCIFS
on the "\\thumper" and thanks to NFSv4 ACLs (manageable from Windows
too) have access to the non-individual shares, including those where
several admins can change distribs and so on. Files and directories
are owned by the initial uploader or even a local root, but manageable
by any admin. Proper inheritable ACL setup was a pain, and basically
anything under a given "root" has one policy (distribs, incomings,
a single user's home, etc), but works. Maintenance was scripted to
occasionally go over new files (i.e. make executable the unix binaries
and non-executable the data file types, etc.).

Integration of ZFS snapshots with Shadow Copies (Previous Versions)
works, as well as direct access to (hidden) .zfs/ subdirs where
available.

Also in /etc/krb/krb5.conf we defined both upper and lower cases,
obfuscated snippets follow:

[libdefaults]
#        default_realm = ___default_realm___
         default_realm = DOMAIN.RU

[realms]
         DOMAIN.RU = {
                 default_domain = DOMAIN.RU
                  default_domain = domain.ru
                 kdc = pdc.domain.ru
                  kdc = bdc.domain.ru
                 admin_server = pdc.domain.ru
                  admin_server = bdc.domain.ru
                 kpasswd_server = pdc.domain.ru
                  kpasswd_server = bdc.domain.ru
                 kpasswd_protocol = SET_CHANGE
         }

[domain_realm]
#       ___domainname___ = ___default_realm___
         .DOMAIN.RU = DOMAIN.RU
         .domain.ru = DOMAIN.RU
         domain.ru  = DOMAIN.RU

The DNS system is built on BIND, entries for MSAD domain are manually
defined there after some doc-reading and sniffing for requests. The
MSAD DC's don't even serve DNS, but they are clients of the master
nameserver (BIND) allowed to update it with client hostname entries.
Other hosts use slave replicas of the master name server (errors in
its config and typos in zone files can cause failure of the DNS
server, but won't propagate and cause a network-wide nameless DoS).

HTH,
//Jim Klimov
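The mixed-case domain names discussed in this thread are easy to introduce and hard to spot by eye once a server has dozens of rules. The following script, added here as an example and not code from the thread or from the illumos/OpenIndiana idmap tool, parses `idmap list`-style rules of the shapes shown above (winname:/winuser:/wingroup: on the left, unixname:/unixuser:/unixgroup: on the right, optional `-d` flag), reports every Windows domain that is spelled in more than one case, and can re-emit the rules with the domain forced to one case. The sample rule set is constructed for the example; its last line is a deliberately mixed-case entry.

```python
"""Find inconsistently cased Windows domain names in idmap name-based rules.

Added example, not code from the thread or from the idmap tool. Only the rule
forms shown in the thread are understood; sid: rules are rejected.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the rules quoted in the thread; the last line
# is a deliberately mixed-case entry so the checker has something to find.
SAMPLE_RULES = """\
add     wingroup:administrators@DOMAIN.LOCAL  unixgroup:winadm
add     winname:Guest@thumper   unixuser:nobody
add     winuser:Administrator@thumper   unixuser:root
add     wingroup:*@domain.ru       unixgroup:*
add     winuser:*@domain.ru        unixuser:*
add     "wingroup:Domain Users@domain.ru"  unixgroup:staff
add     "wingroup:Domain Admins@domain.ru" unixgroup:sysadmin
add -d  wingroup:backup@Domain.Local  unixgroup:backup
"""

WIN_TYPES = ("winname", "winuser", "wingroup")
UNIX_TYPES = ("unixname", "unixuser", "unixgroup")


@dataclass(frozen=True)
class Rule:
    directional: bool   # True for `add -d` (Windows -> UNIX direction only)
    win_type: str       # winname / winuser / wingroup
    win_name: str       # account or group name, or '*' wildcard
    win_domain: str     # text after the last '@', '' if there is none
    unix_type: str      # unixname / unixuser / unixgroup
    unix_name: str      # POSIX name, or '*' wildcard


def parse_rule(line):
    """Parse one `add ...` line; return None for blank or comment lines."""
    tokens = shlex.split(line, comments=True)   # honours the "..." quoting idmap uses
    if not tokens:
        return None
    if tokens[0] != "add":
        raise ValueError(f"not an add rule: {line!r}")
    flags = [t for t in tokens[1:] if t.startswith("-")]
    args = [t for t in tokens[1:] if not t.startswith("-")]
    if len(args) != 2:
        raise ValueError(f"expected two names in rule: {line!r}")
    win_type, wsep, win_ident = args[0].partition(":")
    unix_type, usep, unix_name = args[1].partition(":")
    if not wsep or not usep or win_type not in WIN_TYPES or unix_type not in UNIX_TYPES:
        raise ValueError(f"unsupported name form in rule: {line!r}")
    # Split on the last '@' so a name containing '@' still yields the right domain.
    if "@" in win_ident:
        win_name, _, win_domain = win_ident.rpartition("@")
    else:
        win_name, win_domain = win_ident, ""
    return Rule("-d" in flags, win_type, win_name, win_domain, unix_type, unix_name)


def parse_rules(text):
    """Parse a whole `idmap list` style dump into a list of Rule objects."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def find_case_conflicts(rules):
    """Return {lowercased domain: set of spellings} for domains spelled in
    more than one way across the rule set."""
    spellings = defaultdict(set)
    for r in rules:
        if r.win_domain:
            spellings[r.win_domain.lower()].add(r.win_domain)
    return {k: v for k, v in spellings.items() if len(v) > 1}


def format_rule(rule, domain_case=str.lower):
    """Render a Rule as an `add` line, passing the domain through domain_case
    (lowercase by default, matching the workaround described in the thread)."""
    win_ident = rule.win_name
    if rule.win_domain:
        win_ident += "@" + domain_case(rule.win_domain)
    win = f"{rule.win_type}:{win_ident}"
    if " " in win:                      # names with spaces need the quoting idmap expects
        win = f'"{win}"'
    flag = "-d " if rule.directional else ""
    return f"add {flag}{win} {rule.unix_type}:{rule.unix_name}"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for domain, forms in sorted(find_case_conflicts(rules).items()):
        print(f"{domain}: spelled as {sorted(forms)}")
    print("rules with domains normalized to lowercase:")
    for r in rules:
        print(" ", format_rule(r))
```

Feed it the output of `idmap list` (or the file you keep the rules in) instead of `SAMPLE_RULES`; a non-empty result from `find_case_conflicts` is the condition to investigate before blaming idmap itself, and `format_rule` gives a consistent rule set to re-add once the old ones are removed.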
