[Pkg-team] [OpenIndiana Distribution - Bug #2271] CIFS clients fail to authenticate when idmap is using IDMU

illumos project devnull at illumos.org
Mon Aug 6 15:37:55 UTC 2012


Issue #2271 has been updated by Anthony Germano.


I am having the same issue. I'm running oi 151a5. I tested with both Windows XP pro sp3 and Vista ultimate sp2 clients.

Below is some of the testing I did. Idmu had not yet been enabled.

<pre>
[client able to connect]
$ idmap dump -n
winuser:testuser@mydomain.com       ==      uid:2147483650
$ svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: idmu
$ svcadm refresh svc:/system/idmap
$ idmap flush -a
[client still able to connect]
$ idmap dump -n
winuser:testuser@mydomain.com       ==      uid:10000
[log out and back in to windows]
[try to connect from client and get invalid login box]
$ tail /var/adm/messages
Aug  6 11:22:45 openindiana smbd[655]: [ID 160719 auth.alert] adt_set_user: Invalid argument
$ svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: none
$ svcadm refresh svc:/system/idmap
$ idmap flush -a
[client able to connect again]
$ idmap dump -n
winuser:testuser@mydomain.com       ==      uid:2147483651
</pre>

Like the original poster, I have successfully used idmu with NexentaStor (3.1.3 CE).
----------------------------------------
Bug #2271: CIFS clients fail to authenticate when idmap is using IDMU
https://www.illumos.org/issues/2271

Author: Raul Rangel
Status: New
Priority: Normal
Assignee: OI PKG
Category: OS/Net (Kernel and Userland)
Target version: 
Difficulty: Medium
Tags: cifs


I joined my OI box to AD successfully:
@
root@staypuft:~# smbadm list
[*] [AD]
[*] [ad.ismell.org]
        [+oracle.ad.ismell.org] [10.0.0.2]
[.] [STAYPUFT] [S-1-5-21-1624921585-1963576407-4047943756]
[*] [AD] [S-1-5-21-3978222023-495330413-1469327242]
@

I then set my idmap to use IDMU based mapping as described here: http://docs.oracle.com/cd/E19963-01/html/821-1449/manageidmutm.html#enableidmusupporttask

@
$ svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: idmu
$ svcadm refresh svc:/system/idmap
@

Then I created some ZFS shares and tried to connect to them with my Windows box. The result was the login prompt kept popping up. This happened from both a computer joined to AD and not.

Doing an idmap dump I got the following:
@
root@staypuft:~/bin# idmap dump -n
winuser:Guest@staypuft  ==      uid:2147483649
wingroup:Domain Users@staypuft  ==      gid:2147483652
wingroup:Guests@BUILTIN ==      gid:2147483653
wingroup:Domain Admins@ad.ismell.org    ==      gid:2147483654
wingroup:Group Policy Creator Owners@ad.ismell.org      ==      gid:2147483655
wingroup:Enterprise Admins@ad.ismell.org        ==      gid:2147483656
wingroup:Schema Admins@ad.ismell.org    ==      gid:2147483657
wingroup:Denied RODC Password Replication Group@ad.ismell.org   ==      gid:2147483658
wingroup:Administrators@BUILTIN ==      gid:2147483659
winuser:me@ad.ismell.org        ==      uid:10001
wingroup:Backup Admins@ad.ismell.org    ==      gid:10003
wingroup:Web Developers@ad.ismell.org   ==      gid:10005
wingroup:Domain Users@ad.ismell.org     ==      gid:10000
wingroup:Network        ==      gid:2147483650
wingroup:Authenticated Users    ==      gid:2147483651
winuser:Administrator@ad.ismell.org     ==      unixuser:root
gsid:S-1-5-21-1624921585-1963576407-4047943756-2147483648       ==      unixgroup:root
@

idmap did correctly look up my domain user (me@ad.ismell.org).

When looking at the smbd logs I saw the following:
@
Mar  6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument
Mar  6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument
@

So my guess is idmap is not passing IDMU mapped users correctly to smbd?

To add another data point, I have tried the same procedure on NexentaStor and everything works as expected.

Thanks,
Raul
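
Added example, not part of the original posts or of the illumos code: a small shell helper for comparing `idmap dump -n` snapshots taken before and after switching `directory_based_mapping`, so the accounts that moved off ephemeral IDs can be matched against the `adt_set_user` alerts. It assumes numeric IDs at or above 2^31 are ephemeral idmap allocations; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `idmap dump -n` output around an IDMU switch.
# Assumption: numeric IDs >= 2^31 are ephemeral IDs handed out by idmap;
# lower numeric IDs come from a configured mapping (e.g. IDMU attributes).
EPHEMERAL_BASE=2147483648
FS_RE='[ \t]*==[ \t]*'   # dump lines look like "<windows name> == <unix id>"

# stdin: dump output; stdout: "<kind>\t<windows name>\t<unix id>"
classify_idmap() {
    awk -F"$FS_RE" -v base="$EPHEMERAL_BASE" '
        NF != 2 { next }                      # skip prompts and notes
        {
            if (split($2, u, ":") != 2) next
            if (u[2] ~ /^[0-9]+$/)
                kind = (u[2] + 0 >= base + 0) ? "ephemeral" : "mapped"
            else
                kind = "named"                # e.g. unixuser:root
            printf "%s\t%s\t%s\n", kind, $1, $2
        }'
}

# $1 = dump saved before the change, $2 = dump saved after it.
# Prints every Windows name whose Unix identity differs between the two.
idmap_changes() {
    awk -F"$FS_RE" '
        NF != 2 { next }
        FNR == NR { old[$1] = $2; next }      # first file: remember old id
        ($1 in old) && old[$1] != $2 {
            printf "%s\t%s -> %s\n", $1, old[$1], $2
        }' "$1" "$2"
}

# Constructed samples modelled on the dumps in this thread.
sample_before() {
    printf 'winuser:testuser@mydomain.com\t==\tuid:2147483650\n'
    printf 'wingroup:Domain Users@mydomain.com\t==\tgid:2147483652\n'
    printf 'winuser:Administrator@mydomain.com\t==\tunixuser:root\n'
}
sample_after() {
    printf 'winuser:testuser@mydomain.com\t==\tuid:10000\n'
    printf 'wingroup:Domain Users@mydomain.com\t==\tgid:2147483652\n'
    printf 'winuser:Administrator@mydomain.com\t==\tunixuser:root\n'
}

sample_after | classify_idmap
```

On a live system, save `idmap dump -n` to a file before and after `svcadm refresh svc:/system/idmap` and pass the two files to `idmap_changes`.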

