AD joined system can no longer auth against administrators@BUILTIN
Some time between OmniOS r151030ap and r151030cm, authenticating against the AD group administrators@BUILTIN stopped working for our AD-joined OmniOS systems.
- Install OmniOS and join an AD domain; I followed the Solaris steps as outlined at https://docs.oracle.com/cd/E23824_01/html/821-1449/configuringoperationmodetm.html
- Create an SMB share: zfs create -o casesensitivity=mixed -o nbmand=on -o sharesmb=name=test-share rpool/smb-test-share
- Set up ACLs so all in administrators@BUILTIN have access:
  - idmap show -c administrators@builtin (Note the GID, 2147483650 in my example)
  - /usr/bin/chmod A=group:2147483650:rwxpdDaARWcCos:fd:allow /rpool/smb-test-share/.zfs/shares/test-share
  - /usr/bin/chmod A=group:2147483650:rwxpdDaARWcCos:fd:allow /rpool/smb-test-share
- Access the SMB share with an account that is a member of administrators@BUILTIN
On r151030ap and earlier, accessing the share will work. On r151030cm you'll be prompted for credentials and will not be able to auth even with valid creds. I don't know where in between the break occurs. Looking at the release notes, r151030cf had an update relating to SMB for macOS Big Sur clients, and r151030cm was the CVE-2020-1472 Zerologon update, so my suspicion would be one of those two.