4 Replies Latest reply: Feb 20, 2013 2:48 PM by 933584

    Active Directory / ACL's

    bandit84
      When I use ls -v on a directory I get this...

      0:user:2147483675:list_directory/read_data/add_file/write_data
      /add_subdirectory/append_data/read_xattr/write_xattr/execute
      /delete_child/read_attributes/write_attributes/delete/read_acl
      /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow

      My question is: what is that 10 digit number? My server is bound to Active Directory, and if I view the permissions on a Windows computer I see that the 10 digit number is a user in our domain, but I don't think that number corresponds to the objectuid. So where does Solaris get that number from?

      thanks!
        • 1. Re: Active Directory / ACL's
          Cindys-Oracle
          Which ls command is this? I would use this one:

          # which ls
          /usr/bin/ls
          #

          Can you redisplay your output with /usr/bin/ls like this, for example:

          # ls -dv dir1
          drwxr-xr-x 3 root root 3 Jan 4 07:05 dir1
          0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
          /append_data/read_xattr/write_xattr/execute/delete_child
          /read_attributes/write_attributes/read_acl/write_acl/write_owner
          /synchronize:allow
          1:group@:list_directory/read_data/read_xattr/execute/read_attributes
          /read_acl/synchronize:allow
          2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
          /read_acl/synchronize:allow

          Thanks, Cindy
          • 2. Re: Active Directory / ACL's
            bandit84
            Here's the output I get from the command:

            0:user:aholding:list_directory/read_data/add_file/write_data
            /add_subdirectory/append_data/read_xattr/write_xattr/execute
            /delete_child/read_attributes/write_attributes/delete/read_acl
            /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
            1:group:2147483650:list_directory/read_data/add_file/write_data
            /add_subdirectory/append_data/read_xattr/write_xattr/execute
            /delete_child/read_attributes/write_attributes/delete/read_acl
            /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow


            I read up on it a bit more and, if I'm not mistaken, the 10 digit number is the ephemeral ID that is dynamically generated by Solaris. Is this number persistent across reboots? I just don't want the permissions to change if we ever have to reboot the server. I created a mapping rule using the following: "idmap add winuser:'*@example.com' unixuser:'*'", but that means I would have to create a local Solaris user for each Windows user, right? Is there a better way to handle this? Ideally I would chmod a directory or file using the Active Directory username, i.e. chmod A+myuser@mycompany.com:list_directory/read_data......:allow. But right now I have to add the user locally first, then chmod the directory using "chmod A+localuser:list_directory.....:allow", and because of the mapping rule the correct user would be added to the ACL. Do I have the right grasp on this issue, or am I approaching it incorrectly? Thanks!
            • 3. Re: Active Directory / ACL's
              Cindys-Oracle
              Hi--

              Yes, there is a way to map the Windows users to a Solaris system. You shouldn't have to add them individually.
              I haven't done this myself but I would check this doc, if you haven't already:

              http://docs.oracle.com/cd/E26502_01/html/E29004/mapusergroupidentities.html#scrolltoc

              This doc explains how to create mapping rules and also that you need to configure the Solaris name service to access the Active Directory user and group sources, which is described here:

              http://docs.oracle.com/cd/E26502_01/html/E29002/adsetup-2.html#scrolltoc

              Thanks, Cindy
              • 4. Re: Active Directory / ACL's
                933584
                Hi there. That number is the ephemeral mapping that Solaris does for Windows SIDs to UIDs/GIDs.

                You can do a
                root@husker:~# idmap dump -n
                winuser:ENSUR$@ms.anon.com        ==      uid:2147508226
                winuser:justinp@ms.anon.com       ==      uid:2147508227
                wingroup:Norchem_IT@ms.anon.com   ==      gid:2147508228
                winuser:JUSTINP0$@ms.anon.com     ==      uid:2147508228
                winuser:IT-MGR-SANDY$@ms.anon.com ==      uid:2147508225
                wingroup:ITComputers@ms.anon.com  ==      gid:2147508227
                wingroup:Domain Computers@ms.anon.com     ==      gid:2147508226
                wingroup:sasl@ms.anon.com ==      gid:2147483651
                wingroup:JabberUsers@ms.anon.com  ==      gid:2147483652
                wingroup:labdev@ms.anon.com       ==      gid:2147483653
                wingroup:UnixAdmins@ms.anon.com   ==      gid:2147483655
                to see how it's mapped.

                Here is the doc on how idmap works.
                http://docs.oracle.com/cd/E19963-01/html/821-1449/mapusergroupidentities.html

                The default mode is ephemeral mapping, where it assumes Windows SIDs do not have corresponding Solaris accounts (uid/gid), so it creates an arbitrary uid/gid for them.
                You can change the mode to Identity Management for UNIX (IDMU), which uses the UID/GID assigned by the AD Unix tools, or to rule-based mapping or directory mapping.

                It does survive reboots just fine; having tested that a few times now, I can say it seems to do OK. I don't know if it uses an algorithm or what to figure out the gid such that the same SID generates the same gid each time.

                Edited by: TomS on Feb 20, 2013 2:47 PM
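To make the thread's point checkable, here is an added example (not code from the thread or from Oracle): it parses `ls -v` ACL entries and `idmap dump -n` output, then reports which numeric ACL principals are local ids, which ephemeral ids idmap currently maps to a Windows principal, and which ephemeral ids have no mapping at all (the ones that would silently lose meaning if the idmap cache were ever rebuilt). The 2^31 threshold is Solaris's ephemeral id base; the sample ACL and idmap lines are constructed in the thread's format.

```python
import re
# Solaris allocates ephemeral uids/gids from 2^31 (0x80000000) upward, so a numeric
# ACL principal at or above this base is a mapped Windows SID, not a local account.
EPHEMERAL_BASE = 2 ** 31
IDMAP_RE = re.compile(r'^(winuser|wingroup):(.+?)\s+==\s+(uid|gid):(\d+)$')

def parse_ls_v(text):
    # ls -v wraps long ACEs; continuation lines start with '/', so re-join them first
    entries = []
    for ln in (l.strip() for l in text.splitlines()):
        if ln.startswith('/') and entries:
            entries[-1] += ln
        elif ln:
            entries.append(ln)
    aces = []
    for f in (e.split(':') for e in entries):
        if not f[0].isdigit():
            continue                                 # skip the drwxr-xr-x header line
        if f[1] in ('owner@', 'group@', 'everyone@'):
            who, rest = f[1], f[2:]
        else:                                        # user:NAME or group:NAME
            who, rest = f[1] + ':' + f[2], f[3:]
        flags = rest[1] if len(rest) == 3 else ''     # inheritance field is optional
        aces.append({'index': int(f[0]), 'who': who, 'perms': rest[0].split('/'),
                     'flags': [x for x in flags.split('/') if x], 'type': rest[-1]})
    return aces

def parse_idmap_dump(text):
    # ('uid'|'gid', number) -> Windows principal, from `idmap dump -n` lines
    ms = (IDMAP_RE.match(l.strip()) for l in text.splitlines())
    return {(m.group(3), int(m.group(4))): m.group(2) for m in ms if m}

def audit(aces, idmap):
    # Classify each numeric principal: local id, mapped by idmap, or ephemeral with no mapping
    out = []
    for a in aces:
        kind, _, name = a['who'].partition(':')
        if kind in ('user', 'group') and name.isdigit():
            key = ('uid' if kind == 'user' else 'gid', int(name))
            status = ('local' if key[1] < EPHEMERAL_BASE else
                      'mapped' if key in idmap else 'unmapped-ephemeral')
            out.append((a['index'], status, idmap.get(key, name)))
    return out
# Constructed sample in the thread's format; only one of the two ephemeral ids has a mapping
SAMPLE_ACL = """drwxr-xr-x 3 root root 3 Jan 4 07:05 dir1
0:user:2147483675:list_directory/read_data/add_file/write_data
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
1:group:2147483650:list_directory/read_data/read_xattr/execute:allow
2:user:1001:read_data/read_attributes/read_acl:allow"""
SAMPLE_IDMAP = "wingroup:UnixAdmins@example.com   ==      gid:2147483650\n"
```

Running `audit(parse_ls_v(SAMPLE_ACL), parse_idmap_dump(SAMPLE_IDMAP))` flags entry 0 as an ephemeral id with no current mapping, resolves entry 1 to the Windows group, and leaves entry 2 as a plain local uid.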