3 Replies Latest reply on Dec 20, 2011 10:45 AM by atopher

    Sun 7310 IDMU/SMB/NFS Woes

      We have had a 7310 box for a couple of years and I have never got to grips with NFS & CIFS permissions.

      I have given up on the Identity mapping as it seems to cause nothing but a headache unless you have everything in place on both sides. I.e. as soon as a user that is not on the NFS client drops a file on an NFS share, the NFS client simply cannot read the ACLs + plus a load of other permission issues I have been unable to sort out.

      Finally had a bit of time to look into this and downloaded the simulator.

      So the plan now is to keep things simple:
      - NFS client mounts the share over NFSv3, so no ACLs to deal with. This may cause issues later down the line but I need to ensure that NFS clients can access the files. v3 is the easiest way to achieve this.
      - SMB client mounts the share as usual
      - I will use IDMU to get unix UID's and GID's from AD for the users and groups I know require to access from both protocols.

      Simple eh?

      Not so :-( It seems that as soon as I enable IDMU on the device, I am unable to access the share over SMB - it asks for a username and password. Switch IDMU off and return to ID mapping, and I can access the share (but then I ma back to square one). I know that the Unix IDs for the group and user are OK - they are showing up in the Mappings tab.

      There is the following error in the system log though:
      smbd[1425] alert adt_set_user: Invalid argument

      Can anyone advise what might be causing this error?

      Any help/advice on the subject appreciated, I have been tearing my hair out over this for a while!
        • 1. Re: Sun 7310 IDMU/SMB/NFS Woes
          Am back to sorting out ID mapping now and have asked a similar NFSv4 question in the Solaris forum.

          Still, any pointers as to how to successfully configure ID mapping for NFS/SMB would very useful.

          • 2. Re: Sun 7310 IDMU/SMB/NFS Woes

            we are using Windows 2008 R2 ADS with SFU/IDMU.

            Our 7310 connects via LDAP to the Global Catalog to fetch any PosixAccounts/GroupAccounts.

            1.) LDAP Service:
            XXX:configuration services ldap> show
                                  <status> = online
                           default_servers = <DC01_IPv4>:3268,<DC02_IPv4>:3268
                                  proxy_dn =
                            proxy_password =
                                   base_dn = dc=foobar,dc=org
                              search_scope = sub
                                cred_level = self
                               auth_method = sasl/GSSAPI
                                   use_tls = false
                              user_mapattr = homeDirectory=unixHomeDirectory,gecos=name
                          user_mapobjclass = posixAccount=user
                               user_search = DC=foobar,DC=org
                             group_mapattr = cn=msSFU30Name
                         group_mapobjclass = posixGroup=group
                              group_search = DC=foobar,DC=org
            SERVER       ADDRESS                    SOURCE     EXPIRES
            server-000   <DC01_IPv4>:3268             none
            server-001   <DC02_IPv4>:3268             none
            XXX:configuration services ldap>
            2.) AD Service:
            XXX:configuration services ad> show
                                  <status> = online
                                      mode = domain
                                    domain = foobar.org
                                    server = dc01 (<DC01_IPv4>)
                                       domain => Join an Active Directory domain
                                    workgroup => Join a Windows workgroup
            XXX:configuration services ad>
            3.) IMAP Serivce:
            XXX:configuration services idmap> show
                                  <status> = online
                          ad_unixuser_attr =
                         ad_unixgroup_attr =
                        nldap_winname_attr =
                   directory_based_mapping = idmu
            MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
            idmap-000    ""@""                              <=           sys (G)
            idmap-001    ""@""                              <=           other (G)
            idmap-002    *@FOOBAR                          =>           "" (G)
            idmap-003    *@FOOBAR                          =>           "" (U)
            idmap-004    ""@""                              <=           * (G)
            idmap-005    ""@""                              <=           * (U)
            idmap-006    Domain Admins@FOOBAR              ==           root (G)
            idmap-007    Administrator@FOOBAR              ==           root (U)
            idmap-008    *@FOOBAR                          ==           * (G)
            idmap-009    *@FOOBAR                          ==           * (U)
            XXX:configuration services idmap>
            4.) SMB Service (+ Autohome Rule):
            XXX:configuration services smb> show
                                  <status> = online
                              lmauth_level = 4
                            system_comment = fileserver
                             wins_server_1 = <DC01_IPv4>
                             wins_server_2 = <DC02_IPv4>
                              wins_exclude =
                                       pdc = <DC01_IPv4>
                                  ads_site = foobar
                               max_workers = 1024
                                keep_alive = 5400
                               ddns_enable = false
                             oplock_enable = true
                        restrict_anonymous = false
                           signing_enabled = true
                          signing_required = false
            RULE       NSS      USER         DIRECTORY            CONTAINER
            rule-000   false    *            /export/foobar/home/& CN=Users,DC=foobar,DC=org
                                       groups => Configure SMB local groups
            meganova:configuration services smb>
            5.) NFS Service:
            XXX:configuration services nfs> show
                                  <status> = online
                               version_min = 3
                               version_max = 4
                              nfsd_servers = 500
                              grace_period = 15
                                 mapid_dns = true
                              mapid_domain =
                         enable_delegation = true
                                krb5_realm =
                                  krb5_kdc =
                                 krb5_kdc2 =
                                krb5_admin =
            XXX:configuration services nfs>
            • 3. Re: Sun 7310 IDMU/SMB/NFS Woes
              Wow thanks for this, only just checked back as am not receiving notifications.

              Will give it a shot on the test box later today.

              Thanks, Chris