September 14th, 2010 16:00

SID -> UID/GID Mapping

Hey All -

Thanks for reading this. Here's my problem:

I have a Celerra that I'm having fits with as far as SID - UID/GID mapping. When I create a file on the Windows side on a CIFS share, the UID/GID are all messed up on the NFS export. Likewise vice versa, the Windows perms are screwy when I create a file on the Unix side.

Here's my setup:

CIFS Share (Public) that is also an NFS export. I'm using an AD/IdMU environment. I disabled usermapper to no avail (since I learned that if the celerra can't find a UID/GID for the appropriate Windows user, it just makes one up.. which is what I don't want).

Current nsswitch.conf

# /.etc/nsswitch.conf :
#
passwd:         files ldap nis
group:          files ldap nis
hosts:          dns nis files ldap
netgroup:       files nis ldap

Current ldap.conf (taken from /.etc/ldap.conf.idmu_template_v1)

#/.etc/ldap.conf:
#
nss_base_passwd cn=Users,dc=lab,dc=xxxxxxxxxxxxx,dc=com
nss_base_group cn=Users,dc=lab,dc=xxxxxxxxxxxxxx,dc=com
nss_base_hosts cn=Computers,dc=lab,dc=xxxxxxxxxxxxx,dc=com
#nss_base_netgroup cn=netgroup,cn=mydomain,cn=DefaultMigrationContainer30,dc=mycomain,dc=com?one
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
# eof

server_ldap server_2 -info -verbose

server_2 :
LDAP domain: lab.xxxxxxxxxxxxx.com
     base DN: dc=lab,dc=xxxxxxxxxxxxxx,dc=com
     State: Configured - Connected
NIS domain: lab.xxxxxxxxxxxxx.com
Proxy (Bind) DN: cn=administrator,cn=Users,dc=lab,dc=xxxxxxxxxxxx,dc=com
     Configuration file - TTL: 1200 seconds
     Next configuration update in 406 seconds
     DIT schema type: MS
LDAP configuration servers:
     Server 192.168.xxx.200 port 389 : Active, disconnected
       SSL not enabled, Persona: none specified, Cipher Suite List: none specified
Domain naming contexts:
     DC=lab,DC=xxxxxxxxxxxxxxx,DC=com
     CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com
     CN=Schema,CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com

     DC=DomainDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=com
     DC=ForestDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=com

Domain supported authentication mechanisms:
     GSSAPI
     GSS-SPNEGO
     EXTERNAL
     DIGEST-MD5

Default search base: dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=com
Domain default search scope: ONE
     passwd base DN:
          cn=Users,dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=com - search scope ONE
          passwd object class: User
          passwd attributes: cn, uid, uidNumber, gidNumber, unixUserPassword, loginShell, gecos, description
     group base DN:
          cn=Users,dc=lab,dc=xxxxxxxxxxxxxxx,dc=com - search scope ONE
          group object class: Group
          group attributes: cn, gidNumber, unixUserPassword, memberUid, description
     hosts base DN:
          cn=Computers,dc=lab,dc=xxxxxxxxxxxxxx,dc=com - search scope ONE
          host object class: Computer
          host attributes: cn, ipHostNumber, description
     No netgroup base DN

So - here's my problem. I can open a windows share just fine, which is absolutely puzzling to me, because the secmap cache never gets updated. As I type this, I'm connected to the share \\labnas02\public with the user lab\administrator. However, here's my secmap:

server_cifssupport server_2 -secmap -list

SECMAP GROUP MAPPING TABLE

GID         Origin      Date of creation         Name                            SID
32769       usermapper  Tue Sep 14 00:43:59 2010 LAB\Domain Admins               S-1-5-15-6e8b75da-370ca1cd-71a54d1a-200
32775       usermapper  Tue Sep 14 22:13:53 2010 LAB\Domain Users                S-1-5-15-6e8b75da-370ca1cd-71a54d1a-201
32773       usermapper  Tue Sep 14 00:43:59 2010 LAB\Schema Admins               S-1-5-15-6e8b75da-370ca1cd-71a54d1a-206
32772       usermapper  Tue Sep 14 00:43:59 2010 LAB\Enterprise Admins           S-1-5-15-6e8b75da-370ca1cd-71a54d1a-207
32771       usermapper  Tue Sep 14 00:43:59 2010 LAB\Group Policy Creator Owners S-1-5-15-6e8b75da-370ca1cd-71a54d1a-208
32774       usermapper  Tue Sep 14 00:43:59 2010 LAB\Denied RODC Password ReplicaS-1-5-15-6e8b75da-370ca1cd-71a54d1a-23c

Notice - NO user mapping table..

So, then I began to think. Why do I even need LDAP? Theoretically, the search should stop at the NIS (which is totally functional to all the clients) after it finds the corresponding username in the NIS for administrator and then write it to the secmap cache. Am I wrong?

Any help here would be greatly appreciated.

Chris

September 14th, 2010 16:00

Nevermind - I forgot that I had the drive mapped as another user... Here's the output.


server_cifssupport server_2 -cred -name cmschube -domain lab
server_2 : done

ACCOUNT GENERAL INFORMATION

Name                     : cmschube
Domain                   : LAB
Server                   : LABNAS02
Primary SID              : S-1-5-15-6e8b75da-370ca1cd-71a54d1a-457
UID                      : 32768
GID                      : 32768
Authentification         : KERBEROS
Privileges               : 0x7f
                         : 0x00001  => SeTakeOwnerShip
                         : 0x00002  => SeBackup
                         : 0x00004  => SeRestore
                         : 0x00008  => SeChangeNotify
                         : 0x00010  => SeAudit
                         : 0x00020  => SeIncreaseQuota
                         : 0x00040  => SeSecurity
System privileges        : 0x3
                         : 0x00001  => SysOpenLocally
                         : 0x00002  => SysAccessNetworkLogon
Extra credential data    : 0xe
                         : 0x00002  => Bypass Traverse Checking
                         : 0x00004  => Security
                         : 0x00008  => Backup Or Restore Privileges
NT administrator         : True
NT credential capability : 0x2
                         : 0x00002  => Kerberos Auth Used

ACCOUNT GROUPS INFORMATION

Type UNIX ID    Name                Domain              SID
NT   32769      Domain Admins       LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-200
NT   10000      Domain Users        LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-201
NT   32774      Denied RODC Pass    LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-23c
NT   4294967294 Everyone                                S-1-1-0
NT   4294967294 NETWORK             NT AUTHORITY        S-1-5-2
NT   4294967294 Authenticated Us    NT AUTHORITY        S-1-5-b
NT   2151678496 Administrators      BUILTIN             S-1-5-20-220
NT   2151678497 Users               BUILTIN             S-1-5-20-221
NT   1          UNIX GID=0x1 &ap                        S-1-5-12-2-1
UNIX 32769
UNIX 10000      Domain Users
UNIX 32774
UNIX 4294967294
UNIX 2151678496
UNIX 2151678497
UNIX 1

So - this leads me to three questions:

1. Why is it not pulling the UID/GID from the NIS - for which there is a valid entry

2. Why is the secmap not getting updated?

Thanks again,

Chris

September 14th, 2010 16:00

Hey Rainer -

Thanks for taking a look..

We don't have a VDM since we aren't going to be doing any replicating. I remember the installer mentioning something about it and then saying that we don't need one since we won't be replicating.

Do you have any suggestion on which switch/switches to throw on server_cifssupport?

Thanks,

Chris

September 14th, 2010 16:00

Rainer,

The secmap is enabled -


SECMAP GENERAL INFORMATION

Name             : server_2
State            : Enabled
Fs               : /
Used nodes       : 6
Used blocks      : 8192


SECMAP MAPPED DOMAIN

Name                    SID
lab                     S-1-5-15-6e8b75da-370ca1cd-71a54d1a-ffffffff

Thanks,

Chris

8.6K Posts

September 14th, 2010 16:00

are you using a VDM by any chance?

if yes then you might be looking at the wrong secmap - each vdm has its own

if you can connect through CIFS then you definitely got a mapping from somewhere and server_cifssupport will tell you where it came from

without a mapped uid/gid the Celerra wouldn't allow the connect

Rainer

8.6K Posts

September 14th, 2010 16:00

of course if you have disabled secmap through a param then looking at the secmap won't do you any good

you then need to use the other server_cifssupport options to check creds

8.6K Posts

September 14th, 2010 16:00

then I would suggest to open a service request or try support live chat - maybe someone can dialin and take a look

using multiple mapping methods like NIS and LDAP can be confusing unless you know how it works and have a good reason to do so

8.6K Posts

September 14th, 2010 16:00

sorry - not from memory

there should be a manual or technote about it on Powerlink

if you can write a file from Windows then you did get a mapping for uid/gid

we don't "make them up"

8.6K Posts

September 14th, 2010 17:00

if you want to use NIS for user mapping you either need to have the passwd/group entries there with both domain and user or drop the domain via cifs.resolver param

also don't forget case sensitivity

In general - when doing multi-protocol I recommend reading and understanding the relevant manuals

8.6K Posts

September 14th, 2010 17:00

you do realize your ldap.conf says to first look at LDAP - if it gets a mapping there it won't look at NIS

275 Posts

September 14th, 2010 23:00

Have you checked that you can get a valid UID or GID mapping with "server_ldap server_2 -lookup" (check exact syntax)

Also check CIFS resolver param. By default the DM searches user.domain (not just user). Use server_param command to change it, name of the facility is "cifs"

Claude

September 15th, 2010 04:00

Hey Claude -

Thanks for the response.

bergec wrote:

Have you checked that you can get a valid UID or GID mapping with "server_ldap server_2 -lookup" (check exact syntax)

Also check CIFS resolver param. By default the DM searches user.domain (not just user). Use server_param command to change it, name of the facility is "cifs"

Claude

I did get this working last night. Funny though, the ultimate resolution was to disable the cifs facility param (set it to 1 - even though everything I read told me to leave it enabled for an AD/IdMU configuration). I disabled my usermapper service and had to clean out some residual entries. I didn't realize that disabling the usermapper service just caused the dm to continue to query the usermapper's existing entries, just not to add new entries.

One thing I did notice though is that I had to query LDAP for the UID via "server_ldap server_2 -lookup -uid " before I could get "server_ldap server_2 -lookup -name -domain " to work. I don't think that should be normal operation?

But anywho, that should take care of this problem. Now to figure out why NFS is so bloody slow (4Mb/sec MAX copy rate).

Thanks again everyone for the replies.

Chris

8.6K Posts

September 15th, 2010 08:00

keep in mind that secmap is a permanent cache - an entry there will never get updated or expire unless you explicitly delete it with server_cifssupport
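The mechanics Rainer and Claude describe in this thread (nsswitch sources tried in order with the first answer winning, a resolver that looks up "user.domain" by default rather than plain "user", case-sensitive names, an allocated ID when nothing answers, and a secmap cache that never expires until an entry is deleted) as a small model in Python. This is an added illustration, not Celerra code and not anything posted by the participants: the source order, the passwd entries, the placeholder SIDs and the usermapper-style allocator starting at 32768 (the base seen in the secmap listing above) are constructed for the example, and the allocation rule is a simplification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    """A resolved UNIX identity and the source that supplied it."""
    uid: int
    gid: int
    origin: str


class NameService:
    """One nsswitch source (files, ldap or nis) with passwd-style entries.

    Keys are login names exactly as stored, so lookups are case-sensitive,
    which is the pitfall Rainer points out.
    """

    def __init__(self, name: str, entries: Dict[str, Tuple[int, int]]):
        self.name = name
        self.entries = entries  # login name -> (uid, gid); constructed data

    def lookup(self, key: str) -> Optional[Mapping]:
        hit = self.entries.get(key)
        return Mapping(hit[0], hit[1], self.name) if hit else None


class Resolver:
    """Walks the configured sources in nsswitch order; the first answer wins.

    append_domain=True models the default resolver key "user.domain" that
    Claude mentions; False models the plain "user" key. When no source
    answers, a usermapper-style allocator hands out the next free ID starting
    at usermapper_base (an assumption of this model, using the 32768 base
    visible in the thread). Every result lands in a permanent secmap-style
    cache keyed by SID.
    """

    def __init__(self, sources: List[NameService], append_domain: bool = True,
                 usermapper_base: int = 32768):
        self.sources = sources
        self.append_domain = append_domain
        self.next_id = usermapper_base
        self.secmap: Dict[str, Mapping] = {}  # SID -> Mapping; never expires

    def key_for(self, user: str, domain: str) -> str:
        return f"{user}.{domain}" if self.append_domain else user

    def resolve(self, sid: str, user: str, domain: str) -> Mapping:
        if sid in self.secmap:  # cache hit: the backends are not consulted again
            return self.secmap[sid]
        key = self.key_for(user, domain)
        found = None
        for source in self.sources:  # first source that answers ends the search
            found = source.lookup(key)
            if found is not None:
                break
        if found is None:  # nothing answered: allocate a fresh ID like usermapper
            found = Mapping(self.next_id, self.next_id, "usermapper")
            self.next_id += 1
        self.secmap[sid] = found
        return found

    def forget(self, sid: str) -> None:
        """Explicit deletion is the only way a cached entry ever changes."""
        self.secmap.pop(sid, None)


def run_scenario() -> Dict[str, Mapping]:
    """Replays the thread's situation on constructed data and returns each step."""
    # Constructed directory contents: NIS knows 'administrator' but not
    # 'administrator.lab'; LDAP and NIS disagree about 'cmschube'.
    files = NameService("files", {})
    ldap = NameService("ldap", {"cmschube": (5000, 5000)})
    nis = NameService("nis", {"administrator": (1000, 1000), "cmschube": (6000, 6000)})
    # Placeholder SIDs, not real ones.
    sid_admin, sid_admin2, sid_user = "S-1-5-EXAMPLE-500", "S-1-5-EXAMPLE-501", "S-1-5-EXAMPLE-457"
    out: Dict[str, Mapping] = {}

    resolver = Resolver([files, ldap, nis])  # nsswitch.conf order: files ldap nis
    # 1. Default key is "administrator.lab": no source has it, so usermapper allocates 32768.
    out["admin_miss"] = resolver.resolve(sid_admin, "administrator", "lab")
    # 2. Changing the resolver afterwards does not help: the permanent cache still answers.
    resolver.append_domain = False
    out["admin_cached_after_fix"] = resolver.resolve(sid_admin, "administrator", "lab")
    # 3. Only after the stale entry is deleted does the NIS entry get used.
    resolver.forget(sid_admin)
    out["admin_after_forget"] = resolver.resolve(sid_admin, "administrator", "lab")
    # 4. Case matters: "Administrator" is not "administrator", so it misses again.
    out["case_miss"] = resolver.resolve(sid_admin2, "Administrator", "lab")
    # 5. With LDAP ahead of NIS in nsswitch order, the LDAP answer wins even
    #    though NIS also has the user.
    out["ldap_wins"] = resolver.resolve(sid_user, "cmschube", "lab")
    return out


if __name__ == "__main__":
    for step, mapping in run_scenario().items():
        print(f"{step:24s} uid={mapping.uid:<10d} origin={mapping.origin}")
```

Step 2 is the point of the last reply: once a wrong mapping is cached, fixing nsswitch.conf, ldap.conf or the resolver parameter changes nothing for that SID until the entry is removed, which is why a cleanup of residual entries was part of the fix described earlier in the thread.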
