Still more progress but no win yet.
After comparing the ldap options for one filer that does resolve AD users and groups to my flawed simulator, I can now run getXXbyYY and resolve users and groups in the AD. And if I su to the test user I can touch files and folders he owns. But not ones he should have access to by right of a group membership.
Any ideas?
-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Rue, Randy
Sent: Thursday, April 10, 2014 10:24 AM
To: Michael Bergman; Toasters
Subject: RE: nfs.authsys.extended_groups_ns.enable?
Should clarify I meant NFSv3. Typo.
I hadn't thought about that. Under this new scheme (the filer is ignoring the group information included via RPC in NFSv3 and instead getting an AD lookup for the user), where is the system mapping POSIX groups to/from AD groups?
But I suspect we're not even there yet. I'd like to get the 8.2 filer to recognize the AD users and see if I'm still broken.
-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Michael Bergman
Sent: Thursday, April 10, 2014 9:52 AM
To: Toasters
Subject: Re: nfs.authsys.extended_groups_ns.enable?
Randy Rue wrote:
The real filer that I'm trying to add this to has so far only been serving NFS/unix even though CIFS is enabled and it's added to our AD. But so far it's only serving NFSv2 with auth_sys. Now I'm trying to enable the extended_groups magic and I'm guessing I need to add enough AD capability for users to map between unix and AD accounts. And sure enough, the usermap.cfg file on both the real and simulated filers is the default.
To make the mapping actually happen (user mapping is fine, but where's your UNIX group info? Nowhere? In MS AD somehow?) you might need to actually CIFS share the data paths you have NFS exported. I'm not sure, it could be enough to just have the CIFS service active and correctly configured in the vfiler in Q.
auth_sys is depending on UID & GID which come in inside the NFS packets. There's no translation or lookups anywhere taking place. It's the same for NFSv3 as v2, NFSv4 is different. So in a basic setup, there's no NIS or MS AD lookups taking place for anything that has to do with File Level ACLs *provided* you have unix style security for your data (which you have).
So far so good.
Now you've done this:
nfs.authsys.extended_groups_ns.enable on
nfs.max_num_aux_groups 64 (or whatever)
Suddenly everything changes. Now ONTAP has to look up the user corresponding to the UID in the NFS packet, in group. Either NIS group or in /etc/group in the machine (if all this works via /etc/nsswitch.conf, I'm not sure as I've never tried it.)
It will then replace all the GIDs it got in the NFS packet that came in, with what it found in group. N.B. this includes the users primary GID :-(
I don't know if there's any connection to any MS AD "groups" in all this, if not then you can never get this to work the way you want. user <-> user mappings in usermap.cfg fine, but if you don't have any UNIX users anyway, neither in NIS nor in /etc/passwd & /etc/group in the filer, there's not really anything for the mapping function to do.
Regards, /M
Added this to the usermap.cfg file:
NTDOM* == *
Where NTDOM is our AD domain. This should map NTDOM\whoever to the unix whoever in both directions? Rebooted the simulator to make sure this took effect. Still no luck.
Another new clue, running "getXXbyYY getpwbyname_r whoever" at the shell on the filer returns "Could not get passwd entry for name = whoever." Sure looks like the filer is not resolving AD accounts. And sure enough, if I run that command on the NFS-only filer that I'm trying to add extended_groups to, I get the same error. And if I run it on yet a different filer that's running multiprotocol, the user resolves.
What step have I missed?
Randy in Sunny Seattle
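To make Michael's explanation concrete, here is a small model of what nfs.authsys.extended_groups_ns.enable changes about the identity the filer acts on. It is an added example written for this page, not code from the thread or from NetApp. It assumes passwd(5)/group(5)-style content as the filer's name service (the sample entries are constructed), and it models the case where the uid cannot be resolved (the getXXbyYY failure Randy hit) as "no credential", which is an assumption, since the thread does not say what ONTAP does then. The point it shows: with plain auth_sys the filer trusts whatever uid/gid list the client put in the RPC, while with the option on every gid, the primary one included, is replaced by what the filer's own group database returns, so the lookup path has to work before group access can.

```python
from dataclasses import dataclass

AUTH_SYS_MAX_AUX = 16  # AUTH_SYS caps the auxiliary gid list in the RPC at 16 (RFC 5531)


@dataclass
class AuthSysCred:
    """The identity an NFSv2/v3 AUTH_SYS request carries; nothing in it is verified."""
    uid: int
    gid: int
    aux_gids: list


# Constructed sample content standing in for the filer's /etc/passwd and /etc/group
# (or the equivalent NIS maps). Names and ids are made up for this example.
PASSWD = """\
whoever:x:1001:100:Test User:/home/whoever:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh
"""
GROUP = """\
users:x:100:
eng:x:2001:whoever,alice
qa:x:2002:alice
"""


def parse_passwd(text):
    """uid -> (name, primary gid), from passwd(5)-style lines."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        db[int(uid)] = (name, int(gid))
    return db


def parse_group(text):
    """List of (gid, set of member names), from group(5)-style lines."""
    db = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":")
        db.append((int(gid), {m for m in members.split(",") if m}))
    return db


def extended_groups(cred, passwd, groups, max_aux=64):
    """Credential the filer acts on once extended_groups_ns is enabled, following the
    explanation in the thread: the uid is looked up, and every gid that arrived in the
    packet, the primary one included, is replaced by what the group database says.
    max_aux plays the role of nfs.max_num_aux_groups. Returns None when the uid cannot
    be resolved; that behaviour on lookup failure is an assumption of this model.
    """
    if cred.uid not in passwd:
        return None
    name, primary = passwd[cred.uid]
    aux = [gid for gid, members in groups if name in members and gid != primary]
    return AuthSysCred(cred.uid, primary, aux[:max_aux])


def group_grants_access(cred, file_gid):
    """Would the group permission bits on a file owned by file_gid apply to cred?"""
    return cred is not None and (cred.gid == file_gid or file_gid in cred.aux_gids)


if __name__ == "__main__":
    passwd, groups = parse_passwd(PASSWD), parse_group(GROUP)
    # The client asserts membership in qa (2002); the filer's group db does not back that.
    client = AuthSysCred(1001, 100, [2001, 2002])
    print("plain auth_sys  :", client, group_grants_access(client, 2002))
    server = extended_groups(client, passwd, groups)
    print("extended_groups :", server, group_grants_access(server, 2002))
    # A uid with no passwd entry leaves nothing to rebuild the group list from.
    print("unresolvable uid:", extended_groups(AuthSysCred(4242, 100, [2001]), passwd, groups))
```

Run as a script it prints the three cases side by side: the client-asserted credential, the rebuilt one (qa dropped because the filer's group file does not list the user there), and the unresolvable uid. Feeding it a passwd/group dump from a filer where getXXbyYY does resolve, versus one where it does not, gives the same contrast the thread is chasing.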
_______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters