Unsolved
SID -> UID/GID Mapping
Hey All -
Thanks for reading this. Here's my problem:
I have a Celerra that I'm having fits with as far as SID - UID/GID mapping. When I create a file on the Windows side on a CIFS share, the UID/GID are all messed up on the NFS export. Likewise vice versa, the windows perms are screwy when I create a file on the Unix side.
Here's my setup:
CIFS Share (Public) that is also an NFS export. I'm using an AD/IdMU environment. I disabled usermapper to no avail (since I learned that if the celerra can't find a UID/GID for the appropriate Windows user, it just makes one up.. which is what I don't want).
Current nsswitch.conf
# /.etc/nsswitch.conf :
#
passwd: files ldap nis
group: files ldap nis
hosts: dns nis files ldap
netgroup: files nis ldap
Current ldap.conf (taken from /.etc/ldap.conf.idmu_template_v1)
#/.etc/ldap.conf:
#
nss_base_passwd cn=Users,dc=lab,dc=xxxxxxxxxxxxx,dc=com
nss_base_group cn=Users,dc=lab,dc=xxxxxxxxxxxxxx,dc=com
nss_base_hosts cn=Computers,dc=lab,dc=xxxxxxxxxxxxx,dc=com
#nss_base_netgroup cn=netgroup,cn=mydomain,cn=DefaultMigrationContainer30,dc=mycomain,dc=com?one
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
# eof
server_ldap server_2 -info -verbose
server_2 :
LDAP domain: lab.xxxxxxxxxxxxx.com
base DN: dc=lab,dc=xxxxxxxxxxxxxx,dc=com
State: Configured - Connected
NIS domain: lab.xxxxxxxxxxxxx.com
Proxy (Bind) DN: cn=administrator,cn=Users,dc=lab,dc=xxxxxxxxxxxx,dc=com
Configuration file - TTL: 1200 seconds
Next configuration update in 406 seconds
DIT schema type: MS
LDAP configuration servers:
Server 192.168.xxx.200 port 389 : Active, disconnected
SSL not enabled, Persona: none specified, Cipher Suite List: none specified
Domain naming contexts:
DC=lab,DC=xxxxxxxxxxxxxxx,DC=com
CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com
CN=Schema,CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com
DC=DomainDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=com
DC=ForestDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=com
Domain supported authentication mechanisms:
GSSAPI
GSS-SPNEGO
EXTERNAL
DIGEST-MD5
Default search base: dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=com
Domain default search scope: ONE
passwd base DN:
cn=Users,dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=com - search scope ONE
passwd object class: User
passwd attributes: cn, uid, uidNumber, gidNumber, unixUserPassword, loginShell, gecos, description
group base DN:
cn=Users,dc=lab,dc=xxxxxxxxxxxxxxx,dc=com - search scope ONE
group object class: Group
group attributes: cn, gidNumber, unixUserPassword, memberUid, description
hosts base DN:
cn=Computers,dc=lab,dc=xxxxxxxxxxxxxx,dc=com - search scope ONE
host object class: Computer
host attributes: cn, ipHostNumber, description
No netgroup base DN
So - here's my problem. I can open a windows share just fine, which is absolutely puzzling to me, because the secmap cache never gets updated. As I type this, I'm connected to the share \\labnas02\public with the user lab\administrator. However, here's my secmap:
server_cifssupport server_2 -secmap -list
SECMAP GROUP MAPPING TABLE
GID Origin Date of creation Name SID
32769 usermapper Tue Sep 14 00:43:59 2010 LAB\Domain Admins S-1-5-15-6e8b75da-370ca1cd-71a54d1a-200
32775 usermapper Tue Sep 14 22:13:53 2010 LAB\Domain Users S-1-5-15-6e8b75da-370ca1cd-71a54d1a-201
32773 usermapper Tue Sep 14 00:43:59 2010 LAB\Schema Admins S-1-5-15-6e8b75da-370ca1cd-71a54d1a-206
32772 usermapper Tue Sep 14 00:43:59 2010 LAB\Enterprise Admins S-1-5-15-6e8b75da-370ca1cd-71a54d1a-207
32771 usermapper Tue Sep 14 00:43:59 2010 LAB\Group Policy Creator Owners S-1-5-15-6e8b75da-370ca1cd-71a54d1a-208
32774 usermapper Tue Sep 14 00:43:59 2010 LAB\Denied RODC Password Replica S-1-5-15-6e8b75da-370ca1cd-71a54d1a-23c
Notice - NO user mapping table..
So, then I began to think. Why do I even need LDAP? Theoretically, the search should stop at the NIS (which is totally functional to all the clients) after it finds the corresponding username in the NIS for administrator and then write it to the secmap cache. Am I wrong?
Any help here would be greatly appreciated.
Chris
cmschube-dell
13 Posts
0
September 14th, 2010 16:00
Nevermind - I forgot that I had the drive mapped as another user... Here's the output.
So - this leads me to three questions:
1. Why is it not pulling the UID/GID from the NIS, for which there is a valid entry?
2. Why is the secmap not getting updated?
Thanks again,
Chris
cmschube-dell
13 Posts
0
September 14th, 2010 16:00
Hey Rainer -
Thanks for taking a look..
We don't have a VDM since we aren't going to be doing any replicating. I remember the installer mentioning something about it and then saying that we don't need one since we won't be replicating.
Do you have any suggestion on which switch/switches to throw on
server_cifssupport?
Thanks,
Chris
cmschube-dell
13 Posts
0
September 14th, 2010 16:00
Rainer,
The secmap is enabled -
Thanks,
Chris
Rainer_EMC
8.6K Posts
0
September 14th, 2010 16:00
are you using a VDM by any chance?
if yes then you might be looking at the wrong secmap - each vdm has its own
if you can connect through CIFS then you definitely got a mapping from somewhere and server_cifssupport will tell you where it came from
without a mapped uid/gid the Celerra wouldn't allow the connect
Rainer
Rainer_EMC
8.6K Posts
0
September 14th, 2010 16:00
of course if you have disabled secmap through a param then looking at the secmap won't do you any good
you then need to use the other server_cifssupport options to check creds
Rainer_EMC
8.6K Posts
0
September 14th, 2010 16:00
then I would suggest to open a service request or try support live chat - maybe someone can dialin and take a look
using multiple mapping methods like NIS and LDAP can be confusing unless you know how it works and have a good reason to do so
Rainer_EMC
8.6K Posts
0
September 14th, 2010 16:00
sorry - not from memory
there should be a manual or technote about it on Powerlink
if you can write a file from Windows then you did get a mapping for uid/gid
we don't "make them up"
Rainer_EMC
8.6K Posts
0
September 14th, 2010 17:00
if you want to use NIS for user mapping you either need to have the passwd/group entries there with both domain and user or drop the domain via cifs.resolver param
also don't forget case sensitivity
In general - when doing multi-protocol I recommend reading and understanding the relevant manuals
Rainer_EMC
8.6K Posts
0
September 14th, 2010 17:00
you do realize your ldap.conf says to first look at LDAP - if it gets a mapping there it won't look at NIS
bergec
275 Posts
1
September 14th, 2010 23:00
Have you checked that you can get a valid UID or GID mapping with "server_ldap server_2 -lookup" (check exact syntax)
Also check CIFS resolver param. By default the DM searches user.domain (not just user). Use server_param command to change it, name of the facility is "cifs"
Claude
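A simplified model of the lookup chain the replies in this thread describe (secmap cache first, then the nsswitch sources in order, the user.domain resolver form versus a bare user name, case-sensitive matching, and usermapper allocating a fresh id when nothing matches), written as an added example for this thread and not Celerra code; the directory contents, the class and its method names, and the 32768 allocation base are constructed assumptions:

```python
# Simplified model (constructed for this thread, not Celerra code) of how a
# CIFS user is turned into a UID: secmap cache, then nsswitch sources in
# order, then usermapper as the fallback that hands out a new id.
# Assumptions: first source with a hit wins; matching is case-sensitive;
# the default resolver form is "user.domain" unless the domain is dropped.

USERMAPPER_BASE = 32768  # assumed start of the range usermapper allocates

# Constructed directory contents, keyed exactly as stored in each source.
LDAP_PASSWD = {"administrator": 10000, "chris": 10001}  # AD/IdMU uidNumber
NIS_PASSWD = {"administrator": 10000, "alice": 10002}   # plain NIS passwd map
SOURCES = {"files": {}, "ldap": LDAP_PASSWD, "nis": NIS_PASSWD}


class Celerra:
    def __init__(self, nsswitch="files ldap nis", drop_domain=False):
        self.order = nsswitch.split()   # passwd line of nsswitch.conf
        self.drop_domain = drop_domain  # models the cifs resolver param
        self.secmap = {}                # permanent cache: (domain, user) -> (uid, origin)
        self.next_free = USERMAPPER_BASE

    def resolve(self, domain, user):
        key = (domain, user)
        if key in self.secmap:          # a cached entry is never re-resolved
            return self.secmap[key]
        name = user if self.drop_domain else f"{user}.{domain}"
        for src in self.order:          # first source that answers wins
            uid = SOURCES[src].get(name)  # exact, case-sensitive match
            if uid is not None:
                self.secmap[key] = (uid, src)
                return self.secmap[key]
        # nothing matched: usermapper allocates a fresh id and it gets cached
        self.secmap[key] = (self.next_free, "usermapper")
        self.next_free += 1
        return self.secmap[key]

    def secmap_delete(self, domain, user):
        # stands in for explicitly deleting the entry with server_cifssupport
        self.secmap.pop((domain, user), None)


def demo():
    dm = Celerra()
    first = dm.resolve("lab", "administrator")  # "administrator.lab" misses everywhere
    dm.drop_domain = True                        # fix the resolver param...
    still = dm.resolve("lab", "administrator")  # ...but the cached usermapper id persists
    dm.secmap_delete("lab", "administrator")     # clear the stale entry
    fixed = dm.resolve("lab", "administrator")  # now LDAP answers before NIS is tried
    wrong_case = dm.resolve("lab", "Administrator")  # case mismatch falls to usermapper
    return first, still, fixed, wrong_case
```

Running demo() shows why a stale secmap entry has to be removed after the resolver fix, and why LDAP, listed before NIS, is the source that actually answers.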
cmschube-dell
13 Posts
0
September 15th, 2010 04:00
Hey Claude -
Thanks for the response.
I did get this working last night. Funny though, the ultimate resolution was to disable the cifs facility param (set it to 1 - even though everything I read told me to leave it enabled for an AD/IdMU configuration). I disabled my usermapper service and had to clean out some residual entries. I didn't realize that disabling the usermapper service just caused the dm to continue to query the usermapper's existing entries, just not to add new entries.
One thing I did notice though is that I had to query LDAP for the UID via "server_ldap server_2 -lookup -uid" before I could get "server_ldap server_2 -lookup -name -domain " to work. I don't think that should be normal operation?
But anywho, that should take care of this problem. Now to figure out why NFS is so bloody slow (4Mb/sec MAX copy rate ).
Thanks again everyone for the replies.
Chris
Rainer_EMC
8.6K Posts
0
September 15th, 2010 08:00
keep in mind that secmap is a permanent cache - an entry there will never get updated or expire unless you explicitly delete it with server_cifssupport