4 Replies Latest reply: Feb 20, 2013 2:48 PM by 933584

Active Directory / ACL's

bandit84 Newbie
When I use ls -v on a directory I get this...

0:user:2147483675:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow

My question is... what is that 10-digit number? My server is bound to Active Directory, and if I view the permissions on a Windows computer then I see that the 10-digit number is a user in our domain, but I don't think that number corresponds to the objectuid. So where does Solaris get that number from?

Thanks!
  • 1. Re: Active Directory / ACL's
    cindys Pro
    Which ls command is this? I would use this one:

    # which ls
    /usr/bin/ls
    #

    Can you redisplay your output with /usr/bin/ls like this, for example:

    # ls -dv dir1
    drwxr-xr-x 3 root root 3 Jan 4 07:05 dir1
    0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
    /append_data/read_xattr/write_xattr/execute/delete_child
    /read_attributes/write_attributes/read_acl/write_acl/write_owner
    /synchronize:allow
    1:group@:list_directory/read_data/read_xattr/execute/read_attributes
    /read_acl/synchronize:allow
    2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
    /read_acl/synchronize:allow

    Thanks, Cindy
  • 2. Re: Active Directory / ACL's
    bandit84 Newbie
    Here's the output I get from the command...

    0:user:aholding:list_directory/read_data/add_file/write_data
    /add_subdirectory/append_data/read_xattr/write_xattr/execute
    /delete_child/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
    1:group:2147483650:list_directory/read_data/add_file/write_data
    /add_subdirectory/append_data/read_xattr/write_xattr/execute
    /delete_child/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow

    I read up on it a bit more and, if I'm not mistaken, the 10-digit number is the ephemeral ID that is dynamically generated by Solaris. Is this number persistent across reboots? I just don't want the permissions to change if we ever have to reboot the server. I created a mapping rule using the following: "idmap add winuser:'*@example.com' unixuser:'*'", but that means that I would have to create a local Solaris user for each Windows user, right? Is there a better way to handle this? Ideally I would chmod a directory or file using the Active Directory username, i.e. chmod A+myuser@mycompany.com:list_directory/read_data......:allow. But right now I have to add the user locally first, then chmod the directory using "chmod A+localuser:list_directory.....:allow", and because of the mapping rule the correct user would be added to the ACL. Do I have the right grasp on this issue, or am I approaching it incorrectly? Thanks!
  • 3. Re: Active Directory / ACL's
    cindys Pro
    Hi--

    Yes, there is a way to map the Windows users to a Solaris system. You shouldn't have to add them individually.
    I haven't done this myself but I would check this doc, if you haven't already:

    http://docs.oracle.com/cd/E26502_01/html/E29004/mapusergroupidentities.html#scrolltoc

    This doc explains how to create mapping rules and also that you need to configure the Solaris name service
    to access the Active Directory user and group sources, which is described here:

    http://docs.oracle.com/cd/E26502_01/html/E29002/adsetup-2.html#scrolltoc

    Thanks, Cindy
  • 4. Re: Active Directory / ACL's
    933584 Newbie
    Hi there. That number is the ephemeral mapping that Solaris does for Windows SIDs to UID/GID.

    You can do an
    root@husker:~# idmap dump -n
    winuser:ENSUR$@ms.anon.com        ==      uid:2147508226
    winuser:justinp@ms.anon.com       ==      uid:2147508227
    wingroup:Norchem_IT@ms.anon.com   ==      gid:2147508228
    winuser:JUSTINP0$@ms.anon.com     ==      uid:2147508228
    winuser:IT-MGR-SANDY$@ms.anon.com ==      uid:2147508225
    wingroup:ITComputers@ms.anon.com  ==      gid:2147508227
    wingroup:Domain Computers@ms.anon.com     ==      gid:2147508226
    wingroup:sasl@ms.anon.com ==      gid:2147483651
    wingroup:JabberUsers@ms.anon.com  ==      gid:2147483652
    wingroup:labdev@ms.anon.com       ==      gid:2147483653
    wingroup:UnixAdmins@ms.anon.com   ==      gid:2147483655
    to see how it's mapped.

    Here is the doc on how idmap works.
    http://docs.oracle.com/cd/E19963-01/html/821-1449/mapusergroupidentities.html

    Default mode is ephemeral mapping, where it assumes Windows SIDs do not have corresponding Solaris accounts (uid/gid), so it creates an arbitrary uid/gid for it.
    You can change the mode to Identity Management for UNIX (IDMU), which uses the UID/GID assigned by AD Unix tools. Or rule-based mapping or directory mapping.

    It does survive reboots just fine; having tested that a few times now, I can say it seems to do OK. I don't know if it uses an algorithm or what to figure out the gid such that the same SID generates the same gid each time.

    Edited by: TomS on Feb 20, 2013 2:47 PM
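Added example, not from this thread or from Oracle's tooling: a small Python helper that joins the wrapped ls -v lines, picks out ACL principals that are bare numbers in the ephemeral range (2147483648, i.e. 0x80000000, and up), and resolves them against idmap dump -n output, so an auditor can spot entries whose Windows identity is not in the current idmap table. The sample ACL and dump text are constructed to match the shape shown in the posts above; the group name and its gid are made up.

```python
EPHEMERAL_BASE = 2147483648  # 0x80000000: Solaris ephemeral uid/gid range starts here

# Constructed sample output in the shape shown in this thread (names are made up).
LS_V_OUTPUT = """\
0:user:aholding:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/synchronize:file_inherit/dir_inherit:allow
1:group:2147483650:list_directory/read_data/read_xattr/execute
/read_attributes/read_acl/synchronize:allow
2:user:2147483675:read_data/read_attributes:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
"""
IDMAP_DUMP = "wingroup:fileshare-users@example.com ==      gid:2147483650\n"

def join_wrapped(text):
    entries = []
    for line in text.splitlines():
        if line.startswith("/") and entries:  # ls -v wraps long perm lists onto '/'-prefixed lines
            entries[-1] += line
        elif line.strip():
            entries.append(line)
    return entries

def parse_acl(text):
    """(index, principal, perms, access) per entry; owner@/group@/everyone@ carry no name field."""
    out = []
    for entry in join_wrapped(text):
        f = entry.split(":")
        named = not f[1].endswith("@")  # user:<name> / group:<name> vs owner@ / group@ / everyone@
        principal = f"{f[1]}:{f[2]}" if named else f[1]
        out.append((int(f[0]), principal, f[3 if named else 2].split("/"), f[-1]))
    return out

def parse_idmap_dump(text):
    """Map 'uid:N' / 'gid:N' to the Windows principal idmap dump -n pairs it with."""
    pairs = (line.split("==") for line in text.splitlines() if "==" in line)
    return {unix.strip(): win.strip() for win, unix in pairs}

def classify(principal, table):
    """'named:...' for symbolic principals; ephemeral numeric IDs are resolved via the idmap table."""
    kind, _, ident = principal.partition(":")
    if not ident.isdigit() or int(ident) < EPHEMERAL_BASE:
        return "named:" + principal
    key = ("uid:" if kind == "user" else "gid:") + ident
    return "mapped:" + table[key] if key in table else "ephemeral-unmapped:" + principal

def audit(acl_text, idmap_text):
    """Per ACL index, report whether the principal is named, mapped, or an unresolved ephemeral ID."""
    table = parse_idmap_dump(idmap_text)
    return {idx: classify(p, table) for idx, p, _, _ in parse_acl(acl_text)}
```

Entries reported as ephemeral-unmapped are the ones to check on the Windows side, since the number alone says nothing about which domain account it stood for.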
