November 27th, 2015 03:00
Isilon OneFS Query - User Mapping
Hi,
I have an Isilon Cluster which I am using to share files between our Windows and Linux worlds. At present we have two Zones set up, the default System zone which is tied to one AD and a second Zone that is joined to our corporate AD.
I therefore have multiple authentication providers set up, two AD providers with an extra NIS pool serving the Linux community. I currently have the NIS provider added to both zones.
Zone 1: AD & NIS
Zone 2: Corporate AD & NIS
I would like to set up username mapping between the two authentication providers on Zone 2, so that *if* there is a commonality in the user names between AD and NIS, the Isilon will perform mapping between the two. I would have expected this to happen automagically, but the behavior does not reflect this.
At present if I create a file on the Linux world, it does indeed map to the AD account when I look at the security properties on Windows.
If I create a file on Windows, when I look at the file on Linux it is mapped to a random auto-generated UID.
I'd like the mapping to be bi-directional but this does not seem to work, even if I set up a mapping rule in the "User Mapping" section of Membership & Roles.
Can anyone tell me what I'm doing wrong?
Thanks,
John.



carlilek
November 27th, 2015 04:00
What's your on-disk identity set to? How about your ACL settings?
Peter_Sero
November 27th, 2015 06:00
What exact type of mapping are you using? The bi-directional mapping is achieved by the "Join" mapping type.
-- Peter
JFlann
November 27th, 2015 07:00
Hi Carlilek,
On-Disk Identity is set to native.
ACL is set to balanced.
Regards,
John.
JFlann
November 27th, 2015 07:00
Hi Peter_Sero,
I am using the Join for the mapping.
I tried adding a map for my username on both the zones.
It seems to ignore it completely, and always creates files in Windows with the autogenerated UID.
: (
Thanks,
John.
carlilek
November 27th, 2015 09:00
Also, in AD settings, what are your settings under "If no UID is present..." and "If no GID is present..."?
carlilek
November 27th, 2015 10:00
Hi John,
If the user mapping has already been (incorrectly) established, you will need to delete that mapping when you make the change to the mode you're using; otherwise it decides that how it is is how it should be. So use isi auth mapping delete --2way --source-sid= --target-uid=
Then try again and see if it maps correctly.
--Ken
JFlann
November 30th, 2015 01:00
Thanks to everyone for all the constructive suggestions. I'll be throwing some time at this today to try and come to a resolution. I'll make sure I come back with the resolution, and hopefully save someone else the pain .....
: )
JFlann
November 30th, 2015 06:00
Right! I think I'm almost there!!
I enabled SFU on the corporate domain within the advanced settings for the AD provider. Then I created a file on Windows and BOOM ... the username got mapped when I check the file properties in Linux. It did not however map the GID, and I fretted about this for all of a minute ... then realised that none of the AD groups actually exists in Linux so there is nothing to map to.
Will do some further testing and see if the GID mapping is working as well.
Thanks to ALL for the constructive suggestions. Although no one actually suggested switching on SFU, I would not have spotted that option without being pointed to the AD settings.
Cheers,
John.