April 3rd, 2022 01:00
Isilon Ldap samba authenticating issue
Hi,
We have a cluster of X400 nodes, still on OneFS 7.1.1.11.
We have an Xserve macOS LDAP server. OneFS is connected to it, and I can list the users and groups from the LDAP server in the web GUI.
The issue is that I can't mount any of the SMB mount points I created from Linux, Win or Mac; I get a permission denied error if I try to mount with a network user's credentials. I created local users on the cluster and was able to SMB mount with these local users' credentials, but I need to be able to do the same with network users' credentials from the LDAP server.
I found a manual on how to set it up, but I can't get it to work.
Could someone please help me solve this issue?
Many thx
Phil.Lam
3 Apprentice
•
625 Posts
0
April 26th, 2022 15:00
@AndrewF76, I found this old doc for OneFS 7.x and Mac, "using-mac-os-x-clients-with-isilon-onefs-7x.pdf"; google it.
DELL-Sam L
Moderator
•
7.8K Posts
0
April 4th, 2022 12:00
Hello AndrewF76,
Here are a few links to some KBs that may be of assistance.
https://dell.to/37hFgzZ
https://dell.to/3KgHjDm
https://dell.to/35D4Hvs
AndrewF76
46 Posts
0
April 5th, 2022 07:00
Hi Sam,
As the manual from the first link suggests, I added the sambaNTPassword, but it seems that didn't help.
The LDAP server supports NTLM v1 and v2.
The configs are:
gyar-1# isi auth ldap view --provider-name=xserve01.local
Name: xserve01.local
Base DN: dc=xserve01,dc=local
Server Uris: ldap://192.168.100.30
Status: online
Alternate Security Identities Attribute:
Authentication: Yes
Balance Servers: No
Bind DN:
Bind Timeout: 10
Cache Entry Expiry: 15m
Certificate Authority File:
Check Online Interval: 3m
CN Attribute: cn
Create Home Directory: No
Crypt Password Attribute:
Email Attribute: mail
Enabled: Yes
Enumerate Groups: Yes
Enumerate Users: Yes
Findable Groups: -
Findable Users: -
GECOS Attribute: gecos
GID Attribute: gidNumber
Group Base DN:
Group Domain: LDAP_GROUPS
Group Filter: (objectClass=posixGroup)
Group Members Attribute: memberUid
Group Search Scope: default
Home Directory Template:
Homedir Attribute: homeDirectory
Ignore TLS Errors: No
Listable Groups: -
Listable Users: -
Login Shell:
Member Of Attribute:
Name Attribute: uid
Netgroup Base DN:
Netgroup Filter: (objectClass=nisNetgroup)
Netgroup Members Attribute: memberNisNetgroup
Netgroup Search Scope: default
Netgroup Triple Attribute: nisNetgroupTriple
Normalize Groups: No
Normalize Users: No
Nt Password Attribute: sambaNTPassword
Ntlm Support: all
Provider Domain:
Require Secure Connection: No
Restrict Findable: No
Restrict Listable: No
Search Scope: subtree
Search Timeout: 100
Shell Attribute: loginShell
UID Attribute: uidNumber
Unfindable Groups: -
Unfindable Users: -
Unique Group Members Attribute:
Unlistable Groups: -
Unlistable Users: -
User Base DN:
User Domain: LDAP_USERS
User Filter: (objectClass=posixAccount)
User Search Scope: default
gyar-1#
gyar-1# isi smb settings global view
Access Based Share Enum: No
Dot Snap Accessible Child: Yes
Dot Snap Accessible Root: Yes
Dot Snap Visible Child: No
Dot Snap Visible Root: Yes
Enable Security Signatures: No
Guest User: nobody
Ignore Eas: No
Onefs Cpu Multiplier: 4
Onefs Num Workers: 0
Require Security Signatures: No
Server String: isilon server
Srv Cpu Multiplier: 4
Srv Num Workers: 0
Support Multichannel: Yes
Support NetBIOS: Yes
Support Smb2: Yes
gyar-1# isi smb settings shares view
Access Based Enumeration: No
Access Based Enumeration Root Only: No
Allow Delete Readonly: No
Allow Execute Always: No
Change Notify: norecurse
Create Permissions: default acl
Directory Create Mask: 0775
Directory Create Mode: 0775
File Create Mask: 0775
File Create Mode: 0775
Hide Dot Files: No
Host ACL: -
Impersonate Guest: never
Impersonate User:
Mangle Byte Start: 0XED00
Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
Ntfs ACL Support: Yes
Oplocks: Yes
Strict Flush: Yes
Strict Locking: No
gyar-1#
The permission check from the 3rd link isn't working; the syntax isn't correct:
gyar-1# isi auth mapping token --name=VMTEST\\testuser1 -v
unknown option name
Usage:
isi auth mapping token { | --uid | --kerberos-principal }
[--zone ]
[--primary-gid ]
[--gid ]
[{--help | -h}]
See 'isi auth mapping token --help' for more information.
So I'm still stuck...
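A check for the directory side of the settings posted above, as an added example that is not part of the original thread and not Dell's code: it reads the lookup-related lines of the `isi auth ldap view` output and tests LDIF entries against the user filter and the NT password attribute, because an NTLM logon over SMB can only be verified when the entry carries an NT hash. The LDIF users and the hash value are constructed, and treating every `Ntlm Support` value other than `none` as NTLM-enabled is an assumption.

```python
import re

# Constructed excerpt of the `isi auth ldap view` output posted in the thread.
PROVIDER_VIEW = """\
Name Attribute: uid
Nt Password Attribute: sambaNTPassword
Ntlm Support: all
User Filter: (objectClass=posixAccount)
"""
# Constructed LDIF for two hypothetical users; the hash is a dummy value.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=xserve01,dc=local
objectClass: posixAccount
uid: alice
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=bob,cn=users,dc=xserve01,dc=local
objectClass: posixAccount
uid: bob
"""

def parse_pairs(block):
    """Collect 'key: value' lines into {lowercased key: [values]}."""
    out = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out.setdefault(key.strip().lower(), []).append(value.strip())
    return out

def check_entry(entry, cfg):
    """List reasons an entry would fail user lookup or NTLM authentication."""
    problems = []
    m = re.fullmatch(r"\(objectClass=(\w+)\)", cfg["user filter"][0])
    if m and m.group(1).lower() not in [c.lower() for c in entry.get("objectclass", [])]:
        problems.append("not matched by user filter")
    nt = entry.get(cfg["nt password attribute"][0].lower(), [""])[0]
    # Assumption: any "Ntlm Support" value other than "none" means NTLM is in use.
    if cfg["ntlm support"][0] != "none" and not re.fullmatch(r"[0-9A-Fa-f]{32}", nt):
        problems.append("no NT hash")
    return problems

def audit(view_text, ldif_text):
    """Map each entry's name attribute to its list of problems."""
    cfg = parse_pairs(view_text)
    entries = [parse_pairs(b) for b in re.split(r"\n\s*\n", ldif_text.strip())]
    return {e.get(cfg["name attribute"][0].lower(), ["?"])[0]: check_entry(e, cfg) for e in entries}

print(audit(PROVIDER_VIEW, SAMPLE_LDIF))
```

Feed it an LDIF export of the affected accounts in place of `SAMPLE_LDIF`; base64-encoded (`::`) and folded LDIF lines are not handled.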
DELL-Sam L
Moderator
•
7.8K Posts
0
April 5th, 2022 12:00
Hello AndrewF76,
For this issue it is best to open a support case so that we can take a deeper look into your issue.
AndrewF76
46 Posts
0
April 5th, 2022 22:00
Hi Sam,
We don't have a support contract on this cluster; it's not the latest model... I think that contacting support would be a bit too expensive, but I might be wrong.
Maybe, if someone is willing to help us privately, they could contact me...
Andrew
AndrewF76
46 Posts
0
April 6th, 2022 00:00
Hi Sam,
Is there a log file on the Isilon that might be worth checking to see what is the reason (error message) for not mounting with smb?
Thx
Best
Andrew
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 10:00
@AndrewF76,
try
isi auth mapping token --user=VMTEST\\testuser1 -v
AndrewF76
46 Posts
0
April 6th, 2022 11:00
I was planning to do an upgrade to 8.1.2 but I'm not sure about the licenses; I read that when upgrading to 8.1.x.x I need to request new licenses.
gyar-3# isi auth mapping token --user=testuser1
Failed to map user 'testuser1': No such user
gyar-3#
AndrewF76
46 Posts
0
April 6th, 2022 11:00
Hi,
gyar-3# isi auth mapping token --user=VMTEST\\testuser1 -v
unknown option v
Usage:
isi auth mapping token { | --uid | --kerberos-principal
}
[--zone ]
[--primary-gid ]
[--gid ]
[{--help | -h}]
See 'isi auth mapping token --help' for more information.
gyar-3#
gyar-3# isi auth mapping token --user=VMTEST\\testuser1
Failed to map user 'VMTEST\testuser1': No such user
gyar-3#
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 11:00
@AndrewF76
upgrade to OneFS 8.1.2
try
isi auth mapping token --user=testuser1
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 17:00
@AndrewF76,
What OneFS do you have now? The upgrade should preserve your existing licenses.
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 17:00
Upgrading to OneFS 8.0.0.x to avoid OneFS 8.1 "unsigned" licensing would be best.
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 17:00
https://www.dell.com/community/Isilon/Isilon-license-key-issue/m-p/7706381
...
However, if your licenses have been issued for OneFS 7.x and after reformatting you have installed OneFS 8.x, the licenses cannot be activated on the new system. They would have been migrated automatically with a regular OneFS upgrade, though.
hth
-- Peter
Phil.Lam
3 Apprentice
•
625 Posts
0
April 6th, 2022 18:00
@AndrewF76,
Did you add LDAP xserve01.local to the zone System auth providers?
[lamp@elvis 2022-03-24-001]$ cat local/isi_auth |more
/usr/bin/isi zone zones list --verbose
Name: System
Path: /ifs
Cache Size: 9.54M
Map Untrusted:
Auth Providers: - <--empty
NetBIOS Name:
All Auth Providers: Yes
User Mapping Rules: -
Home Directory Umask: 0077
...
AndrewF76
46 Posts
0
April 6th, 2022 22:00
7.1.1.11