[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Oliver Weinmann oliver.weinmann at telespazio-vega.de
Tue Jun 27 13:20:45 UTC 2017


Mine has ldap only for passwd and group.

So on your system it really works with just having the traditional unix
permissions set. There are no ACLs in place?

Do you have an Active Directory domain with IDMU?

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de] 
Sent: Tuesday, 27 June 2017 15:19
To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
(owner:group:other) Unix permissions

also r151022

What is your /etc/nsswitch.conf saying?
Mine has nearly everywhere "files ldap", except hosts and ipnodes.

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:49
> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> What version of omnios are you using? I'm using R151022.
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 14:47
> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> Hm,
> 
> maybe I should share my ldap config.
> ldapclient -v manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a proxyDN="cn=XXX" \
> -a proxyPassword=SECRET \
> -a defaultSearchBase=dc=ipk=de \
> -a domainName=DOMAINNAME \
> -a defaultServerList=<IPs of DCs> \
> -a attributeMap=group:userpassword=userPassword \
> -a attributeMap=group:uniqueMember=member \
> -a attributeMap=group:gidnumber=gidNumber \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=passwd:gidnumber=gidNumber \
> -a attributeMap=passwd:uidnumber=uidNumber \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=passwd:loginshell=loginShell \
> -a attributeMap=shadow:shadowflag=shadowFlag \
> -a attributeMap=shadow:userpassword=userPassword \
> -a objectClassMap=group:posixGroup=group \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
> -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
> -a followReferrals=true
> 
> Maybe also a restart of the smb service?
> 
> Jens
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:40
> > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> > Hi,
> >
> >
> >
> > Now I get can’t access domain info in the smb log and users are prompted to
> > enter a password when accessing the shares. :(
> >
> >
> >
> > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 09:37
> > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > I fixed this problem after executing this:
> >
> > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> >
> > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> >
> > svcadm restart idmap
> >
> > All newly created files now have the uid and gid from the IDMU.
> >
> >
> >
> > Jens
> >
> >
> >
> > From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com]
> > On Behalf Of Oliver Weinmann
> > Sent: Tuesday, 27 June 2017 08:25
> > To: omnios-discuss <omnios-discuss at lists.omniti.com>
> > Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > we are currently migrating all our data from a NetApp system to an OmniOS
> > system.
> >
> >
> >
> > The OmniOS system is joined to AD and LDAP client is configured to pull LDAP
> > info from AD / IDMU. This works fine.
> >
> >
> >
> > However we can’t manage to have access on folders where we have Unix
> > permissions from windows (CIFS).
> >
> >
> >
> > e.g.
> >
> >
> >
> > the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
> >
> >
> >
> > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> >
> > 10000 Up BCSIM De_Dt Da Lg
> >
> >
> >
> > The folder Unix has the following permissions set:
> >
> >
> >
> > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> >
> > total 47
> >
> > d---------+  4 root     2147483653       4 Apr 25 05:37 .
> >
> > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
> >
> > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg      11 Mar  9 10:40 Unix
> >
> > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
> >
> >
> >
> > so User bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access
> > the folder just fine via NFS.
> >
> >
> >
> > If the user utest2 tries to access this folder from windows via CIFS he gets
> > access denied.
> >
> >
> >
> > If I change the permissions so that other have r-x he can access the folder
> > but then I have no control on who can access the folder.
> >
> >
> >
> > On our NetApp system this was working fine. I assume it has to do with the
> > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> > and gidnumber from AD?
> >
> >
> >
> > I don’t want to use extended ACLs on this folder.
> >
> >
> >
> > Any ideas?
> >
> >
> >
> >
> >
> > Oliver Weinmann
> > Senior Unix VMWare, Storage Engineer
> >
> > Telespazio VEGA Deutschland GmbH
> > Europaplatz 5 - 64293 Darmstadt - Germany
> > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> > oliver.weinmann at telespazio-vega.de
> > http://www.telespazio-vega.de
> >
> > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
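
Added example, not part of the messages above: the question in the thread is whether idmap is handing out ephemeral IDs instead of the uidNumber/gidNumber stored in AD. The shell function below scans numeric `ls -n` output for owners or groups in the ephemeral range; the 2^31 threshold, the function names and the sample IDs 10001/10002 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags entries in `ls -n` output whose
# owner or group is an ephemeral ID. Assumption: idmap allocates ephemeral
# IDs at 2^31 (2147483648) and above; directory-backed IDs are below it.
EPHEMERAL_MIN=2147483648

# find_ephemeral: reads `ls -n` output on stdin and prints one line per
# ephemeral owner or group found, in the form "<name> uid=<id>" / "gid=<id>".
find_ephemeral() {
    awk -v min="$EPHEMERAL_MIN" '
        NF < 9 { next }                      # skip "total N" and blank lines
        {
            # Rebuild the name from field 9 onward so names with spaces survive
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            if ($3 ~ /^[0-9]+$/ && $3 + 0 >= min) print name " uid=" $3
            if ($4 ~ /^[0-9]+$/ && $4 + 0 >= min) print name " gid=" $4
        }'
}

# Constructed sample modelled on the listing quoted in the thread, shown as
# `ls -n` would print it. UID 10001 and GID 10002 are made-up stand-ins for
# bcsim and its group; the large GIDs are the ones visible in the listing.
sample_listing() {
    cat <<'EOF'
total 47
d---------+  4 0        2147483653       4 Apr 25 05:37 .
d---------+  4 0        2147483659       4 Apr 25 05:35 ..
drwxrws---   9 10001    10002           11 Mar  9 10:40 Unix
d---------+  6 0        2147483653       6 Apr 25 05:37 Windows
EOF
}

# On a live system: ls -ln /path/to/share | find_ephemeral
sample_listing | find_ephemeral
```

An entry reported here carries an ID that idmap allocated dynamically rather than one read from the directory, so it is worth re-checking after any change to the idmap rules.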
