[Pkg-team] [OpenIndiana Distribution - Bug #2271] CIFS clients fail to authenticate when idmap is using IDMU
illumos project
devnull at illumos.org
Sun May 20 15:44:19 UTC 2012
Issue #2271 has been updated by Bayard Bell.
Have you asked for assistance with this on any of the mailing lists (e.g. openindiana-discuss)?
----------------------------------------
Bug #2271: CIFS clients fail to authenticate when idmap is using IDMU
https://www.illumos.org/issues/2271
Author: Raul Rangel
Status: New
Priority: Normal
Assignee: OI PKG
Category: OS/Net (Kernel and Userland)
Target version:
Difficulty: Medium
Tags: cifs
I joined my OI box to AD successfully:
@
root@staypuft:~# smbadm list
[*] [AD]
[*] [ad.ismell.org]
[+oracle.ad.ismell.org] [10.0.0.2]
[.] [STAYPUFT] [S-1-5-21-1624921585-1963576407-4047943756]
[*] [AD] [S-1-5-21-3978222023-495330413-1469327242]
@
I then set my idmap to use IDMU based mapping as described here: http://docs.oracle.com/cd/E19963-01/html/821-1449/manageidmutm.html#enableidmusupporttask
@
$ svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: idmu
$ svcadm refresh svc:/system/idmap
@
Then I created some ZFS shares and tried to connect to them with my Windows box. The result was that the login prompt kept popping up. This happened both from a computer joined to AD and from one that is not.
Doing an idmap dump, I got the following:
@
root@staypuft:~/bin# idmap dump -n
winuser:Guest@staypuft == uid:2147483649
wingroup:Domain Users@staypuft == gid:2147483652
wingroup:Guests@BUILTIN == gid:2147483653
wingroup:Domain Admins@ad.ismell.org == gid:2147483654
wingroup:Group Policy Creator Owners@ad.ismell.org == gid:2147483655
wingroup:Enterprise Admins@ad.ismell.org == gid:2147483656
wingroup:Schema Admins@ad.ismell.org == gid:2147483657
wingroup:Denied RODC Password Replication Group@ad.ismell.org == gid:2147483658
wingroup:Administrators@BUILTIN == gid:2147483659
winuser:me@ad.ismell.org == uid:10001
wingroup:Backup Admins@ad.ismell.org == gid:10003
wingroup:Web Developers@ad.ismell.org == gid:10005
wingroup:Domain Users@ad.ismell.org == gid:10000
wingroup:Network == gid:2147483650
wingroup:Authenticated Users == gid:2147483651
winuser:Administrator@ad.ismell.org == unixuser:root
gsid:S-1-5-21-1624921585-1963576407-4047943756-2147483648 == unixgroup:root
@
idmap did correctly look up my domain user (me@ad.ismell.org).
When looking at the smbd logs, I saw the following:
@
Mar 6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument
Mar 6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument
@
So my guess is idmap is not passing IDMU mapped users correctly to smbd?
To add another data point, I have tried the same procedure on NexentaStor and everything works as expected.
Thanks,
Raul