SID - UID/GID Mapping

Question

Hey All - Thanks for reading this. Here's my problem: I have an Celerra that I'm having fits with as far as SID - UID/GID mapping. When I create a file on the Windows side on a CIFS share, the UID/GID are all messed up on the NFS export. Likewise vice versa, the windows perms are screwy when I create a file on the Unix side. Here's my setup: CIFS Share (Public) that is also an NFS export. I'm using an AD/IdMU environment. I disabled usermapper to no avail (since I learned that if the celerra can't find a UID/GID for the appropriate Windows user, it just makes one up.. which is what I don't want). Current nsswitch.conf # /.etc/nsswitch.conf :#passwd:         files ldap nisgroup:          files ldap nishosts:          dns nis files ldapnetgroup:       files nis ldap Current ldap.conf (taken from /.etc/ldap.conf.idmu_template_v1) #/.etc/ldap.conf:#nss_base_passwd cn=Users,dc=lab,dc=xxxxxxxxxxxxx,dc=comnss_base_group cn=Users,dc=lab,dc=xxxxxxxxxxxxxx,dc=comnss_base_hosts cn=Computers,dc=lab,dc=xxxxxxxxxxxxx,dc=com#nss_base_netgroup cn=netgroup,cn=mydomain,cn=DefaultMigrationContainer30,dc=mycomain,dc=com?one# Objectsnss_map_objectclass posixAccount Usernss_map_objectclass posixGroup Groupnss_map_objectclass ipHost Computer# Attributesnss_map_attribute userPassword unixUserPasswordnss_map_attribute homeDirectory unixHomeDirectory# eof server_ldap server_2 -info -verbose server_2 :LDAP domain: lab.xxxxxxxxxxxxx.com     base DN: dc=lab,dc=xxxxxxxxxxxxxx,dc=com     State: Configured - ConnectedNIS domain: lab.xxxxxxxxxxxxx.comProxy (Bind) DN: cn=administrator,cn=Users,dc=lab,dc=xxxxxxxxxxxx,dc=com     Configuration file - TTL: 1200 seconds     Next configuration update in 406 seconds     DIT schema type: MSLDAP configuration servers:     Server 192.168.xxx.200 port 389 : Active, disconnected       SSL not enabled, Persona: none specified, Cipher Suite List: none specifiedDomain naming contexts:     DC=lab,DC=xxxxxxxxxxxxxxx,DC=com     CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com     CN=Schema,CN=Configuration,DC=lab,DC=xxxxxxxxxxxxxx,DC=com     DC=DomainDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=com     DC=ForestDnsZones,DC=lab,DC=xxxxxxxxxxxxxxxxx,DC=comDomain supported authentication mechanisms:     GSSAPI     GSS-SPNEGO     EXTERNAL     DIGEST-MD5Default search base: dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=comDomain default search scope: ONE     passwd base DN:          cn=Users,dc=lab,dc=xxxxxxxxxxxxxxxxx,dc=com - search scope ONE          passwd object class: User          passwd attributes: cn, uid, uidNumber, gidNumber, unixUserPassword, loginShell, gecos, description     group base DN:          cn=Users,dc=lab,dc=xxxxxxxxxxxxxxx,dc=com - search scope ONE          group object class: Group          group attributes: cn, gidNumber, unixUserPassword, memberUid, description     hosts base DN:          cn=Computers,dc=lab,dc=xxxxxxxxxxxxxx,dc=com - search scope ONE          host object class: Computer          host attributes: cn, ipHostNumber, description     No netgroup base DN So - here's my problem. I can open a windows share just fine, which is absolutely puzzling to me, because the secmap cache never gets updated. As I type this, I'm connected to the share \labnas02\public with the user lab\administrator. However, here's my secmap: server_cifssupport server_2 -secmap -list SECMAP GROUP MAPPING TABLEGID         Origin      Date of creation         Name                            SID32769       usermapper  Tue Sep 14 00:43:59 2010 LAB\Domain Admins               S-1-5-15-6e8b75da-370ca1cd-71a54d1a-20032775       usermapper  Tue Sep 14 22:13:53 2010 LAB\Domain Users                S-1-5-15-6e8b75da-370ca1cd-71a54d1a-20132773       usermapper  Tue Sep 14 00:43:59 2010 LAB\Schema Admins               S-1-5-15-6e8b75da-370ca1cd-71a54d1a-20632772       usermapper  Tue Sep 14 00:43:59 2010 LAB\Enterprise Admins           S-1-5-15-6e8b75da-370ca1cd-71a54d1a-20732771       usermapper  Tue Sep 14 00:43:59 2010 LAB\Group Policy Creator Owners S-1-5-15-6e8b75da-370ca1cd-71a54d1a-20832774       usermapper  Tue Sep 14 00:43:59 2010 LAB\Denied RODC Password ReplicaS-1-5-15-6e8b75da-370ca1cd-71a54d1a-23c Notice - NO user mapping table.. So, then I began to think. Why do I even need LDAP? Theoretically, the search should stop at the NIS (which it totally functional to all the clients) after it finds the corresponding username in the NIS for adminstrator and then write it to the secmap cache. Am I wrong? Any help here would be greatly appreciated. Chris

cmschube-dell · Answer

Nevermind - I forgot that I had the drive mapped as another user... Here's the output.

server_cifssupport server_2 -cred -name cmschube -domain lab
server_2 : done

ACCOUNT GENERAL INFORMATION

Name                     : cmschube
Domain                   : LAB
Server                   : LABNAS02
Primary SID              : S-1-5-15-6e8b75da-370ca1cd-71a54d1a-457
UID                      : 32768
GID                      : 32768
Authentification         : KERBEROS
Privileges               : 0x7f
                         : 0x00001 => SeTakeOwnerShip
                         : 0x00002 => SeBackup
                         : 0x00004 => SeRestore
                         : 0x00008 => SeChangeNotify
                         : 0x00010 => SeAudit
                         : 0x00020 => SeIncreaseQuota
                         : 0x00040 => SeSecurity
System privileges        : 0x3
                         : 0x00001 => SysOpenLocally
                         : 0x00002 => SysAccessNetworkLogon
Extra credential data    : 0xe
                         : 0x00002 => Bypass Traverse Checking
                         : 0x00004 => Security
                         : 0x00008 => Backup Or Restore Privileges
NT administrator         : True
NT credential capability : 0x2
                         : 0x00002 => Kerberos Auth Used

ACCOUNT GROUPS INFORMATION

Type UNIX ID    Name                Domain              SID
NT   32769      Domain Admins       LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-200
NT   10000      Domain Users        LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-201
NT   32774      Denied RODC Pass    LAB                 S-1-5-15-6e8b75da-370ca1cd-71a54d1a-23c
NT   4294967294 Everyone                                S-1-1-0
NT   4294967294 NETWORK             NT AUTHORITY        S-1-5-2
NT   4294967294 Authenticated Us    NT AUTHORITY        S-1-5-b
NT   2151678496 Administrators      BUILTIN             S-1-5-20-220
NT   2151678497 Users               BUILTIN             S-1-5-20-221
NT   1          UNIX GID=0x1 &ap                        S-1-5-12-2-1
UNIX 32769
UNIX 10000      Domain Users
UNIX 32774
UNIX 4294967294
UNIX 2151678496
UNIX 2151678497
UNIX 1

So - this leads me to three questions:

1. Why is it not pulling the UID/GID from the NIS - which there is a valid entry

2. Why is the secmap not getting updated?

Thanks again,

Chris

cmschube-dell · Answer

Hey Rainer -

Thanks for taking a look..

We don't have a VDM since we aren't going to be doing any replicating, I

remember the installer mentioning something about it and then saying that

we don't need one since we won't be replicating.

Do you have any suggestion on which switch/switches to throw on

server_cifssupport?

Thanks,

Chris

cmschube-dell · Answer

Rainer,

The secmap is enabled -

SECMAP GENERAL INFORMATION

Name             : server_2
State            : Enabled
Fs               : /
Used nodes       : 6
Used blocks      : 8192

SECMAP MAPPED DOMAIN

Name                    SID
lab                     S-1-5-15-6e8b75da-370ca1cd-71a54d1a-ffffffff

Thanks,

Chris

Rainer_EMC · Answer

are you using a VDM by any chance?

if yes then you might be looking at the wrong secmap - each vdm has it's own

if you can connect through CIFS then you definitely got a mapping from somewhere and server_cifssupport will tell you where it came from

without a mapped uid/gid the Celerra wouldn't allow the connect

Rainer

Rainer_EMC · Answer

of course if you have disabled secmap through a param then looking at the secmap won't do you any good you then need to use the other server_cifssupport options to check creds

Rainer_EMC · Answer

then I would suggest to open a service request or try support live chat - maybe someone can dialin and take a look

using multiple mapping methods like NIS and LDAP can be confusing unless you know how it works and have a good reason to do so

Rainer_EMC · Answer

sorry - not from memory there should be a manual or technote about it on Powerlinkif you can write a file from Windows then you did get a mapping for uid/gidwe don't 'make them up'

Rainer_EMC · Answer

if you want to use NIS for user mapping you either need to have the passwd/group entries there with both domain and user or drop the domain via cifs.resolver param

also don't forget case sensitivity

In general - when doing multi-protocol I recommend reading and understanding the relevant manuals

Rainer_EMC · Answer

you do realize you ldap.conf says to first look at LDAP - if it gets a mapping there it won't look at NIS

bergec · Answer

Have you checked that you can get a valid UID or GID mapping with "server_ldap server_2 -lookup" (check exact syntax)

Also check CIFS resolver param. By default the DM searches user.domain (not just user). Use server_param command to change it, name of the facility is "cifs"

Claude

cmschube-dell · Answer

Hey Claude -Thanks for the response.bergec wrote:Have you checked that you can get a valid UID or GID mapping with 'server_ldap server_2 -lookup' (check exact syntax)Also check CIFS resolver param. By default the DM searches user.domain (not just user). Use server_param command to change it, name of the facility is 'cifs'ClaudeI did get this working last night. Funny though, the ultimate resolution was to disable the cifs facility param (set it to 1 - even though everything I read told me to leave it enabled for an AD/IdMU configuration). I disabled my usermapper service and had to clean out some residual entries. I didn't realize that disabling the usermapper service just caused the dm to continue to query the usermapper's exisiting entries, just not to add new entries.One thing I did notice though is that I had to query LDAP for the UID via 'server_ldap server_2 -lookup -uid ' before I could get 'server_ldap server_2 -lookup -name -domain ' to work. I don't think that should be normal operation?But anywho, that should take care of this problem. Now to figure out why NFS is so bloody slow (4Mb/sec MAX copy rate ).Thanks again everyone for the replies. Chris

Rainer_EMC · Answer

keep in mind that secmap is a permanent cache - an entry there will never get updated or expire unless you explicitly delete it with server_cifssupport

Celerra

Was this post helpful?