[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
Jens Bauernfeind
bauernfeind at ipk-gatersleben.de
Tue Jun 27 12:47:10 UTC 2017
Hm,
maybe I should share my ldap config.
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN="cn=XXX" \
-a proxyPassword=SECRET \
-a defaultSearchBase=dc=ipk=de \
-a domainName=DOMAINNAME \
-a defaultServerList="<IPs of DCs>" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:uniqueMember=member \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
-a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
-a followReferrals=true
Maybe also a restart of the smb service?
Jens
> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:40
> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> Now I get cant access domain info in the smb log and users are prompted to
> enter a password when accessing the shares. :(
>
>
>
> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 09:37
> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> I fixed this problem after executing this:
>
> idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> svcadm restart idmap
>
> All newly created files now have the uid and gid from the IDMU
>
> Jens
>
> From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com]
> On Behalf Of Oliver Weinmann
> Sent: Tuesday, 27 June 2017 08:25
> To: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> we are currently migrating all our data from a NetApp system to an OmniOS
> system.
>
> The OmniOS system is joined to AD and LDAP client is configured to pull LDAP
> info from AD / IDMU. This works fine.
>
> However we can't manage to have access on folders where we have Unix
> permissions from Windows (CIFS).
>
> e.g.
>
> the user utest2 is a member of the group Up BCSIM De_Dt Da Lg:
>
> root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> 10000 Up BCSIM De_Dt Da Lg
>
> The folder Unix has the following permissions set:
>
> root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> total 47
> d---------+ 4 root 2147483653 4 Apr 25 05:37 .
> d---------+ 4 root 2147483659 4 Apr 25 05:35 ..
> drwxrws--- 9 bcsim Up BCSIM De_Dt Da Lg 11 Mar 9 10:40 Unix
> d---------+ 6 root 2147483653 6 Apr 25 05:37 Windows
>
> so User bcsim and all members of group Up BCSIM De_Dt Da Lg can access
> the folder just fine via NFS.
>
> If the user utest2 tries to access this folder from Windows via CIFS he gets
> access denied.
>
> If I change the permissions so that other have r-x he can access the folder
> but then I have no control on who can access the folder.
>
> On our NetApp system this was working fine. I assume it has to do with the
> IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> and gidnumber from AD?
>
> I don't want to use extended ACLs on this folder.
>
> Any ideas?
>
> Oliver Weinmann
> Senior Unix VMWare, Storage Engineer
>
> Telespazio VEGA Deutschland GmbH
> Europaplatz 5 - 64293 Darmstadt - Germany
> Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> oliver.weinmann at telespazio-vega.de
> http://www.telespazio-vega.de
>
> Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
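
A check that could be run after adding the idmap rules discussed in this thread, to confirm that directory entries no longer carry ephemeral IDs (added example, not part of the original messages). It assumes illumos idmap allocates ephemeral UIDs/GIDs from 2^31 upward; the sample listing and the IDs 10000/10001 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: illumos idmap allocates
# ephemeral UIDs/GIDs from 2^31 upward, so an ID at or above that value
# did not come from uidNumber/gidNumber in the directory.
EPHEMERAL_MIN=2147483648

# Read `ls -n` output on stdin (numeric IDs, so group names containing
# spaces cannot shift the columns) and print one line per entry whose
# owner or group is ephemeral: "<name> uid=<n|ok> gid=<n|ok>".
ephemeral_entries() {
    awk -v min="$EPHEMERAL_MIN" '
        # Skip the "total" line and anything without numeric uid/gid columns.
        NF < 9 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }
        {
            u = ($3 + 0 >= min + 0) ? $3 : "ok"
            g = ($4 + 0 >= min + 0) ? $4 : "ok"
            if (u == "ok" && g == "ok") next
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i  # file names with spaces
            printf "%s uid=%s gid=%s\n", name, u, g
        }'
}

# Constructed sample modelled on the listing in the thread; the numeric
# IDs 10000 and 10001 are made up for illustration.
sample_listing() {
    cat <<'EOF'
total 47
d---------+ 4 0 2147483653 4 Apr 25 05:37 .
d---------+ 4 0 2147483659 4 Apr 25 05:35 ..
drwxrws--- 9 10001 10000 11 Mar 9 10:40 Unix
d---------+ 6 0 2147483653 6 Apr 25 05:37 Windows
EOF
}

# Exit status 0 when nothing ephemeral is found, 1 (plus a report) otherwise.
# Usage on a live system: ls -n /path/to/share | check_listing
check_listing() {
    found=$(ephemeral_entries)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Entries reported here were created under an ephemeral mapping, so their owner or group will not line up with the uidNumber/gidNumber that NFS clients see for the same account.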