[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Jens Bauernfeind bauernfeind at ipk-gatersleben.de
Tue Jun 27 13:19:01 UTC 2017


also r151022

What is your /etc/nsswitch.conf saying?
Mine has nearly everywhere "files ldap", except hosts and ipnodes.

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:49
> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> What version of omnios are you using? I'm using R151022.
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 14:47
> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> Hm,
> 
> maybe I should share my ldap config.
> ldapclient -v manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a proxyDN="cn=XXX" \
> -a proxyPassword=SECRET \
> -a defaultSearchBase=dc=ipk=de \
> -a domainName=DOMAINNAME \
> -a defaultServerList="<IPs of DCs>" \
> -a attributeMap=group:userpassword=userPassword \
> -a attributeMap=group:uniqueMember=member \
> -a attributeMap=group:gidnumber=gidNumber \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=passwd:gidnumber=gidNumber \
> -a attributeMap=passwd:uidnumber=uidNumber \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=passwd:loginshell=loginShell \
> -a attributeMap=shadow:shadowflag=shadowFlag \
> -a attributeMap=shadow:userpassword=userPassword \
> -a objectClassMap=group:posixGroup=group \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
> -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
> -a followReferrals=true
> 
> Maybe also a restart of the smb service?
> 
> Jens
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:40
> > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> > Hi,
> >
> >
> >
> > Now I get can’t access domain info in the smb log and users are prompted to
> > enter a password when accessing the shares. :(
> >
> >
> >
> > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 09:37
> > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > I fixed this problem after executing this:
> >
> > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> >
> > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> >
> > svcadm restart idmap
> >
> > All newly created files now have the uid and gid from the IDMU
> >
> >
> >
> > Jens
> >
> >
> >
> > From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com]
> > On Behalf Of Oliver Weinmann
> > Sent: Tuesday, 27 June 2017 08:25
> > To: omnios-discuss <omnios-discuss at lists.omniti.com>
> > Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > we are currently migrating all our data from a NetApp system to an OmniOS
> > system.
> >
> >
> >
> > The OmniOS system is joined to AD and LDAP client is configured to pull LDAP
> > info from AD / IDMU. This works fine.
> >
> >
> >
> > However we can’t manage to have access on folders where we have Unix
> > permissions from windows (CIFS).
> >
> >
> >
> > e.g.
> >
> >
> >
> > the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
> >
> >
> >
> > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> >
> > 10000 Up BCSIM De_Dt Da Lg
> >
> >
> >
> > The folder Unix has the following permissions set:
> >
> >
> >
> > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> >
> > total 47
> >
> > d---------+  4 root     2147483653       4 Apr 25 05:37 .
> >
> > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
> >
> > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg      11 Mar  9 10:40 Unix
> >
> > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
> >
> >
> >
> > so User bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access
> > the folder just fine via NFS.
> >
> >
> >
> > If the user utest2 tries to access this folder from windows via CIFS he gets
> > access denied.
> >
> >
> >
> > If I change the permissions so that other have r-x he can access the folder
> > but then I have no control on who can access the folder.
> >
> >
> >
> > On our NetApp system this was working fine. I assume it has to do with the
> > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> > and gidnumber from AD?
> >
> >
> >
> > I don’t want to use extended ACLs on this folder.
> >
> >
> >
> > Any ideas?
> >
> >
> >
> >
> >
> > Oliver Weinmann
> > Senior Unix VMWare, Storage Engineer
> >
> > Telespazio VEGA Deutschland GmbH
> > Europaplatz 5 - 64293 Darmstadt - Germany
> > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> > oliver.weinmann at telespazio-vega.de
> > http://www.telespazio-vega.de
> >
> > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
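
Added example, not part of the original thread: the listing quoted above shows group IDs such as 2147483653, which fall in the range illumos idmap uses for ephemeral IDs (2^31 and above). This script classifies `ls -ln` output by whether owner or group is ephemeral and whether an ACL (`+`) is present. The sample listing is constructed from the one in the thread; uid 5001 and gid 10000 are assumed values.

```shell
#!/bin/sh
# Ephemeral idmap IDs start at 2^31; anything below is a regular Unix ID.
EPHEMERAL_MIN=2147483648

# Constructed sample: the thread's listing in numeric (ls -ln) form.
# uid 5001 and gid 10000 are assumptions made for this example.
sample_listing() {
cat <<'EOF'
total 47
d---------+  4 0     2147483653       4 Apr 25 05:37 .
d---------+  4 0     2147483659       4 Apr 25 05:35 ..
drwxrws---   9 5001  10000           11 Mar  9 10:40 Unix
d---------+  6 0     2147483653       6 Apr 25 05:37 Windows
EOF
}

# Reads `ls -ln` lines on stdin and prints "name|idclass|aclclass" per entry.
#   idclass : ephemeral      owner or group has no persistent Unix ID
#             unix-id        both IDs are regular Unix IDs
#   aclclass: acl            non-trivial ACL present ('+' after the mode)
#             mode-bits-only access is decided by owner:group:other alone
audit_listing() {
  awk -v min="$EPHEMERAL_MIN" '
    NF < 9 { next }                      # skip the "total N" line
    {
      uid = $3 + 0; gid = $4 + 0
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i   # names with spaces
      id  = (uid >= min || gid >= min) ? "ephemeral" : "unix-id"
      acl = ($1 ~ /\+$/) ? "acl" : "mode-bits-only"
      print name "|" id "|" acl
    }'
}

# Stand-alone run: classify the constructed sample.
sample_listing | audit_listing
```

Entries reported as `unix-id|mode-bits-only` are the ones where an SMB user is only admitted if idmap resolves the Windows identity to that same uid or gid; on a live system, feed it `ls -ln <dir>` instead of the sample.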
