Bug #14034

open

AD joined system can no longer auth against administrators@BUILTIN

Added by Joshua Coombs 9 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Some time between OmniOS r151030ap and r151030cm, authenticating against the AD group administrators@BUILTIN stopped working for our AD joined OmniOS systems.

To replicate:
- Install OmniOS, join an AD domain. I followed the Solaris steps as outlined at https://docs.oracle.com/cd/E23824_01/html/821-1449/configuringoperationmodetm.html
- Create an SMB share: zfs create -o casesensitivity=mixed -o nbmand=on -o sharesmb=name=test-share rpool/smb-test-share
- Set up ACLs so all in administrators@BUILTIN have access:
  - idmap show -c administrators@builtin (Note the GID, 2147483650 in my example)
  - /usr/bin/chmod A=group:2147483650:rwxpdDaARWcCos:fd:allow /rpool/smb-test-share/.zfs/shares/test-share
  - /usr/bin/chmod A=group:2147483650:rwxpdDaARWcCos:fd:allow /rpool/smb-test-share
- Access the SMB share with an account that is a member of administrators@BUILTIN

On r151030ap and earlier, accessing the share will work. On r151030cm you'll be prompted for credentials and will not be able to auth even with valid creds. I don't know where in between the break occurs. Looking at the release notes, r151030cf had an update relating to SMB for macOS Big Sur clients and r151030cm was the CVE-2020-1472 Zerologon update, so my suspicion would be one of those two.
