Bug #2271

open

CIFS clients fail to authenticate when idmap is using IDMU

Added by Raul Rangel about 9 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee:
Category: OS/Net (Kernel and Userland)
Target version: -
Start date: 2012-03-10
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: cifs

Description

I joined my OI box to AD successfully:

root@staypuft:~# smbadm list
[*] [AD]
[*] [ad.ismell.org]
[+oracle.ad.ismell.org] [10.0.0.2]
[.] [STAYPUFT] [S-1-5-21-1624921585-1963576407-4047943756]
[*] [AD] [S-1-5-21-3978222023-495330413-1469327242]

I then set my idmap to use IDMU based mapping as described here: http://docs.oracle.com/cd/E19963-01/html/821-1449/manageidmutm.html#enableidmusupporttask


$ svccfg -s svc:/system/idmap setprop \
    config/directory_based_mapping = astring: idmu
$ svcadm refresh svc:/system/idmap

Then I created some ZFS shares and tried to connect to them with my Windows box. The result was the login prompt kept popping up. This happened from both a computer joined to AD and not.

Doing an idmap dump I got the following:

root@staypuft:~/bin# idmap dump -n
winuser:Guest@staypuft uid:2147483649
wingroup:Domain Users@staypuft gid:2147483652
wingroup:Guests@BUILTIN gid:2147483653
wingroup:Domain Admins@ad.ismell.org gid:2147483654
wingroup:Group Policy Creator gid:2147483655
wingroup:Enterprise Admins@ad.ismell.org gid:2147483656
wingroup:Schema gid:2147483657
wingroup:Denied RODC Password Replication Group@ad.ismell.org gid:2147483658
wingroup:Administrators@BUILTIN gid:2147483659
winuser:me@ad.ismell.org uid:10001
wingroup:Backup gid:10003
wingroup:Web Developers@ad.ismell.org gid:10005
wingroup:Domain gid:10000
wingroup:Network gid:2147483650
wingroup:Authenticated Users gid:2147483651
winuser:Administrator@ad.ismell.org unixuser:root
gsid:S-1-5-21-1624921585-1963576407-4047943756-2147483648 == unixgroup:root

idmap did correctly look up my domain user ()

When looking at the smbd logs I saw the following:

Mar 6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument
Mar 6 17:55:32 indiana smbd[4229]: [ID 160719 auth.alert] adt_set_user: Invalid argument

So my guess is idmap is not passing IDMU mapped users correctly to smbd?

To add another data point, I have tried the same procedure on NexentaStor and everything works as expected.

Thanks,
Raul
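
An added example, not part of the original report and not illumos code: a small parser for the `idmap dump -n` output shown above that separates ephemeral IDs (above MAXUID, i.e. 2^31 and up, allocated dynamically by idmap) from IDs below that range, which is a quick way to confirm which Windows accounts received a directory- or rule-based mapping such as `me@ad.ismell.org`. The function names and the `SAMPLE` constant are illustrative assumptions; the sample lines are a subset copied from the dump in the report.

```python
import re

# IDs above MAXUID (2^31 - 1) are ephemeral: idmap allocated them dynamically
# instead of taking them from a directory attribute or a name-based rule.
EPHEMERAL_BASE = 2**31

# Constructed sample: a subset of the lines from the dump in the report.
SAMPLE = """\
winuser:Guest@staypuft uid:2147483649
wingroup:Domain Admins@ad.ismell.org gid:2147483654
winuser:me@ad.ismell.org uid:10001
wingroup:Web Developers@ad.ismell.org gid:10005
winuser:Administrator@ad.ismell.org unixuser:root
gsid:S-1-5-21-1624921585-1963576407-4047943756-2147483648 == unixgroup:root
"""

# Windows side, optional direction marker (==, =>, <=), UNIX side.
# Windows names may contain spaces, hence the non-greedy name group.
LINE = re.compile(
    r"^(?P<wtype>winuser|wingroup|usid|gsid|sid):(?P<wname>.+?)\s+"
    r"(?:(?:==|=>|<=)\s+)?"
    r"(?P<utype>uid|gid|unixuser|unixgroup):(?P<uval>\S+)\s*$"
)

def parse_dump(text):
    """Return one dict per mapping line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        if e["utype"] in ("uid", "gid") and e["uval"].isdigit():
            e["id"] = int(e["uval"])
            e["kind"] = "ephemeral" if e["id"] >= EPHEMERAL_BASE else "persistent"
        else:
            e["id"] = None          # dump shows a UNIX name, not a numeric ID
            e["kind"] = "unix-name"
        entries.append(e)
    return entries

def persistent_users(entries):
    """Windows users that resolved to a real (non-ephemeral) UID."""
    return [(e["wname"], e["id"]) for e in entries
            if e["wtype"] in ("winuser", "usid") and e["kind"] == "persistent"]

if __name__ == "__main__":
    for e in parse_dump(SAMPLE):
        print(f'{e["kind"]:<10} {e["wtype"]}:{e["wname"]} -> {e["utype"]}:{e["uval"]}')
    print("non-ephemeral users:", persistent_users(parse_dump(SAMPLE)))
```
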
