On 2013-03-19 02:54, James Relph wrote:
> Hi all,
> I'm guessing this is a bug in idmap, but can someone just confirm if they have
> ever seen this
> # idmap list
> add wingroup:administrators@DOMAIN.LOCAL unixgroup:winadm
I think we hit this years ago in one SXCE installation, and just
forced lowercase domain names with entries like this (there are many
per-user definitions also; I am not sure if they are the real key to
success):
add winname:Guest@thumper unixuser:nobody
add winuser:Administrator@thumper unixuser:root
add wingroup:*@domain.ru unixgroup:*
add winuser:*@domain.ru unixuser:*
add "wingroup:Domain us...@domain.ru" unixgroup:staff
add "wingroup:Domain adm...@domain.ru" unixgroup:sysadmin
The LDAP-defined (or local /etc/passwd) POSIX users and Windows MSAD
user textual names are kept in sync (manually so far; could be with
a replication script or with Sun DSEE IdSyncWin component or an IDM
system), so mappings work quite well - the Windows users access kCIFS
on the "\\thumper" and thanks to NFSv4 ACLs (manageable from Windows
too) have access to the non-individual shares, including those where
several admins can change distribs and so on. Files and directories
are owned by the initial uploader or even a local root, but manageable
by any admin. Proper inheritable ACL setup was a pain, and basically
anything under a given "root" has one policy (distribs, incomings,
a single user's home, etc), but works. Maintenance was scripted to
occasionally go over new files (i.e. make executable the unix binaries
and non-executable the data file types, etc.)
Integration of ZFS snapshots with Shadow Copies (Previous Versions)
works, as well as direct access to (hidden) .zfs/ subdirs where
available.
Also in /etc/krb/krb5.conf we defined both upper and lower cases,
obfuscated snippets follow:
[libdefaults]
# default_realm = ___default_realm___
default_realm = DOMAIN.RU
[realms]
DOMAIN.RU = {
default_domain = DOMAIN.RU
default_domain = domain.ru
kdc = pdc.domain.ru
kdc = bdc.domain.ru
admin_server = pdc.domain.ru
admin_server = bdc.domain.ru
kpasswd_server = pdc.domain.ru
kpasswd_server = bdc.domain.ru
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
# ___domainname___ = ___default_realm___
.DOMAIN.RU = DOMAIN.RU
.domain.ru = DOMAIN.RU
domain.ru = DOMAIN.RU
The DNS system is built on BIND; entries for the MSAD domain are manually
defined there after some doc-reading and sniffing for requests. The
MSAD DCs don't even serve DNS, but they are clients of the master
nameserver (BIND) allowed to update it with client hostname entries.
Other hosts use slave replicas of the master name server (errors in
its config and typos in zone files can cause failure of the DNS
server, but won't propagate and cause a network-wide nameless DoS).
HTH,
//Jim Klimov
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
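The following is an added example, not code from the thread or from the OpenIndiana/illumos idmap or Kerberos projects. It models the two lookups the reply relies on: the idmap name-based rules (parsed from the same `add win...:name@domain unix...:name` syntax shown above, including quoted names with spaces and `*` wildcards) and the krb5.conf `[domain_realm]` table that maps a host name to a realm. The matching semantics are a simplified reconstruction and an assumption: Windows names and domains are compared case-insensitively, a fully named rule beats a wildcard, and the realm lookup tries the exact host first and then each parent domain with a leading dot. The rule and realm lines are copied from the message; the two quoted group names and the sample lookups are constructed. The `mixed_case_domains` check flags rules whose domain part is not lowercase, which is the workaround the reply describes, so a mapping set can be linted before it is loaded.

```python
"""Added example, not from the thread: a small model of the two name lookups
discussed in Jim Klimov's reply, the idmap name-based mapping rules and the
krb5.conf [domain_realm] table.  Matching semantics are a simplified
reconstruction (assumption), not the Solaris idmap or Kerberos library code.
Rule and realm lines are taken from the message; the quoted group names and
the sample lookups are constructed."""
import shlex
from dataclasses import dataclass

# Rules from the message (the two quoted group names are constructed stand-ins),
# plus the uppercase-domain rule from the question being replied to.
IDMAP_RULES = """\
add wingroup:administrators@DOMAIN.LOCAL unixgroup:winadm
add winname:Guest@thumper unixuser:nobody
add winuser:Administrator@thumper unixuser:root
add wingroup:*@domain.ru unixgroup:*
add winuser:*@domain.ru unixuser:*
add "wingroup:Storage Users@domain.ru" unixgroup:staff
add "wingroup:Storage Admins@domain.ru" unixgroup:sysadmin
"""

# [domain_realm] section from the message, both spellings listed.
DOMAIN_REALM = {".DOMAIN.RU": "DOMAIN.RU", ".domain.ru": "DOMAIN.RU", "domain.ru": "DOMAIN.RU"}

WIN_KINDS = ("winname", "winuser", "wingroup")
UNIX_KINDS = ("unixuser", "unixgroup")


@dataclass(frozen=True)
class Rule:
    win_kind: str    # winname (either), winuser or wingroup
    win_name: str    # account name or "*"
    win_domain: str  # NetBIOS or DNS domain exactly as written in the rule
    unix_kind: str   # unixuser or unixgroup
    unix_name: str   # POSIX name or "*" (same name as the Windows side)


def parse_rule(line):
    """Parse one 'add win...:name@domain unix...:name' line; shlex handles quoted names with spaces."""
    parts = shlex.split(line)
    if len(parts) != 3 or parts[0] != "add":
        raise ValueError(f"unsupported rule: {line!r}")
    win_kind, _, win_id = parts[1].partition(":")
    unix_kind, _, unix_name = parts[2].partition(":")
    if win_kind not in WIN_KINDS or unix_kind not in UNIX_KINDS or not unix_name:
        raise ValueError(f"bad identity spec: {line!r}")
    win_name, at, win_domain = win_id.rpartition("@")
    if not at or not win_name or not win_domain:
        raise ValueError(f"windows identity needs name@domain: {line!r}")
    return Rule(win_kind, win_name, win_domain, unix_kind, unix_name)


def parse_rules(text):
    """Parse a block of rule lines, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def resolve(rules, win_kind, name, domain):
    """Map a Windows user ('winuser') or group ('wingroup') to a POSIX name.
    Assumed semantics: Windows names and domains compare case-insensitively,
    a fully named rule beats a '*' wildcard, and the first match wins otherwise."""
    want_unix = "unixuser" if win_kind == "winuser" else "unixgroup"
    exact, wild = [], []
    for r in rules:
        if r.win_kind not in ("winname", win_kind) or r.unix_kind != want_unix:
            continue
        if r.win_domain.lower() != domain.lower():
            continue
        if r.win_name == "*":
            wild.append(r)
        elif r.win_name.lower() == name.lower():
            exact.append(r)
    for r in exact + wild:
        return name if r.unix_name == "*" else r.unix_name
    return None


def mixed_case_domains(rules):
    """The workaround check from the reply: rules whose domain part is not all lowercase."""
    return [r for r in rules if r.win_domain != r.win_domain.lower()]


def host_realm(domain_realm, hostname, case_sensitive=True):
    """Find the realm for a host the way [domain_realm] is consulted here: the
    exact host name first, then each parent domain with a leading dot.  Whether
    the comparison is case-sensitive is left as a parameter (assumption);
    listing both spellings, as the message does, works either way."""
    table = domain_realm if case_sensitive else {k.lower(): v for k, v in domain_realm.items()}
    host = hostname if case_sensitive else hostname.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for c in candidates:
        if c in table:
            return table[c]
    return None


if __name__ == "__main__":
    rules = parse_rules(IDMAP_RULES)
    print(resolve(rules, "winuser", "guest", "THUMPER"))              # nobody
    print(resolve(rules, "wingroup", "Storage Admins", "domain.ru"))  # sysadmin
    print([r.win_domain for r in mixed_case_domains(rules)])          # ['DOMAIN.LOCAL']
    print(host_realm(DOMAIN_REALM, "pdc.domain.ru"))                  # DOMAIN.RU
    print(host_realm({".DOMAIN.RU": "DOMAIN.RU"}, "pdc.domain.ru"))   # None
```

The last two calls show why the message lists `.DOMAIN.RU`, `.domain.ru` and `domain.ru` together: under a case-sensitive lookup only the spelling that matches the host name as presented resolves, and the dotted entry alone never matches the bare domain name, so the apex needs its own line.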