[OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)
Hi,

I've got a server hooked up to a 2003 AD and CIFS and netatalk are both allowing AD users to login (netatalk 3 via PAM). One thing that's a bit puzzling is that the afpd process correctly gets the correct username mapping (and shows up as being owned by the correct user with a ps listing), but whatever the user writes is only written as UID 60001 (ie. nobody).

Has anyone got netatalk (or anything in fact) to use the same mapping that the CIFS service uses? I assumed at first that this may not be possible, but the fact that the actual afpd process does seem to be run under the correct UID seems to suggest that the mapping is at least going on.

Thanks,

James.

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)
> I've got a server hooked up to a 2003 AD and CIFS and netatalk are both
> allowing AD users to login (netatalk 3 via PAM). One thing that's a bit
> puzzling is that the afpd process correctly gets the correct username mapping
> (and shows up as being owned by the correct user with a ps listing), but
> whatever the user writes is only written as UID 60001 (ie. nobody).

Update time; after a further dig I assume that the reason the UID isn't being written to the filesystem is due to this (from the idmap man page):

"To prevent aliasing problems, all file systems, archive and backup formats, and protocols must store SIDs or map all UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody user and group."

So, the question becomes, is it possible to get OpenIndiana to store the SIDs for users, and if not, why will it store the GID as correctly mapped, but the UID is translated to 60001? I can get around this with static maps, but obviously that's not ideal based on duplicating the AD user listing (can be scripted at least).

What's even weirder is that the CIFS server happily stores the UID in the filesystem even if the ephemerally mapped UID is in the 2^31 to 2^32 range. Very, very odd.

Any insight gratefully appreciated!

James.
[OpenIndiana-discuss] Code Bounty (Active Directory Integration)
As may have become obvious from my last few posts we've been looking at Active Directory integration for the past few weeks (and pretty hard for the past week). Obviously the CIFS server integration with AD seems pretty reasonable straight out of the box, but other services that want to use AD user details (e.g. netatalk in our case - NetAFP have been very helpful in looking into this with us) seem to have pretty poor integration unless you go towards LDAP integration with AD (that means either modifying the AD schema or something like IDMU - which means touching the AD again).

We have a pretty big interest in getting something working that doesn't involve touching the AD too much, as that can immediately put off the Windows admins we tend to deal with. Ideally something with a similar featureset to the Mac OS X AD plugin would be ideal (obviously that's a system we know well!). The OS X plugin doesn't require any changes to the AD schema for general operation and can immediately be used by other services/applications on the local system without any further work.

If anyone is interested in looking into improving the AD integration in OpenIndiana, if you drop me an email we can discuss a project bounty on this. We've got a potentially reasonably large budget for funding work on this as we can see some business opportunities that this would make significantly easier.

Thanks,

James.
Re: [OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)
> I would say, OpenIndiana/ Solaris (as a fileserver) is useless without its
> Windows compatible Snap, ACL and CIFS features. These are the killer
> arguments to use OI/ Solaris widely - the most compatible Windows-server
> on Unix.

I think the only thing you're missing moving to SAMBA+winbindd is the VSS integration? The snapshots are still there and all the other ZFS features, you just lose the right-click - restore previous versions option (which most enterprises seem to disable for clients anyway).

James.
Re: [OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)
> The problem that must be solved:
> a File created from CIFS must have the same owner SID/ ACL/ UID/ GID
> like those created with netatalk. (interoperability)

The thing is that surely that's an API or system level requirement - it shouldn't be up to each server application to reverse-engineer what the CIFS/NFS server is already doing. If the capability exists in the CIFS/NFS server then it would seem to make more sense to expose that as a usable feature for any server/process.

My experience is obviously more from the OS X side, but basically once an OS X client is hooked up to an AD it just becomes a secondary search path via DirectoryService, and OS X transparently maps the UID/GID for any process - without any need for changes to the AD (either schema or IDMU).

We've started using OpenIndiana primarily for ZFS but we've found a lot of fantastic features as we've gone along (zones, crossbow etc.) and it is certainly a far stronger server platform than anything Apple have done recently. However, I've got to say that I think OS X has a far, far better approach to managing foreign directories - and it may be worth looking at that as a possible example of a really strong system for working in heterogeneous environments. I think it could be massively useful and as I've said in another email we've got some resources we could throw at this for a developer that thinks they can get something a little bit neater - because it really feels a bit strange that at the moment the native AD integration is significantly better for just CIFS/NFS than for any other process.

James.
Re: [OpenIndiana-discuss] Solaris privileges and seteuid()
Hi Frank,

> ...
> To prevent aliasing problems, all file systems, archive and
> backup formats, and protocols must store SIDs or map all
> UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody
> user and group.
> ...

I guess my question from that after seeing what Gea has said is the "must store SIDs *or* map all UIDs", which makes me wonder if there's an easy way to store the SIDs that then lets you write the UIDs. That's obviously what the CIFS client is doing, but it's whether there's an API to do that.

James.
Re: [OpenIndiana-discuss] Solaris privileges and seteuid()
> I haven't wrapped my head around what Gea tried to describe, so I
> can't really comment on that but afaict it's woolly thinking (tm).
> Shoop!
> However, I think I was able to solve the problem described here (it
> seems seteuid(0) is not enough if your effective gid is an ephemeral
> one, after setegid(0) too the afpd process can call chown() at will),
> which would mean the problem (at least for Netatalk) is solved: all
> files and dirs created by Netatalk processes by an AD user have their
> owner and group set to uid and gid of the AD user, not nobody.

That's interesting, although it'll give me a headache trying to work out which method would be best (definitely pluses and minuses to the built-in method, and to SAMBA).

The ephemeral mappings are the bit that is somewhat confusing. From what I've been reading, it sounded like what it does is to actually store the SID on-disk and convert that on the fly to an ephemeral UID. That might mean that the non-persistence of the ephemeral IDs across reboots doesn't matter (as the SID itself is still stored), but it's hard working out from the documentation exactly what's going on.

James.
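As an added illustration (not code from this thread, from Netatalk or from illumos) of two points raised in it, the 2^31 to 2^32 - 2 ephemeral range quoted from the idmap man page earlier and the finding above that seteuid(0) alone is not enough and setegid(0) is also needed before chown() succeeds: the function names are constructed, and the privilege bracket assumes it runs inside a process that already holds saved-set-UID 0, as a setuid daemon like afpd would.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Range quoted from idmap(1M) in the thread: ephemeral UIDs/GIDs occupy
 * 2^31 .. 2^32-2. 2^32-1 is excluded because it is (uid_t)-1, the
 * "leave unchanged" value that chown(2) accepts. */
#define EPHEMERAL_MIN ((uint32_t)1u << 31)
#define EPHEMERAL_MAX (UINT32_MAX - 1u)

/* Returns 1 if the ID is in the ephemeral range, 0 otherwise. An
 * application that persists such an ID (its own database, an archive
 * format) records a value that may not survive a reboot or a cache expiry. */
int is_ephemeral_id(uint32_t id)
{
    return id >= EPHEMERAL_MIN && id <= EPHEMERAL_MAX;
}

/* Run chown() with root credentials for the shortest possible window.
 * Per the finding in the thread, raising the effective UID alone is not
 * enough when the effective GID is ephemeral, so BOTH euid and egid are
 * set to 0 around the call and both are restored afterwards.
 * Returns chown()'s result (0, or -1 with errno set); -1 with errno from
 * seteuid()/setegid() if the process has no privilege to raise to.
 * Constructed helper: assumes a saved-set-UID of 0 is available. */
int chown_with_privilege_bracket(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc, saved_errno;

    if (seteuid(0) != 0)
        return -1;                       /* cannot raise: fail closed */
    if (setegid(0) != 0) {
        saved_errno = errno;
        (void)seteuid(saved_uid);
        errno = saved_errno;
        return -1;
    }

    rc = chown(path, uid, gid);
    saved_errno = errno;

    /* Drop group first, then user: once euid is non-zero again the
     * process may no longer be allowed to change its egid. */
    if (setegid(saved_gid) != 0 || seteuid(saved_uid) != 0)
        abort();                         /* never carry on as root by accident */

    errno = saved_errno;
    return rc;
}

/* Self-check: 1 if both effective IDs are the same after the bracket as
 * before it, whatever chown() itself returned. */
int bracket_restores_ids(const char *path)
{
    uid_t u = geteuid();
    gid_t g = getegid();

    (void)chown_with_privilege_bracket(path, 1000, 1000);
    return geteuid() == u && getegid() == g;
}

int main(int argc, char **argv)
{
    /* Constructed sample: nobody (60001), first and last ephemeral IDs, and -1. */
    const char *path = argc > 1 ? argv[1] : "/nonexistent/constructed-example";
    uint32_t sample[] = { 60001u, 2147483648u, 4294967294u, 4294967295u };
    size_t i;

    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("id %10u ephemeral=%d\n", (unsigned)sample[i],
               is_ephemeral_id(sample[i]));

    if (chown_with_privilege_bracket(path, 1000, 1000) != 0)
        perror("chown_with_privilege_bracket");
    printf("ids restored: %d\n", bracket_restores_ids(path));
    return 0;
}
```

Without a saved UID of 0 the bracket fails closed on seteuid(0) and leaves the credentials untouched, which is the behaviour a non-root test run exercises.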
Re: [OpenIndiana-discuss] Code Bounty (Active Directory Integration)
Hi Gordon,

Apologies, missed this the other day.

> My advice would be to make it easier to use IDMU. The modifications to AD
> to support IDMU are quite widely accepted these days, at least in
> organizations that have both Windows and *nix.

The problem is that some of the organisations we're used to integrating Mac clients with (tend to be FTSE companies) often are pretty much straight Windows shops, so anything that deviates from their standard is *really* hard to get through change control (especially now where we've been deploying Macs for years that "just work" with AD (to a fairly decent extent)).

It sounds like Sun were actually looking at something like Mac OS X's handling of external directories at some point (from here: https://blogs.oracle.com/nico/entry/dealing_with_windows_sids_in ), but they obviously went the other way. I think now I've got a better understanding of ephemeral IDs (thanks for the confirmation by the way) then they make more sense, yet it still feels a little like the easier route was taken on the development side, leaving a slightly more complicated situation on the administrator side.

Thanks,

James.
Re: [OpenIndiana-discuss] Solaris privileges and seteuid()
> Yes, ephemeral IDs are temporary representations of Security Identifiers
> (SIDs). The idmapd(1m) daemon maintains these in a cache, with time-to-live
> (TTL) based expiration. There's a library API for turning an ephemeral ID
> back into a SID - see: idmap_get_sidbyuid
> http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libidmap/common/idmap_api.c

Thanks very much for that confirmation, really doesn't seem obvious in a lot of the documentation! I don't have a system handy to test today (will do over the weekend) but I'll try and get a better idea of how that works over the weekend (in particular after a reboot, what UID/GID will a file/folder show (ie. with ls) until the same user logs in again and the new ephemeral mapping is created?).

Thanks again,

James.
Re: [OpenIndiana-discuss] Solaris privileges and seteuid()
> Really? Where is your evidence? I don't think I've ever seen one
> change except after a reboot.

The cache TTL for idmap is only 10 minutes from what I've seen ( http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ). I read somewhere (sorry, can't find the source at the moment) that while a user is logged in their ephemeral UID won't change, but that may only apply to users logged in via the kernel CIFS server and I can't see anything that suggests that the mappings are returned after the TTL period on the idmap cache.

I really don't understand why the ephemeral UIDs are quite so ephemeral (certainly keeping them static between reboots seems a bit of a minimum).

Honestly would be willing to put up a respectable bounty if anyone wants to have a go at improving the AD integration!

James.
Re: [OpenIndiana-discuss] Solaris privileges and seteuid()
> The cache TTL for idmap is only 10 minutes from what I've seen (
> http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ).
> I read somewhere (sorry, can't find the source at the moment) that while a
> user is logged in their ephemeral UID won't change, but that may only apply
> to users logged in via the kernel CIFS server and I can't see anything that
> suggests that the mappings are returned after the TTL period on the idmap
> cache.
>
> I really don't understand why the ephemeral UIDs are quite so ephemeral
> (certainly keeping them static between reboots seems a bit of a minimum).
>
> Honestly would be willing to put up a respectable bounty if anyone wants to
> have a go at improving the AD integration!
>
> James.

Obviously not getting much of a bite in terms of a bounty on this, so is anyone aware of any developers who specialise in OI development who we could look at contracting for this?

Thanks,

James.
Re: [OpenIndiana-discuss] "OpenIndiana lead Alasdair Lumsden resigns"
> That will require a better groomed Netatalk package & SMF manifest.
> Right now that's a slightly messy thing to set up.

This to some extent goes back to something I've been talking about recently. The current version of netatalk (v3) is actually excellent on OI. NetAFP added cross-protocol file locking with the native CIFS client and netatalk will use ZFS xattrs to store Mac xattrs. The actual problem has turned out to be the Windows integration, because it's either:

- Modify the AD schema or use IDMU (making changes to AD is really not popular in a lot of Windows environments)
- Use ephemeral UIDs

NetAFP managed to get ephemeral UIDs working with netatalk, but then they saw an ephemeral UID change while a user was logged in (from the existing documentation that seems possible - but there appears to be no actual definitive documentation stating either way - which is another problem in itself). This changing UID broke netatalk quite badly.

From my point of view both Mac OS X and Linux have far better methods for integrating with Active Directory (without making changes to AD) - and the lack of that in OI is a big turn-off for a lot of Windows admins. OI with netatalk is an awesome AFP server, but for ease-of-deployment the AD integration is a big hurdle, and I think that really needs looking at because AD is so common it's too big to be ignored (which is why Apple spent so much time with the AD plugin for OS X - which is frighteningly easy to setup).

James.
Re: [OpenIndiana-discuss] Illumos as a NAS
> AD issues are going to require someone tenacious, motivated, and a bit
> masochistic as it's historically been a bit of a moving target.

AD seems reasonably stable these days, and in fact the current Illumos strategy works 90% of the way, it's the idmap that actually breaks down because of the approach taken with ephemeral UIDs. It's the only system that I've seen use that approach, and it just seems almost guaranteed to make it difficult for apps that don't have the special hooks that the CIFS server uses. The opendirectoryd (Mac OS X) and winbind approaches seem much more reliable - map a user to a generated UID which will be the same across the domain. Then apps don't need to worry about local or AD users, they just

> Low hanging fruit is to ignore the AD integration for now, make this a good
> NAS for home users without the AD integration issues resolved. Example of a
> common use case: iTunes media library. 2+ TB of music, movies, books,
> podcasts, etc. becomes more than a bit unwieldy to handle natively on a
> Mac, but Illumos is well suited to handle this workload. No AD integration
> is necessary for this use case. Local system auth is "good enough".

The home market is definitely interesting, but from our point of view, Apple have basically stopped selling all but basic server systems, and we're seeing a lot of small/medium businesses (10-50 users) and at the other end of the scale enterprise users (1000+ users) who are looking to replace Xserves. OI with ZFS and netatalk 3 is *awesome* for that (seriously, customers used to Xserves using HFS+ with no snapshotting, native compression, scrubbing etc. see ZFS as almost magical). The problem is that a lot of these companies have an AD of one form of another (SBS or full blown multi-site forests).

We're just viewing this from the perspective of a Mac consultancy, and we're really seeing lots of opportunities that involve AD integration, if you add in the number of full Windows businesses it's a massive potential market. The other thing is - because we've got a commercial opportunity here we're willing to support that kind of development financially - and I've offered bounties (and asked if anyone knows any developers looking for contract work) on this exact problem - and we'd be willing to talk pretty decent amounts - we are seeing a lot of interest in ZFS based systems!

I think that's the main benefit of looking at commercial opportunities like AD integration because you can get businesses willing to fund developments that benefit the entire community (and Linux in particular has benefitted massively from the support of companies like IBM and RedHat).

James.
Re: [OpenIndiana-discuss] Illumos as a NAS
> what about using winbind? Works with Netatalk and I guess it will also
> work with Solaris CIFS.
>
> We haven't been able to get supplementary groups working, but I'm
> pretty sure that could be solved, possibly by installing an updated
> winbind from sources.

Hi Frank,

Winbind worked straight away with netatalk, and was tons more reliable/configurable (you can just give it a UID range to use). The problem was getting the Solaris CIFS server to work with it, which didn't seem to be possible.

James.
Re: [OpenIndiana-discuss] Illumos as a NAS
> really? Can you elaborate? The thing is, I'm in the process of
> compiling an updated winbind from latest Samba sources (and
> documenting that process) in order to test with that if the problems
> with supplementary groups go away and if it works with Solaris CIFS.

After I'd installed winbind and had that up and running, doing a svcadm start smb just put it straight into maintenance mode. I didn't do much investigation beyond that as it wasn't critical at the time, but I assumed there was some kind of conflict in terms of ports. Have you had any luck getting it working?

Best regards,

James.
Re: [OpenIndiana-discuss] Illumos as a NAS
> You need to post and/or analyse the errorlog of the smb service.
> Assuming killed more cats than curiosity ;-)

I know, but this had been a bit of a marathon getting to this point alone, and all I needed at the time was AFP. I will have another look when I get half an hour.

James.
Re: [OpenIndiana-discuss] Illumos as a NAS
> Having winbind and Solaris CIFS joined to AD at the same time can not
> be done by default, as both will try to associate the computer account
> in AD with their own authentication system and change the machine
> password. Back to square one.
> -f

Do you need CIFS to be joined to AD? Can you not just give it winbind as a pam module and leave it in Workgroup mode?

James.
[OpenIndiana-discuss] iSCSI target in a zone
Hi all,

I'm guessing the answer to this is no, but does anyone know if it is possible to get COMSTAR running inside a non-global zone? I've tried a pkg install storage-server (which seems to go OK) but I can't get stmf started up (just not aware of the service) nor iscsi/target. It's not critical but I was trying to find a shortcut to something so I thought it was worth a quick look!

Thanks,

James

Principal Consultant
ACSA 10.5
[OpenIndiana-discuss] iSCSI CHAP Authentication Failure
Hi all,

Bit of a curious one this, but is anyone aware of anything that could cause CHAP authentication failure from certain initiators? We're setting up VMware against a storage box, and for one of the VM initiators it's working fine (can see the LUN no problem). For another initiator, setup the same way, it's giving auth errors. Really strange, host groups look fine, and obviously the first one we setup worked no problem. Do they need to have unique CHAP secrets or should that not cause a problem (clutching at straws a little here).

Thanks in advance,

James

Principal Consultant
Website: www.themacplace.co.uk
Blog: www.themacplace.co.uk/blog.html
[OpenIndiana-discuss] Dying iSCSI Initiator
Hi all,

I wonder if anyone has seen this problem before. We're running OI 151a7 under VMware 5. We had the system go down (hardware failure effectively) and when we brought it back up, it can no longer access any iscsi targets (also OI 151a7, but running on baremetal on the storage side).

The system is actually unresponsive unless I boot with milestone=none and clear the iSCSI configuration. The server can ping, ssh and otherwise connect fine to the storage servers, but we get lots of:

iscsi discovery failure - SendTargets (x.x.x.x)

errors. If I reboot to milestone=none, I can wipe out the iSCSI config and the machine will boot fine. In /var/adm/messages we get:

iscsi session resource is in use

but I can't find anything that seems relevant when searching for that.

I'd be grateful for any tips!

Thanks,

James

Principal Consultant
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] Dying iSCSI Initiator
Hi Gonzalo,

Thanks for the reply. Nothing in the logs on the storage server (which is OI 151a7 so I would expect fairly decent compatibility!), and the IQNs definitely haven't changed. Bit of a puzzler.

James

Principal Consultant
www.themacplace.co.uk

On 30 Nov 2012, at 20:17, Gonzalo Seoane wrote:

> Hi James,
> Could you check any message from storage console?
> Check the initiator iqn name, maybe for some reason change and iscsi group
> on storage side must change.
> Also it's good to know you have scripts from storage vendors who check any
> error on server side and solve it.
> I don't know which one u use ( storage )
> On 30/11/2012 17:08, "James Relph" wrote:
>
>> Hi all,
>>
>> I wonder if anyone has seen this problem before. We're running OI 151a7
>> under VMware 5. We had the system go down (hardware failure effectively)
>> and when we brought it back up, it can no longer access any iscsi targets
>> (also OI 151a7, but running on baremetal on the storage side).
>>
>> The system is actually unresponsive unless I boot with milestone=none and
>> clear the iSCSI configuration. The server can ping, ssh and otherwise
>> connect fine to the storage servers, but we get lots of:
>>
>> iscsi discovery failure - SendTargets (x.x.x.x)
>>
>> errors. If I reboot to milestone=none, I can wipe out the iSCSI config
>> and the machine will boot fine. In /var/adm/messages we get:
>>
>> iscsi session resource is in use
>>
>> but I can't find anything that seems relevant when searching for that.
>>
>> I'd be grateful for any tips!
>>
>> Thanks,
>>
>> James
>>
>> Principal Consultant
>>
>> Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] Dying iSCSI Initiator
> very strange so i got some basic questions :
>
> are you using only one path ?

Single path over four 10Gbe as an LACP aggregate.

> are you using jumbo frames ( host, storage, switch )

Yup, 9000 on everything.

> iscsi services are up i guess

Yep.

> from storage side are you able to see the initiator host ?

Yep.

Still can't work out what it's doing. I think the "resource busy" error is probably the core issue, but I can't find any information as to what that relates to.

Thanks,

James.
Re: [OpenIndiana-discuss] Dying iSCSI Initiator
>> very strange so i got some basic questions :
>>
>> are you using only one path ?
>
> Single path over four 10Gbe as an LACP aggregate.

Actually, just realised I did that the wrong way around. The storage servers are all setup like that. The VMs have failover on the physical side, but access the storage network by one vmxnet3 instance (10Gb).

James.
[OpenIndiana-discuss] VMware vmxnet3
Hi all,

We've been running a few instances of OI 151a7 under VMware 5.1 and have been able to get the vmxnet3 driver working reasonably well, except oddly for iSCSI traffic (CIFS and AFP via netatalk are absolutely fine). After a while running iSCSI over the interface crashes the system and iSCSI won't come back up over that interface. It seems like a really odd error and I wondered if anyone had any ideas?

Thanks,

James.

Sent from my iPhone
Re: [OpenIndiana-discuss] OpenIndiana roadmap
> This sort of thing is more easily done if the people doing the work receive
> compensation for it rather than doing the work in their spare time from a
> different paying job.
>
> If there was an "OpenIndiana Foundation" which could receive
> contributions/payments, then it would be possible to pay someone to act as a
> security coordinator with sufficiently real-time response.

That's certainly something we'd be very interested in contributing to, I've offered bounties before, but without an official structure it's just been via this list and hasn't been replied to (if ever even read by someone who could do it).

James
Re: [OpenIndiana-discuss] OpenIndiana roadmap
> Would a Kickstarter project to fund an OI support group be possible? The
> problem is you need a certain level of commitments to justify setting up a
> support operation.
>
> I was quite happy to pay Sun for a 3 year Gold level contract on my Ultra 20
> when I bought it. $250/yr to fund someone to help when I run into problems
> would be money well spent to me.

I'm sure it would be possible, but whether Kickstarter would be the best way or not would need looking into. I guess the real question is who is currently "in charge" of OI, how many developers are actively involved and what they think?

James
Re: [OpenIndiana-discuss] OpenIndiana roadmap
> As I understand it the strategy was always to encourage the proliferation of
> solution providers and integrators to fulfill this function. These, it was
> thought, would form in the market where a stable release, sufficient
> development had taken place to provide significant market penetration and
> adoption. If this time has come perhaps it may be helpful to welcome the
> listing of interested parties on the website?

Which is fine to some extent, but what that has led to are a lot of quite specific solutions for situations not everyone is in (SmartOS is obviously heavily cloud-oriented) or companies very focussed on selling (not necessarily cheap) support. I'd quite like to see OpenIndiana thrive as a community supported general purpose OS based on Illumos.

James
Re: [OpenIndiana-discuss] OpenIndiana roadmap
> Which is fine to some extent, but what that has led to are a lot of quite
> specific solutions for situations not everyone is in (SmartOS is obviously
> heavily cloud-oriented) or companies very focussed on selling (not
> necessarily cheap) support. I'd quite like to see OpenIndiana thrive as a
> community supported general purpose OS based on Illumos.
>
> James

Just as an addendum, we're happy to pay for support/development (and we're deploying Nexenta somewhere at the moment), but it's not the solution for a lot of our clients (either smaller businesses or large cheap storage for bigger companies) and yet we don't have the staff who can really contribute directly with code, or the connections/capital to find and hire a bunch of developers to create our own distro.

James
Re: [OpenIndiana-discuss] Funding Martin, was Re: OpenIndiana roadmap
> As Martin mentions SCHUFA it seems Martin has already fallen off the
> cliff, so I'd like to encourage anybody who's considering donating
> something to Martin's efforts to act *now*.
> --f

I've sent something as well Martin, hope we can get rid of that negative symbol.

James
Re: [OpenIndiana-discuss] Developer funding model musings
> How about something along the lines of the following:
>
> List active developers on the website for OI along w/ what they are working
> on.
>
> If you want to fund that person's work, you sign up to provide a certain
> amount which is divided into equal allotments for each month remaining in the
> calendar year. Your choice of how much.
>
> The amounts currently committed for the calendar year per developer are shown
> so that people can make intelligent choices of where to commit funds. Beyond
> a certain point more money to one developer will not make the work go faster.
> It effectively "crowdsources" hiring and pay raises.
>
> For a sensible person to work full time on OI they need some sense of
> stability and predictability. Martin's doing wonderful stuff, but I don't
> think he's being sensible. But sometimes being sensible conflicts w/ major
> achievement.
>
> There needs to be a way to keep the transaction costs down. The Paypal skim
> gets pretty hefty for a small monthly payment. If Paypal would be willing to
> take a single payment and split it into multiple equal payments with only a
> single transaction charge it would be pretty easy to set this up. Does
> anyone deal w/ Paypal enough to know if they'd do this?
>
> The idea being to make it possible for an individual to work on OI as they
> would a regular contract job. There's staggeringly high unemployment
> worldwide and in Europe especially. That ought to get us some good talent at
> bargain rates if we can just work out a viable payment model.
>
> Have Fun!
> Reg

That sounds a pretty reasonable approach, although there's 2 things I'd add:

- The possibility to add bounties for requested features.
- As Jonathan mentions - having a common pot (eg. 20% of donations go to that). Not just for tickets/marketing etc., but perhaps there needs to be a mechanism to distribute that across all developers (I'm thinking of a way to avoid the situation where, for example, a neat ZFS project gets loads of funding, but really critical (but maybe more boring) security projects don't get enough?

James
Re: [OpenIndiana-discuss] Developer funding model musings
> I'd like to suggest as a social convention that the initial "license fee" be 10% of system cost and "support fee" after the first year at 5%. Purely voluntary the way tipping service staff in restaurants used to be. No distinction between used or new equipment. So if you spin up an old SPARC system using Martin's work you contribute 10% of the purchase price. 2% to the general support coffers and the rest to your choice of staff (which in this case should clearly be Martin).

I personally wouldn't like the idea of any specific payment levels set, either by convention or otherwise. I just know that from a business perspective we're making money off Oi and could actually afford to provide quite a bit (it makes business sense as well). Others may not be in the same position.

> On further reflection I think there should also be a tally of who's contributed and how much. My assumption is that there are people building systems for clients. It would provide a means of evaluating how much OI based work they're doing which would be valuable to potential clients looking for a system or support.

There might be a value in having some sponsor pages for donations past a certain threshold, but announcing actual figures might put some people off. I think we really need to get the devs involved though, to see if they're actually interested in any of this!

James
Re: [OpenIndiana-discuss] Developer funding model musings
> I, personally, appreciate their efforts very much. I just think that funding individual developers is probably the best we can reasonably hope for at this time. It's not as complete of a solution as paying one or more people to work on OI full time; but at least it would be a step in that direction.

It might be workable though, I guess the question would be what would be the next step in setting this up, and who would we need to talk to? I have to be honest and say I couldn't actually name many Oi devs!

James
Re: [OpenIndiana-discuss] OI_151a7 install grumble
> However, in case that your filesystems for some reason rely on ACLs and extended attributes (not so for the default installation) you might have to use the Sun tar or cpio (not the GNU variants).

For what it's worth you can build the 3.0.10-dev versions of rsync with Solaris xattr and ACL support, which seems to work well. We actually did tests syncing files with extended attributes from OS X to Oi 151 and even that worked (the OS X xattrs were stored as ZFS xattrs as well). Quite neat really.

James
Re: [OpenIndiana-discuss] OpenIndiana roadmap
> If you want security updates, there's no reason why some of you can't get together and start your own business offering these updates for a fee. OI is open source. You wouldn't necessarily have to start your own distribution, although you could do that, too. But the code base is out there. You can charge a fee for these services. And if you want to be real nice, contribute the security fixes back to OI for inclusion in later releases.
>
> That'd be do-able, and probably the closest to a win-win situation that you're likely to find.
>
> I, personally, doubt if you could make enough money on it to make it worth your while; but perhaps you could.

You actually wouldn't need to make enough money on it in and of itself to make it worthwhile. If we could find developers interested then we'd actually be happy to pay a few for some work as it would help in other areas of our business. I think there's probably a few businesses like that. If we're making money with boxes using Oi (which we are) it makes sense for us to make Oi better. We've not got the budget of Nexenta, Joyent etc., but we've got a bit.

The problem is finding appropriate developers, we've advertised, asked around online and at two Universities near us, and not had anyone either with any Solaris/Illumos experience, or interested in learning. We may have found one person now interested in some contract work on specific features, but that's it!

James
Principal Consultant
Tel: 01642 688065
Mob: 07734 655931
Website: www.themacplace.co.uk
[OpenIndiana-discuss] Diagonal Mapping
Hi all,

I just wondered if anyone here was particularly familiar with idmap's diagonal mapping? It looked like it could be quite handy for adding group permissions with static maps (eg. Windows Group is mapped to a single unix user), but I'm wondering if it is possible to use it like that.

When testing with one user, it works brilliantly, if I add:

    idmap add wingroup:tmp@themacplace.private unixuser:tmp

then login with the first account, james, I can write (and then read) files/folders and it creates them as the unix user tmp. That all looked really promising, but in looking at something else I tested that with a different user (also a member of tmp@themacplace.private) and it is writing the file with an ephemeral ID:

    drwx--+  2 angela@themacplace.private  Domain Users@themacplace.private  2 Feb 24 12:36 Test Folder - angela
    drwx--+  2 tmp                         other                             2 Feb 24 12:36 Test Folder - james

What is odd, is that idmap itself actually seems to be working, it looks like it should be mapping angela to the tmp user:

    # idmap list james@themacplace.private
    add wingroup:tmp@themacplace.private unixuser:tmp
    # idmap list angela@themacplace.private
    add wingroup:tmp@themacplace.private unixuser:tmp

Does anyone know why that would be working like that?

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk
[OpenIndiana-discuss] idmap timeout
Hi all,

Another idmap issue! Just trying a new VM for some troubleshooting and I can't seem to get the name_cache_timeout and id_cache_timeout settings to work on here. I've run:

    svccfg -s svc:/system/idmap setprop config/name_cache_timeout=count: 31536000
    svccfg -s svc:/system/idmap setprop config/id_cache_timeout=count: 31536000

but I'm still seeing UIDs changing every 10 minutes (cron job here running an id to a file every minute):

    13:05:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:06:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:07:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:08:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:09:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:10:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
    13:11:00 uid=2147491846(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    13:12:00 uid=2147491846(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    13:13:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)
    13:14:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)
    13:15:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)
    13:16:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)
    13:17:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)

Does anyone know if this is a bug, or expected behaviour? Obviously doesn't affect CIFS at all, but I'm trying to do some troubleshooting against another service. What also seems a bit weird is the output format of id changes when the id ticks over (adds the username into brackets)?

Thanks,

James.
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] idmap timeout
Hi Reg,

> svccfg -s svc:/system/idmap listprop "config/*"

    config/list_size_limit      count    0
    config/stability            astring  Unstable
    config/value_authorization  astring  solaris.smf.value.idmap
    config/machine_sid          astring  S-1-5-21-3389328288-2012474116-2712525247
    config/domain_name          astring  themacplace.private
    config/name_cache_timeout   count    31536000
    config/id_cache_timeout     count    31536000

> Also, did you "svcadm restart idmap" after setting the timeouts?

Yep!

> What are you using to make the query in the cron job?

    #!/bin/bash
    datestring=$(date +"%H:%M:%S")
    userdata=$(/usr/bin/id james@themacplace.private)
    echo "$datestring" " " "$userdata" >> /root/idtest.log

> Checking idmap.db per the notes in feature #677 shows the expiration time being set properly in the database in oi_151a7.

Yeah, I did that, and the expiration time did change:

    INSERT INTO idmap_cache VALUES('S-1-5-21-422489907-454740634-3148902543',1105,'themacplace.private','james','james',2147500059,NULL,1,1,1,1,4,NULL,NULL,NULL,NULL,NULL,NULL,0,1393348328)

The current epoch time is 1361813013, so 1393348328 - 1361813013 gives 31535315, so it looks like it's working absolutely fine in terms of changing the settings, it just doesn't appear to be having much effect. I've left it running and it's still doing it!

    17:11:00 uid=2147500057 gid=2147483650(Domain Users@themacplace.private)
    17:12:00 uid=2147500058(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    17:13:00 uid=2147500058(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    17:14:00 uid=2147500058(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    17:15:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:16:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:17:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:18:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:19:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:20:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:21:00 uid=2147500058 gid=2147483650(Domain Users@themacplace.private)
    17:22:00 uid=2147500059 gid=2147483650(Domain Users@themacplace.private)
    17:23:00 uid=2147500059 gid=2147483650(Domain Users@themacplace.private)
    17:24:00 uid=2147500059 gid=2147483650(Domain Users@themacplace.private)

Cheers,

James.
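The cron log above scanned for UID churn, as an added example that is not part of the thread: it parses `id` lines of the shape logged above, reports each minute at which the UID changed, and flags whether the new UID falls in the 2^31 to 2^32-2 range that the idmap man page (quoted earlier in the thread) reserves for ephemeral, non-persistent mappings. The log lines are constructed sample data modelled on the thread's output.

```shell
#!/bin/sh
# Added example, not from the thread: detect changes in the UID that idmap
# hands out for an AD user, from the log the cron job above writes
# (one "HH:MM:SS uid=NNN[(name)] gid=NNN(name)" line per run).

# Constructed sample log modelled on the thread's output (not real data).
SAMPLE_LOG='13:05:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
13:06:00 uid=2147491845 gid=2147483650(Domain Users@themacplace.private)
13:11:00 uid=2147491846(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
13:12:00 uid=2147491846 gid=2147483650(Domain Users@themacplace.private)
13:21:00 uid=2147491847 gid=2147483650(Domain Users@themacplace.private)
13:22:00 uid=1001(james) gid=10(staff)'

# is_ephemeral UID: true when UID lies in 2^31 .. 2^32-2, the range idmap
# uses for ephemeral (non-persistent) mappings; non-numeric input is false.
is_ephemeral() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2147483648 ] && [ "$1" -le 4294967294 ]
}

# uid_from_line LINE: print the numeric uid, dropping any "(name)" suffix
# (the suffix is what id adds when the name lookup succeeds).
uid_from_line() {
    f=${1#* uid=}            # strip the timestamp and "uid="
    f=${f%% *}               # keep the uid field only
    printf '%s\n' "${f%%\(*}"
}

# uid_changes: read log lines on stdin; print "TIME OLD -> NEW (tag)" for
# every run whose uid differs from the previous run's.
uid_changes() {
    prev=
    while IFS= read -r line; do
        case $line in *' uid='*) ;; *) continue ;; esac
        stamp=${line%% *}
        uid=$(uid_from_line "$line")
        if [ -n "$prev" ] && [ "$uid" != "$prev" ]; then
            if is_ephemeral "$uid"; then tag=ephemeral; else tag=persistent; fi
            printf '%s %s -> %s (%s)\n' "$stamp" "$prev" "$uid" "$tag"
        fi
        prev=$uid
    done
}

# count_uid_changes: number of uid changes in the log on stdin.
count_uid_changes() {
    uid_changes | wc -l | tr -d ' '
}

# Demo: three changes in the sample; only the last lands on a persistent UID.
printf '%s\n' "$SAMPLE_LOG" | uid_changes
```

Pointing the same functions at /root/idtest.log instead of the sample shows how often the ephemeral UID actually rolls over, independent of what the cache timeout properties claim.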
Re: [OpenIndiana-discuss] idmap timeout
> Just in case, you also did "svcadm refresh idmap" after changing SMF service properties and before restarting the service, right? ;)

I think so, although you've got me wondering now. Although saying that, it's appearing correctly in the idmap database, so presumably I did and that should be in effect anyway?

James.
Re: [OpenIndiana-discuss] idmap timeout
> FWIW "svcadm restart idmap" loads the new setting properly on oi_151a7 w/o an "svcadm refresh idmap".

Yep, didn't make any difference:

    18:30:00 uid=2147508225(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    18:31:00 uid=2147508225(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    18:32:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:33:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:34:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:35:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:36:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:37:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:38:00 uid=2147508225 gid=2147483650(Domain Users@themacplace.private)
    18:39:00 uid=2147508226(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)

James.
Re: [OpenIndiana-discuss] idmap timeout
> Try modifying your cron job to do a:
>
> "idmap dump -nv"

I'll add that in, see what drops out.

> Writing a static set of name rules using awk should be pretty trivial if one can query Windows and Mac OS for authorized user name lists. Updating could be triggered by a request that didn't have a mapping yet. This would then all persist across boots.

I did think of that, but it's things like triggering that, keeping it up to date (ie. when users are removed from AD) and the rest, and I thought it might become quite a big project really and something that may be better written as some kind of alternate idmap option (i.e. instead of just having static and ephemeral, have static, ephemeral and cached - with cached basically being automatically created user mappings). To be fair if idmap was able to just use static mapping to a range of IDs that would be good enough.

James.
Re: [OpenIndiana-discuss] idmap timeout
> I did think of that, but it's things like triggering that, keeping it up to date (ie. when users are removed from AD) and the rest, and I thought it might become quite a big project really and something that may be better written as some kind of alternate idmap option (i.e. instead of just having static and ephemeral, have static, ephemeral and cached - with cached basically being automatically created user mappings).

When I say cached I mean a cached copy of the users in AD (with some ADs that could be a big ask though...).

I added

    idmap dump -nv | grep james

to the script, and I'm getting effectively the same issue:

    18:56:00 uid=2147508227 gid=2147483650(Domain Users@themacplace.private)
    18:56:00 winuser:james@themacplace.private == uid:2147508228
    18:57:00 uid=2147508227 gid=2147483650(Domain Users@themacplace.private)
    18:57:00 winuser:james@themacplace.private == uid:2147508228
    18:58:00 uid=2147508227 gid=2147483650(Domain Users@themacplace.private)
    18:58:00 winuser:james@themacplace.private == uid:2147508228
    18:59:00 uid=2147508228(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    18:59:00 winuser:james@themacplace.private == uid:2147508229
    19:00:00 uid=2147508228(james@themacplace.private) gid=2147483650(Domain Users@themacplace.private)
    19:00:00 winuser:james@themacplace.private == uid:2147508229
    19:01:00 uid=2147508228 gid=2147483650(Domain Users@themacplace.private)
    19:01:00 winuser:james@themacplace.private == uid:2147508229

The id command seems to lag a little behind the idmap dump command, I'm guessing a cached problem there. Still, they do still keep changing...

James.
Re: [OpenIndiana-discuss] idmap timeout
> Unless I've badly misunderstood what I've read it can do that now. Of course, comments and code are not always in agreement. Or perhaps the more common, "However, if you did that then, you can't do this now."

The thing is that there doesn't seem to be anything anywhere that actually says "ephemeral IDs will persist". There's a cache, which you can change the timeouts for, but from what I can see it either updates the cache anyway, or updates the UID of cached objects.

> Ignoring that the only limitation I see is what will Windows & Mac OS reveal w/o requiring installing a program. If OI can query the AD hosts, then idmap can trigger an update on a fail of identifier lookup. That's a pretty clean change. One function call in the right place.

It's getting someone who can write the function call that is tricky!

James.
Re: [OpenIndiana-discuss] idmap timeout
> Are you saying there's another copy besides idmap.db? I'd not seen evidence of that.

No, but even if an object is already in the cache, it still seems to be updating the UID. It doesn't seem to be the case that an entry in the idmap cache is a static entry. Either that or the cache timeout settings just aren't actually being used correctly (it is odd that this is changing every 10 minutes - which is the default cache time).

> The hard part is finding one person who understands the internals of 3 systems well.

They shouldn't really need to; OS X uses LDAP natively if you use OS X Server (uncommon) so that would just work straight away, no problems there. In terms of what we thought, most of the time Mac users will be accessing with Active Directory credentials (because that's what enterprises tend to use these days).

> Given a program which will run on OI and return a text file w/ the current set of user IDs in the host domain, the rest is trivial. It's a non-blocking fork-exec of the update program. On a rare event it's as non-invasive as it gets.

The thing is that the whole problem with Active Directory is that (natively) it doesn't have user IDs, it has SIDs - so you need to look up the SID and then generate a UID. This is what winbind and Mac OS X do and importantly their mappings are automatically generated, but static. So if user jbloggs logs into an OS X system bound to AD, he gets a UID generated for him, and that will always be his UID (on a Mac bound to that AD - it's generated based on the SID).

The problem with ephemeral IDs is the ephemeral part! If you could just have an idmap setting which was basically: use IDs 5-75000 for AD users, that would solve the problem; once an AD user accesses the system they get assigned a fixed UID. As mentioned OS X is slightly more clever as the UID is generated procedurally from information from the AD, but that would be nice, rather than critical.

Basically if you could have idmap so it would do:

    S-1-5-21-422489907-454740634-3148902543 >> 2147483650

with the Windows SID on the left and the UNIX UID on the right, and have that not change, that would be it. You can do that now by doing name based mappings, so you can get:

    S-1-5-21-422489907-454740634-3148902543 >> name-of-local-user

but it isn't automatic and it's a bit inflexible. You could write a bash script that did:

- LDAP query of AD to get user and group names
- Create matching users and groups on Oi system
- Create static maps between AD users/groups and Oi users/groups

I wouldn't think that would be fast though, and I wouldn't know the best way of triggering it.

James.
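One way to script the static-mapping steps listed above, as an added example that is not part of the thread: the LDAP query is replaced by a constructed name list, each user's UID is allocated once from a fixed range and recorded in a table so that a re-run keeps the same UID (the persistence the thread is after), names coming out of the directory are validated before they reach a command line, and the script only prints the useradd/idmap commands rather than running them. DOMAIN, UID_MIN, UID_MAX and the table format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for the static
# AD-user -> local-user -> idmap rule chain described above.
# The ldapsearch step is replaced by a constructed list; the allocation
# table ("name uid" per line) is what keeps a user's UID fixed across runs.

DOMAIN=themacplace.private   # assumed AD domain (as used in the thread)
UID_MIN=5000                 # assumed range reserved for AD users
UID_MAX=75000

# Constructed stand-in for the sAMAccountName column of an LDAP query
# (not real directory data). "bad;name" exercises the validation path.
AD_USERS='james
angela
tmp
bad;name'

# valid_name NAME: accept only names safe to hand to useradd/idmap;
# directory data is untrusted input as far as the shell is concerned.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9._-]*|-*) return 1 ;; *) return 0 ;; esac
}

# allocate_uid NAME TABLE: print NAME's UID from TABLE, allocating the
# next free one in UID_MIN..UID_MAX (and recording it) if NAME is new.
allocate_uid() {
    name=$1 table=$2
    [ -f "$table" ] || : > "$table"
    uid=$(awk -v n="$name" '$1 == n { print $2; exit }' "$table")
    if [ -z "$uid" ]; then
        last=$(awk 'NR == 1 || $2 > max { max = $2 } END { print max + 0 }' "$table")
        if [ "$last" -lt "$UID_MIN" ]; then uid=$UID_MIN; else uid=$((last + 1)); fi
        [ "$uid" -le "$UID_MAX" ] || { echo "uid range exhausted" >&2; return 1; }
        printf '%s %s\n' "$name" "$uid" >> "$table"
    fi
    printf '%s\n' "$uid"
}

# plan_mappings TABLE: read AD names on stdin, print the commands that would
# create the local user and the name-based mapping (nothing is executed).
plan_mappings() {
    tbl=$1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! valid_name "$name"; then
            echo "skipping unsafe name: $name" >&2
            continue
        fi
        uid=$(allocate_uid "$name" "$tbl") || return 1
        printf 'useradd -u %s %s\n' "$uid" "$name"
        # domain kept lower-case: the thread reports idmap matching only that form
        printf 'idmap add winuser:%s@%s unixuser:%s\n' "$name" "$DOMAIN" "$name"
    done
}

# Demo with a throwaway table; point TABLE at a persistent file in real use.
TABLE=$(mktemp)
printf '%s\n' "$AD_USERS" | plan_mappings "$TABLE"
rm -f "$TABLE"
```

Running the plan twice against the same table produces identical output, which is the property the ephemeral mapping lacks; removing a user from AD would need a separate pass that diffs the table against the directory listing.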
[OpenIndiana-discuss] idmap case sensitivity
Hi all,

I'm guessing this is a bug in idmap, but can someone just confirm if they have ever seen this:

    # idmap list
    add wingroup:administrators@DOMAIN.LOCAL unixgroup:winadm
    # getent group "administrators@domain.local"
    administrators@coolblue.local::102:
    # getent group "administrators@DOMAIN.LOCAL"
    administrators@DOMAIN.LOCAL::2147483662:

The documentation says that idmap should be case insensitive on the windows username side, but it doesn't appear to be? For some reason it will only map successfully if the domain is specified lower case. This is breaking permissions mapping because CIFS users always seem to effectively authenticate using the @DOMAIN.LOCAL capitalisation.

Anyone know of a fix for this?

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] idmap case sensitivity
Hi Jim,

> I think we've hit this years ago in one SXCE installation, and just forced lowercase domain names with entries like this (there are many per-user definitions also, I am not sure if they are the real key to success):
>
> add winname:Guest@thumper unixuser:nobody
> add winuser:Administrator@thumper unixuser:root
> add wingroup:*@domain.ru unixgroup:*
> add winuser:*@domain.ru unixuser:*
> add "wingroup:Domain us...@domain.ru" unixgroup:staff
> add "wingroup:Domain adm...@domain.ru" unixgroup:sysadmin

Thanks, did try that, but whether we were using upper or lowercase domain names in the idmap listings, it was only matching against lower-case logins. We've got both upper-case and lower-case specified in the krb5.conf file as well. In the end I've used:

    add -d winuser:username@* unixuser:username

That works, but it's unidirectional, so not ideal.

Best regards,

James.
[OpenIndiana-discuss] Out of interest...
Hi all,

I just wondered if anyone knew why a COMSTAR iSCSI re-share would show up as "Drive type unknown" using the format command, whereas other luns (from different hosts) are unaffected (show up as COMSTAR OI)? It doesn't seem to be causing any problems, I just thought it was odd!

Thanks,

James.
[OpenIndiana-discuss] Yubico on OpenIndiana
Hi all,

I've managed to get a YubiKey ( http://www.yubico.com ) working on Oi151a7 (follow up post on that shortly) but I just wondered if anyone knew if it was possible to use that with the built-in SSH service, or if it does require OpenSSH installing? I've got to the point where it asks for the YubiKey OTP (and seems to accept it) on login over SSH, but when it asks for the user password after that it then just goes round in circles for a bit asking for a new OTP and then the password again. The examples I've seen on similar systems (SmartOS for example - http://blogs.everycity.co.uk/alasdair/2013/01/two-factor-ssh-authentication-with-yubico-yubikeys-on-smartos/ ) use OpenSSH but I wasn't sure if that was via choice or necessity?

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk
[OpenIndiana-discuss] Library/tool updates
Hi all,

I am going to stick a wiki page up explaining the process involved in getting the YubiKey software installed, and I just wondered about how much I had needed to update/install to get it working. In terms of software other than the YubiKey software I needed to put on new versions of autoconf and automake, as well as install libtool. The versions that were on seemed relatively out-of-date, yet the newest releases built absolutely fine. Is the bug reporting mechanism the right way to recommend updates to these tools/libraries?

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] Yubico on OpenIndiana
Talking to myself here, but the answer is no, it doesn't need OpenSSH. It works fine with the built-in SSH server. I was having a few problems getting it working but tracked it down to a typo in the yubikey_mappings file. Works a treat!

Thanks,

James.

On 26 Mar 2013, at 09:56, James Relph wrote:

> I've managed to get a YubiKey ( http://www.yubico.com ) working on Oi151a7 (follow up post on that shortly) but I just wondered if anyone knew if it was possible to use that with the built-in SSH service, or if it does require OpenSSH installing? [...]
[OpenIndiana-discuss] pkg error
Hi all,

Has anyone seen the below error with pkg before? This is with a brand new install of 151a7, in the global zone:

    Traceback (most recent call last):
      File "/usr/bin/pkg", line 45, in <module>
        import pkg.client.api as api
      File "/usr/lib/python2.6/vendor-packages/pkg/client/api.py", line 34, in <module>
        import pkg.client.image as image
      File "/usr/lib/python2.6/vendor-packages/pkg/client/image.py", line 39, in <module>
        import pkg.client.transport.transport as transport
      File "/usr/lib/python2.6/vendor-packages/pkg/client/transport/transport.py", line 23, in <module>
        import pkg.client.transport.repo as trepo
      File "/usr/lib/python2.6/vendor-packages/pkg/client/transport/repo.py", line 22, in <module>
        import pkg.server.repository as svr_repo
      File "/usr/lib/python2.6/vendor-packages/pkg/server/repository.py", line 34, in <module>
        import pkg.query_parser as qp
      File "/usr/lib/python2.6/vendor-packages/pkg/query_parser.py", line 14, in <module>
        import cgi
    ValueError: bad marshal data

Thanks,

James
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] pkg error
Thanks, I actually thought that with it being that close to install (and not having been used) it was probably safer to wipe and reinstall (it made me wonder what else was missing). Probably safer in the long run!

James
Principal Consultant
Website: www.themacplace.co.uk

On 27 Mar 2013, at 18:36, Alexander Eremin wrote:

> Sometimes this is due to bad *.pyc somewhere. You can try to delete them in vendor-packages/pkg directory before.
>
> Alexander
>
> On 27.03.2013, at 20:58, James Relph wrote:
>
>> Has anyone seen the below error with pkg before? This is with a brand new install of 151a7, in the global zone:
>> [...]
>> ValueError: bad marshal data
[OpenIndiana-discuss] Odd Samba/winbind issue
Hi,

Apologies for cross posting, but I'm not sure if this is an Oi issue or a cswsamba issue.

I've installed cswsamba (3.6.15) and cswsamba_winbind on an OI box (151a7). I've got it bound to AD fine, and winbind itself seems to be operating perfectly (I've actually got netatalk happily authenticating AD users via winbind). If I run wbinfo -u or getent passwd, I get the expected information back. Oddly though Samba itself isn't authenticating users. If I try and login (with a few variations of DOMAIN\username or username@DOMAIN) it just kicks it back as an unknown user (see below).

The only thing that I can think of is that the cswsamba is actually still calling the previously installed (but turned off) winbind that I installed with the original OI samba install. With that not running though I wouldn't have thought that would have happened (but if that could be it - how do I make sure that cswsamba uses cswsamba_winbind). I have symlinked the csw nss_winbind libraries into /lib, I just don't know if there's anything else that could cause this.

Thanks for any help.

James
Principal Consultant

    Mapping user [DOMAIN]\[james] from workstation [server03]
    attempting to make a user_info for james (james)
    making strings for james's user_info struct
    making blobs for james's user_info struct
    check_ntlm_password: Checking password for unmapped user [DOMAIN]\[james]@[server03] with the new password interface
    check_ntlm_password: mapped user is: [DOMAIN]\[james]@[server03]
    Finding user DOMAIN\james
    Trying _Get_Pwnam(), username as lowercase is DOMAIN\james
    Trying _Get_Pwnam(), username as given is DOMAIN\james
    Checking combinations of 0 uppercase letters in DOMAIN\james
    Get_Pwnam_internals didn't find user [DOMAIN\james]!
    Finding user james
    Trying _Get_Pwnam(), username as lowercase is james
    Checking combinations of 0 uppercase letters in james
    Get_Pwnam_internals didn't find user [james]!
    Failed to find authenticated user DOMAIN\james via getpwnam(), denying access.
    check_ntlm_password: winbind authentication for user [james] FAILED with error NT_STATUS_NO_SUCH_USER
    check_ntlm_password: Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER
    Got user=[ja...@domain.corp] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
    Mapping user [DOMAIN]\[ja...@domain.corp] from workstation [server03]
    attempting to make a user_info for ja...@domain.corp (ja...@domain.corp)
    making strings for ja...@domain.corp's user_info struct
    making blobs for ja...@domain.corp's user_info struct
    check_ntlm_password: Checking password for unmapped user [DOMAIN]\[ja...@domain.corp]@[server03] with the new password interface
    check_ntlm_password: mapped user is: [DOMAIN]\[ja...@domain.corp]@[server03]
    check_ntlm_password: winbind authentication for user [ja...@domain.corp] FAILED with error NT_STATUS_NO_SUCH_USER
    check_ntlm_password: Authentication for user [ja...@domain.corp] -> [ja...@domain.corp] FAILED with error NT_STATUS_NO_SUCH_USER
    Got user=[ja...@domain.corp] domain=[DOMAIN] workstation=[server03] len1=24 len2=124
    Mapping user [DOMAIN]\[ja...@domain.corp] from workstation [server03]
    attempting to make a user_info for ja...@domain.corp (ja...@domain.corp)
    making strings for ja...@domain.corp's user_info struct
    making blobs for ja...@domain.corp's user_info struct
    check_ntlm_password: Checking password for unmapped user [DOMAIN]\[ja...@domain.corp]@[server03] with the new password interface
    check_ntlm_password: mapped user is: [DOMAIN]\[ja...@domain.corp]@[server03]
    check_ntlm_password: winbind authentication for user [ja...@domain.corp] FAILED with error NT_STATUS_NO_SUCH_USER
    check_ntlm_password: Authentication for user [ja...@domain.corp] -> [ja...@domain.corp] FAILED with error NT_STATUS_NO_SUCH_USER
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
Thanks Laurent, appreciate the help.

> I'm maintaining that package, I do want to keep it running on OI as well, so
> it's good to know it's working there.

Both cswsamba and cswwinbind do seem to be working fine, they're just not talking to each other!

> It might be a Samba configuration issue, but before trying on a
> Samba-specific list, we can surely dig here first :-)
> Can you post the output of:
>
> ldd -v /opt/csw/sbin/smbd /opt/csw/sbin/nmbd /opt/csw/sbin/winbindd

/opt/csw/sbin/smbd:
   find object=libc.so.1; required by /opt/csw/sbin/smbd
    libc.so.1 => /lib/libc.so.1
   find version=libc.so.1
    libc.so.1 (SUNW_1.18) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1
   object=/lib/libc.so.1; filter for /usr/lib/ld.so.1
   object=/lib/libc.so.1; filter for libm.so.2
   find object=libm.so.2; required by /lib/libc.so.1
    libm.so.2 => /lib/libm.so.2
   find object=libc.so.1; required by /lib/libm.so.2
   find version=libc.so.1
    libc.so.1 (SUNW_1.1) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1

/opt/csw/sbin/nmbd:
   find object=libc.so.1; required by /opt/csw/sbin/nmbd
    libc.so.1 => /lib/libc.so.1
   find version=libc.so.1
    libc.so.1 (SUNW_1.18) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1
   object=/lib/libc.so.1; filter for /usr/lib/ld.so.1
   object=/lib/libc.so.1; filter for libm.so.2
   find object=libm.so.2; required by /lib/libc.so.1
    libm.so.2 => /lib/libm.so.2
   find object=libc.so.1; required by /lib/libm.so.2
   find version=libc.so.1
    libc.so.1 (SUNW_1.1) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1

/opt/csw/sbin/winbindd:
   find object=libc.so.1; required by /opt/csw/sbin/winbindd
    libc.so.1 => /lib/libc.so.1
   find version=libc.so.1
    libc.so.1 (SUNW_1.18) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1
   object=/lib/libc.so.1; filter for /usr/lib/ld.so.1
   object=/lib/libc.so.1; filter for libm.so.2
   find object=libm.so.2; required by /lib/libc.so.1
    libm.so.2 => /lib/libm.so.2
   find object=libc.so.1; required by /lib/libm.so.2
   find version=libc.so.1
    libc.so.1 (SUNW_1.1) => /lib/libc.so.1
    libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1

> ps -edf | egrep 'smbd|nmbd|winbind'

root 19244 19243 0 06:37:01 ?    1:15 /opt/csw/sbin/winbindd -D
root 19260 19243 0 06:38:26 ?    0:02 /opt/csw/sbin/winbindd -D
root 19255 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 21427 19243 0 09:06:04 ?    1:02 /opt/csw/sbin/winbindd -D
root 19257 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 19239 17386 0 06:36:59 ?    0:00 /opt/csw/sbin/smbd -D
root 19258 19243 0 06:38:26 ?    0:02 /opt/csw/sbin/winbindd -D
root 19243 17386 0 06:37:01 ?    0:21 /opt/csw/sbin/winbindd -D
root 19240 19239 0 06:36:59 ?    0:00 /opt/csw/sbin/smbd -D
root 19251 19243 0 06:37:51 ?    0:00 /opt/csw/sbin/winbindd -D
root 19254 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 26205 26165 0 13:48:20 pts/1 0:00 egrep smbd|nmbd|winbind
root 19256 19243 0 06:38:26 ?    0:07 /opt/csw/sbin/winbindd -D
root 19261 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 19238 17386 0 06:36:59 ?    0:06 /opt/csw/sbin/nmbd -D
root 19252 19243 0 06:37:51 ?    0:00 /opt/csw/sbin/winbindd -D
root 19262 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 19259 19243 0 06:38:26 ?    0:08 /opt/csw/sbin/winbindd -D
root 26201 19239 0 13:48:07 ?    0:00 /opt/csw/sbin/smbd -D

> Also, do you have any log on the AD side about the try, and how it looked?

It didn't seem to even try the AD side, but I can check again. Obviously it's just odd that it's working via other apps (i.e. those using PAM) but not Samba itself.

> While it's probably not hurting, I think that's not a good idea, and should
> not be needed in any case.

Using PAM with winbind didn't work until I made those symlinks (and they were recommended elsewhere)?

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> Well, the lines you had shown appeared to show they were talking, just the
> answer was negative for some reason.

Interesting, odd that the PAM side is working though. It's been very annoying, I'll say that.

> Do you remember where?

Here: https://www.opencsw.org/mantis/view.php?id=5020

> Have you tried the pam module from CSWwinbind or only the Solaris one?

I'm using the cswwinbind module, so for instance for netatalk I've got:

netatalk auth requisite pam_authtok_get.so.1
netatalk auth required pam_dhkeys.so.1
netatalk auth required pam_unix_cred.so.1
netatalk auth sufficient /opt/csw/lib/security/pam_winbind.so use_first_pass
netatalk account requisite pam_roles.so.1
netatalk account sufficient /opt/csw/lib/security/pam_winbind.so

> It should be possible to configure them in /etc/pam.conf (I've not tried it
> yet myself).
>
> And like Jonathan, I'd like to see the configuration.

Thanks again, output of testparm is below (sanitised a little):

Load smb config files from /etc/opt/csw/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[FileShare]"
Processing section "[STUDIO]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically).
WARNING: You have some share names that are longer than 12 characters. These may not be accessible to some older clients. (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    workgroup = DOMAIN
    realm = BURBERRY.CORP
    server string = server01
    security = ADS
    password server = ukhfhwdct01.burberry.corp
    map untrusted to domain = Yes
    log file = /var/samba/samba.log
    load printers = No
    dns proxy = No
    template homedir = /export/home/%U
    template shell = /usr/bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 5
    idmap config * : range = 16777216-33554431
    idmap config * : backend = tdb

[FileShare]
    comment = FileShare
    path = /shared/server01/FileShare
    read only = No

[STUDIO]
    comment = STUDIO
    path = /shared/server01/STUDIO
    read only = No
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> I think that might be a problem. Those are the 32 bit modules. I don't think
> you're running the system 32 bit, so apps requesting 64 bit pam will not be
> happy.
> I think you should try with $ISA (implicit for the relative names), something
> like that:
> /opt/csw/lib/$ISA/security/pam_winbind.so

I initially dropped the 64-bit versions in and it freaked out big style (couldn't log in initially). The netatalk bit seems to be running fine with those as well. Does Samba even use PAM for talking with winbind, or does it deal with it directly?

>> Thanks again, output of testparm is below (sanitised a little):
>
> I don't see anything trivially wrong, but it's been a while. My only concern
> is why are you using the tdb backend instead of something deterministic like
> rid? But it should not be an issue here. I hope you can get some details from
> the AD side.

It doesn't look like it's asking the AD, oddly (yet the PAM modules do). I need to run Wireshark on there and see what's actually happening.

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> You need to have both, hence the $ISA, since 32 and 64 bits apps will
> each need the proper binary.
> And I realized I gave you a wrong path earlier for the ldd, forgotten I
> had just introduced both 32/64 Samba binaries, I should have noticed it
> was way too short:
> /opt/csw/sbin/amd64 or /opt/csw/sbin/sparcv9 is where they are.
>
> And it does link against libpam:
> find object=libpam.so.1; required by /opt/csw/sbin/amd64/smbd

Sadly changing it to include $ISA doesn't make a difference, worth a try though.

> Also raising the Samba debug level and trying to find some nuggets of
> information there.

I'll bump it up again and run some more tests, see if anything different pops up.

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
Just been looking into this a bit and I wondered if there was any chance that this group issue could be causing problems (users are in a lot of groups):

https://bugzilla.samba.org/process_bug.cgi

Does the current version of cswsamba have those patches? I tried compiling a version from scratch, but it's a bit of a pain (getting issues configuring --with-ads due to missing ldap_initialize, which I can't quite solve). Samba4 is a LOT easier to compile (I think it includes a lot of its own stuff) but the patches don't work against that as yet.

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> If Andrew doesn't respond, let me know. It shouldn't be too hard to get these
> right for Samba 4.

Thanks Frank, I think Samba4 looks in general a little easier; even the compilation seems more straightforward than 3. The benefit there is I can get Samba4 to actually use winbind properly!

All the best,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> You should be able to just upgrade to them:
> pkgutil -t http://buildfarm.opencsw.org/opencsw/experimental/laurent -u

Hi Lauren,

Thanks for that, the patches seem to work and I can use netatalk with winbind still (with more groups now!), but SMB is still a no go, I just get:

check_ntlm_password: Authentication for user [james] -> [james] FAILED with error NT_STATUS_NO_SUCH_USER

It seems really odd, because if I do:

id james
uid=16777216(james) gid=16777216(domain users)

Or:

getent passwd "james"
james:*:16777216:16777216::/export/home/james:/usr/bin/bash

I'm just not sure why everything would be able to see the user via winbind, except for Samba; there's nothing in the logs, and when you try to authenticate over Samba it doesn't even seem to get as far as asking the AD. Yet if you use netatalk (via PAM and winbind) that's checking and authenticating against AD fine. Puzzling.

Thanks again,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> Laurent with a 't', so it's male, just for the record ;-)

Sorry, typo there, I did get it right earlier!

> Careful, IIRC, the "No such user" answer for Samba is an authentication
> issue, you can get that even when the user is indeed there, but with eg a bad
> password. While the pam results you get above are purely a user description.
> But if netatalk does authenticate, that could be good. Can you also get
> authenticated with, say, "su - james"? Have you tried connecting with
> smbclient to the server?

Yep, if I set up other PAM bits I can log in via (for instance) SSH, and netatalk worked pretty much straight away. I'll bring this up on the Samba lists and see if anyone has any ideas. Samba4 is working pretty well, so that might be an option; there's just (ironically) an issue with netatalk on that side (but I think the guys at NetAFP are pretty confident that they can remedy that quickly).

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> What do you get when you do wbinfo -a user or wbinfo -k user?

Plaintext and Kerberos authentication succeed, but challenge-response doesn't for some reason. Not sure if that's related?

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> Depends I guess. I have the same results but things work over here... but then
> I did build a patched version of samba and I don't just run vanilla samba
> like what csw built.

I tried the same approach myself but ran into a problem building Samba, as it was complaining about being unable to find ldap_initialize (despite openldap being installed).

Thanks,

James.
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> LDAP_LIBS="-lldap-2.4 -llber-2.4"
>
> You may also need to add -I/usr/include/openldap to CFLAGS.

Thanks, that got me past the LDAP error! Just a Kerberos error now... sigh...

checking for working krb5-config... no. Fallback to previous krb5 detection strategy

I've got Kerberos installed and I can see the krb5.h file on there, just not sure why it can't see it...

James
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> Thanks, that got me past the LDAP error! Just a Kerberos error now... sigh...

For reference, this fixes that:

export CPPFLAGS="-I/usr/include/kerberosv5"

James
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
Hi all,

I still haven't been able to get Samba 3.6 working (of any variety), but I have managed to get Samba4 up and running, and it's pretty good. I'll check these notes to make sure they are accurate, but these are the steps to have a non-global zone in OI 151a7 sharing out SMB and AFP with AD logins.

** In the global zone, added to /etc/system: **

set ngroups_max = 1024

and rebooted the global zone.

** In the non-global zone **

pkg install ar
pkg install illumos-gcc
pkg install gnu-binutils
pkg install git
pkg install gdb
pkg install system/header
pkg install system/library/math/header-math
pkg install developer/library/lint
pkg install cups
pkg install wget
pkg install samba
wget http://www.samba.org/samba/ftp/samba-latest.tar.gz
tar -xvzf samba-latest.tar.gz
cd samba-4.0.6
export PATH="/usr/sbin:/usr/bin:/opt/gcc/4.4.4/bin:/usr/xpg4/bin:/usr/gnu/bin"
export LDFLAGS="-L/root/samba-4.0.6/bin/shared/private -R/usr/local/samba/lib/private -L/usr/gnu/lib -R/usr/gnu/lib -L/usr/lib -R/usr/local/samba/lib"
./configure --with-ad
make
make install
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/nss_winbind.so.1
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/nss_winbind.so.2
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/libnss_winbind.so.1
crle -l /lib:/usr/lib:/etc/lib:/opt/gcc/4.4.4/lib:/usr/local/samba/lib:/usr/local/samba/lib/private

** In /usr/local/samba/etc/smb.conf added **

[global]
security = ads
realm = EXAMPLE.COM
password server = server.example.com
workgroup = EXAMPLE
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind use default domain = yes
winbind expand groups = 5
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
template homedir = /export/home/%U
template shell = /bin/bash
log file = /var/samba/samba.log
log level = 5

[test]
comment = test
path = /test
browseable = yes
writeable = yes

Then joined the domain:

/usr/local/samba/bin/net ads join -U ja...@example.com

** Installed netatalk **

** Added to /etc/pam.conf for netatalk access **

netatalk auth requisite pam_authtok_get.so.1
netatalk auth required pam_dhkeys.so.1
netatalk auth required pam_unix_cred.so.1
netatalk auth sufficient /usr/local/samba/lib/security/pam_winbind.so
netatalk account requisite pam_roles.so.1
netatalk account sufficient pam_winbind.so

Thanks for all the help everyone, it helped me get it all working in a pretty neat way in the end.

All the best,

James
Principal Consultant
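The testparm output earlier in the thread and the smb.conf in the post above share the same shape: security = ads together with a hard-coded password server (which testparm itself warns against), a single idmap range for the default domain, and the tdb allocating backend that Laurent questioned. As an added example, not code from this thread, from OpenIndiana or from Samba, here is a Python lint that parses such a config, reports those two points, and checks a set of getent passwd lines against the configured idmap range so that a winbind-mapped account whose UID has drifted outside the range shows up before files get written with it. Both inputs are constructed: the smb.conf mirrors the one posted (EXAMPLE.COM, server.example.com and the share name are placeholders), the james line is in the shape shown earlier in the thread, and the "stale" account is invented to exercise the out-of-range check.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed smb.conf modelled on the [global] sections posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
security = ads
realm = EXAMPLE.COM
password server = server.example.com
workgroup = EXAMPLE
winbind use default domain = yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
template homedir = /export/home/%U
template shell = /bin/bash

[test]
path = /test
writeable = yes
"""

# Constructed `getent passwd` output: the first line is in the shape shown in
# the thread, the second is an invented account whose UID is outside the range.
SAMPLE_GETENT = """\
james:*:16777216:16777216::/export/home/james:/usr/bin/bash
stale:*:2147483649:16777216::/export/home/stale:/bin/false
"""

IDMAP_RANGE_RE = re.compile(r"idmap config (\S+) : range$")
IDMAP_BACKEND_RE = re.compile(r"idmap config (\S+) : backend$")


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like, but '=' is the only delimiter: a ':' is part of
    keys such as 'idmap config * : range', and '%U' must not be interpolated."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def idmap_ranges(cfg: configparser.ConfigParser) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('*' is the default) to its (low, high) UID/GID range."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in cfg.items("global"):
        m = IDMAP_RANGE_RE.match(key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def lint_global(cfg: configparser.ConfigParser) -> List[str]:
    """Findings about the [global] section, each as one plain sentence."""
    g = cfg["global"]
    findings: List[str] = []
    if g.get("security", "").strip().lower() == "ads" and g.get("password server"):
        findings.append("security = ads is combined with 'password server'; testparm warns "
                        "about this, let Samba discover the DC itself")
    for key, value in g.items():
        m = IDMAP_BACKEND_RE.match(key)
        if m and value.strip().lower() == "tdb":
            findings.append(f"idmap backend for domain {m.group(1)} is tdb: IDs are handed out "
                            "first-come, so they change if the tdb is lost; rid or ad is deterministic")
    for dom, (lo, hi) in idmap_ranges(cfg).items():
        if lo >= hi:
            findings.append(f"idmap range for {dom} is empty or reversed: {lo}-{hi}")
        elif lo < 1000:
            findings.append(f"idmap range for {dom} overlaps local system accounts")
    return findings


def check_passwd_entries(getent_text: str, ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """Flag getent passwd lines whose uid or gid falls outside every idmap range."""
    findings: List[str] = []
    for line in getent_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        for label, ident in (("uid", int(uid)), ("gid", int(gid))):
            if not any(lo <= ident <= hi for lo, hi in ranges.values()):
                findings.append(f"{name}: {label} {ident} is outside every idmap range")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in lint_global(conf) + check_passwd_entries(SAMPLE_GETENT, idmap_ranges(conf)):
        print("-", f)
```

On a live box, feed it the real smb.conf and the output of getent passwd for the domain users (winbind enum users = yes is what makes that enumeration work), and treat any out-of-range hit as a mapping problem to fix before ownership lands on disk.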
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> All the rest is good but that crle line - ugh.

Ignore that, I should have deleted it out. I was using that while trying to sort out the LDFLAGS bit, but it's not necessary.

One thing in terms of the LDFLAGS line actually that you might know (I really don't compile stuff this complicated very often!) but I've currently got:

-L/root/samba-4.0.6/bin/shared/private -R/usr/local/samba/lib/private

in there. The installation copies the contents of the bin/shared/private folder in the installation directory to /usr/local/samba/lib/private, so is that the correct method, or could I have put:

-L/usr/local/samba/lib/private -R/usr/local/samba/lib/private

(i.e. would the compiler have been aware that that's where those libraries were destined for)?

Thanks,

James
Re: [OpenIndiana-discuss] Odd Samba/winbind issue
> Okay, now I am tempted. You built samba4 on oi151a7 with gcc?

Yep, it's actually pretty straightforward when you work out the requirements, there's not tons of dependencies or other bits. My final working solution (I did this in a zone, so there's a few extra bits in here that aren't needed in a global zone) was:

pkg install ar illumos-gcc gnu-binutils git gdb system/header system/library/math/header-math developer/library/lint cups wget samba gnu-patch
wget http://www.samba.org/samba/ftp/samba-latest.tar.gz
tar -xvzf samba-latest.tar.gz
cd samba-4.0.6
export PATH="/usr/sbin:/usr/bin:/opt/gcc/4.4.4/bin:/usr/xpg4/bin:/usr/gnu/bin"
export LDFLAGS="-L/root/samba-4.0.6/bin/shared/private -R/usr/local/samba/lib/private -L/root/samba-4.0.6/bin/shared -R/usr/local/samba/lib -L/usr/gnu/lib -R/usr/gnu/lib -L/usr/lib -R/usr/lib -L/lib -R/lib -L/opt/gcc/4.4.4/lib -R/opt/gcc/4.4.4/lib"
./configure --with-ad
make
make install
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/nss_winbind.so.1
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/nss_winbind.so.2
ln -s /usr/local/samba/lib/nss_winbind.so.1 /lib/libnss_winbind.so.1

If I had a bit more time I'd dig out what was installed by the samba pkg that was required by samba4, but I'll get around to that at some point. I need to get an SMF manifest sorted out a bit more urgently :-)

James.
[OpenIndiana-discuss] FC HBA
Hi all,

Just wondered if anyone could confirm something here. I've got an OI 151a7 box with a Qlogic FC card and I'm having a few issues with mpxio multipathing on there (i.e. it won't do it). One thing I wondered though, should this be using the qlc driver? The card seems to work, but I'm seeing it listed as:

/devices/pci@79,0/pci8086,3c04@2/pci1077,15d@0/fp@0,0:devctl CONNECTED
/devices/pci@79,0/pci8086,3c04@2/pci1077,15d@0,1/fp@0,0:devctl CONNECTED

I thought I should see qlc@ there rather than fp@?

Thanks,

James
Principal Consultant
www.themacplace.co.uk
Re: [OpenIndiana-discuss] FC HBA
Hi Karl,

> I think we need more information to be able to help.
> Have you enabled mpxio? Have a look at the stmsboot command.

mpxio is enabled.

> What kind of Qlogic card do you have. Oem or original Qlogic, and model.
> In "old" Sun days you could buy Sun OEM Qlogic cards that used the QLC driver
> or from Qlogic that used the QLA driver.
> So search for qla instead of qlc.

The cards are Qlogic QLE2562 cards. They actually work absolutely fine in terms of the arrays they're connected to: they show up absolutely fine in the system, and are 100% usable (all the different paths for the arrays show up for instance under format). It's just that after adding the things required into scsi_vhci.conf, and running stmsboot -e, it doesn't actually use mpxio after a reboot. The only thing that I wondered is whether the system is picking up a generic FC HBA driver rather than a specific Qlogic driver, and that's what's stopping the system using mpxio.

Thanks,

James.
Re: [OpenIndiana-discuss] FC HBA
Turns out that the settings provided by the manufacturer of the array were incorrect (typically). For what it's worth, the setting to get RamSan units using multipath is to add:

scsi-vhci-failover-override =
    "TMS RamSan", "f_sym";

Just the two lines, works fine now. The documentation I'd had from the supplier used the old device-type-scsi-options-list = and I hadn't twigged that that had been replaced with the above, so I was looking for errors in the wrong places.

Thanks for the replies, appreciate the time, and at least it was a (very) simple one in the end.

James.
[OpenIndiana-discuss] Samba4 and ZFS ACLs
Hi all,

Just as a follow up from the samba4 build (which has been working fine in terms of basic access and winbind for netatalk), has anyone had any success using Samba with ZFS ACLs?

I've built Samba (4 again) with:

--with-shared-modules=nfs4_acls,vfs_zfsacl

and in smb.conf I have:

[Share]
comment = Share
path = /tank/share
browseable = Yes
read only = No
ea support = Yes
map archive = No
map readonly = No
map system = No
vfs objects = zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
zfsacl: acesort = dontcare

But ACLs are ignored (POSIX permissions do work, though, and user accounts are seen correctly: a file created will correctly pick up the user's uid and gid).

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk
Re: [OpenIndiana-discuss] Samba4 and ZFS ACLs
Just as a bit more detail on this, the module itself does seem to be loading OK:

Loading module 'zfsacl': Trying to load from /usr/local/samba/lib/vfs/zfsacl.so
[2013/07/31 00:07:13.741651, 2] ../lib/util/modules.c:199(do_smb_load_module)
  Module 'zfsacl' loaded
[2013/07/31 00:07:13.741725, 5] ../source3/smbd/vfs.c:103(smb_register_vfs)
  Successfully added vfs backend 'zfsacl'
Successfully loaded vfs module [zfsacl] with the new modules system

No obvious errors in samba.log (log level set to 5), but it just seems to be ignoring the ACLs still.

James.
Re: [OpenIndiana-discuss] Samba4 and ZFS ACLs
OK, getting peculiar behaviour here, but no particular errors. Currently I have Samba 4.0.6 compiled with:

./configure --with-ad --with-acl-support --with-shared-modules=nfs4_acls,vfs_zfsacl

What's odd is that now, if I connect to the share, I (temporarily) have the correct and expected ACL-based access. So I can create a folder, rename a folder, delete a folder etc. Once I have done one action (i.e. created a folder called test) it's then as if it "forgets" the user's permissions and it won't let any other actions take place. So if I:

1) login to server
2) create folder test
3) rename folder test

it will fail at the third step, and any subsequent attempts (e.g. creating a test2 folder) also aren't allowed (no permission). However, if I do:

1) login to server
2) create folder test
3) logout
4) login to server
5) rename folder test

this works absolutely fine. Furthermore, if I logout and log back in another time, I can keep performing single write actions to the share with each login. So it seems as though it is *half* working: it's working for one write/modify/delete operation per user login.

James
Principal Consultant
Website: www.themacplace.co.uk
[OpenIndiana-discuss] mpt timeouts
Hi all,

Does anyone know if the current version of OpenIndiana (either 151a7 or hipster) has a fix in for this issue (in terms of mpt timeouts being honoured):

http://blogs.everycity.co.uk/alasdair/2011/05/adjusting-drive-timeouts-with-mdb-on-solaris-or-openindiana/

I had a look at the associated bugs and it looked like there wasn't a specific patch included, but I wasn't 100% sure.

Thanks,

James
Website: www.themacplace.co.uk
[OpenIndiana-discuss] VMware
Hi all,

Is anybody using OI as a data store for VMware using NFS or iSCSI?

Thanks,

James.

Sent from my iPhone
Re: [OpenIndiana-discuss] VMware
Hi Ed, Chip,

Thanks for the responses. It was basically to see whether people had been having any compatibility issues with OI as backend storage. We've seen datastore disconnects in the ESXi hosts over both iSCSI and NFS, and it seemed odd that there'd be the same problems across both protocols. It didn't really show up in testing and I've seen other people running this kind of setup without issue, so it was really a question to see if there were any other people seeing the same thing. At the same time as the hosts were seeing disconnects we had other machines using the same iSCSI targets without any errors at all, so it is all a bit odd.

Thanks,

James

On 10 Aug 2013, at 14:32, Edward Ned Harvey (openindiana) wrote:

>> From: James Relph [mailto:ja...@themacplace.co.uk]
>> Sent: Saturday, August 10, 2013 6:12 AM
>>
>> Is anybody using Oi as a data store for VMware using NFS or iSCSI?
>
> I have done both. What do you want to know?
>
> I couldn't measure any performance difference nfs vs iscsi. Theoretically,
> iscsi should be more reliable, by default setting the refreservation and
> supposedly guaranteeing there will always be disk space available for writes,
> but I haven't found that to be reality. I have bumped into full disk
> problems with iscsi just as much as nfs, so it's important to simply monitor
> and manage intelligently. And the comstar stuff seems to be kind of
> unreliable, not to mention confusing. NFS seems to be considerably easier to
> manage. So I would recommend NFS rather than iscsi.
Re: [OpenIndiana-discuss] VMware
I'll pass that on to someone actually, thanks, although would we lose pings with that (had pings running to test for a network issue and never had packet loss)? It's a bit of a puzzler!

James.

Sent from my iPhone

> On 11 Aug 2013, at 10:43, "Jim Klimov" wrote:
>
>> On 2013-08-11 11:13, James Relph wrote:
>> Hi Ed, Chip,
>>
>> Thanks for the responses, it was basically to see whether people had been
>> having any compatibility issues with Oi as backend storage. We've seen
>> datastore disconnects in the ESXi hosts over both iSCSI and NFS, and it
>> seemed odd that there'd be the same problems across both protocols. Didn't
>> really show up in testing and I've seen other people running this kind of
>> setup without issue, so it was really a question to see if there were any
>> other people seeing the same thing. At the same time as the hosts were
>> seeing disconnects we had other machines using the same iSCSI targets
>> without any errors at all, so it is all a bit odd.
>
> Maybe something with networking? Like trunked connections and some
> links going down (temporarily) and hash-routed packets to them are
> not delivered properly (until the failure is detected or link comes
> back up)? Possibly, if a master (first) interface on an aggregation
> becomes lost, there may also be fun with MAC address changes...
>
> Wild shots in the dark, though not completely without practical basis ;)
>
> HTH,
> //Jim
Re: [OpenIndiana-discuss] VMware
> Also, does your host use ipfilter to filter and/or NAT access to the
> iSCSI and NFS services?

Nope, dedicated physical 10Gb network for iSCSI/NFS traffic, with 4x 10Gb links (in an LACP bond) per device. Should be pretty solid really.

Thanks,

James.
Re: [OpenIndiana-discuss] VMware
> If I recall correctly, you can set LACP parameters that determine how fast the switch-over occurs between ports, the interval at which the interfaces send LACP packets, and more. These can be set on either the OS or switch side depending on the vendor. So if you've determined that there is nothing wrong at either the physical layer or network and above, then the link layer is your most likely culprit. Applying the process of elimination or some other methodology is most advisable for these types of troubleshooting situations.

I'll have to have a look, but the thing is that we were seeing these datastore drops while at the same time we were running pings showing no dropped packets and no significant network latency. If it was an LACP issue (ports dropping etc.) causing iSCSI issues, wouldn't we see dropped packets at the same time?

Thanks,

James.
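The question in the reply above (would an LACP problem necessarily show up as ping loss?) turns on how an aggregation pins each flow to one member link. The script below is an added illustration written for this page; it is not code from the list, from OpenIndiana, VMware, Arista or any NIC vendor. Real switches and NICs use vendor-specific hash functions and configurable policies, so the hash here is an assumed stand-in that keeps only the property that matters: every packet of a flow lands on one member, chosen from the header fields the policy hashes. The flows, addresses and port numbers are constructed. Under an L3+L4 policy an ICMP ping from a monitoring host and an iSCSI session from an ESXi host are hashed independently, so a member that stays "up" but mishandles frames can hit some iSCSI or NFS sessions while a continuous ping to the same target reports 0% loss; under a pure L3 policy, ping and iSCSI between the same two addresses always share a member.

```python
"""Illustrative flow-to-member pinning on an LACP aggregation.

Added example for this thread; not code from OpenIndiana, VMware or any
switch or NIC vendor. The hash is an assumed stand-in for vendor hashing.
"""
import hashlib
import ipaddress
from typing import Dict, List, Optional, Tuple

# (name, src_ip, dst_ip, ip_proto, src_port, dst_port)
Flow = Tuple[str, str, str, int, Optional[int], Optional[int]]

# Constructed sample: one monitoring ping, plus iSCSI (TCP 3260) and NFS
# (TCP 2049) sessions from five ESXi hosts to one storage server.
FLOWS: List[Flow] = [("ping-from-mon", "10.10.0.200", "10.10.0.1", 1, None, None)]
for i in range(5):
    esx = f"10.10.0.{11 + i}"
    FLOWS.append((f"iscsi-esx{i + 1}", esx, "10.10.0.1", 6, 50000 + i, 3260))
    FLOWS.append((f"nfs-esx{i + 1}", esx, "10.10.0.1", 6, 40000 + i, 2049))


def pick_member(policy: str, src_ip: str, dst_ip: str, proto: int,
                src_port: Optional[int], dst_port: Optional[int],
                members: int) -> int:
    """Return the index (0..members-1) of the member link this flow is pinned to."""
    if members < 1:
        raise ValueError("an aggregation needs at least one member")
    fields = [int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))]
    if policy == "L3+L4":
        # ICMP carries no ports; hash them as zero, so a host's pings hash
        # differently from that host's TCP sessions.
        fields += [proto, src_port or 0, dst_port or 0]
    elif policy != "L3":
        raise ValueError(f"unsupported hash policy {policy!r}")
    # Assumed stand-in for the vendor hash: a short, stable digest of the fields.
    digest = hashlib.blake2b(",".join(map(str, fields)).encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % members


def flows_per_member(policy: str, members: int,
                     flows: List[Flow] = FLOWS) -> Dict[int, List[str]]:
    """Group flow names by the member link they are pinned to."""
    table: Dict[int, List[str]] = {m: [] for m in range(members)}
    for name, src, dst, proto, sport, dport in flows:
        table[pick_member(policy, src, dst, proto, sport, dport, members)].append(name)
    return table


def flows_hit_by_bad_member(policy: str, members: int, bad: int,
                            flows: List[Flow] = FLOWS) -> List[str]:
    """Flows that break if member `bad` mishandles frames while staying 'up'."""
    return flows_per_member(policy, members, flows)[bad]


if __name__ == "__main__":
    for policy in ("L3", "L3+L4"):
        print(f"hash policy {policy}, 4 members:")
        for member, names in flows_per_member(policy, 4).items():
            print(f"  member {member}: {', '.join(names) or '-'}")
        print("  flows hit if member 2 misbehaves:",
              flows_hit_by_bad_member(policy, 4, 2))
```

Run it as a script to see the member assignment for both policies; the practical takeaway is that a ping test only exercises the member its own 5-tuple hashes to, so a test host should open sessions that hash like the real iSCSI and NFS traffic (same addresses and ports), or the per-member error counters should be checked directly.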
Re: [OpenIndiana-discuss] VMware
> I think we found your smoking gun. You're getting ping loss on a local network, and you're using 4x 10Gb LACP bonded network. And for some reason you say "should be pretty solid." What you've described is basically the definition of unstable, if you ask me.

No, we're not getting any ping loss, that's the thing. The network looks entirely faultless. We've run pings for 24 hours with no ping loss.

> Before anything else, know this: In LACP, only one network interface can be used per data stream. So if you have a server with LACP, then each client can go up to 10Gb, but if you have 4 clients simultaneously, they can each go up to 10Gb. You cannot push 40Gb to a single client.

Each storage server has 5 clients.

> Also, your hard disks are all 1Gbit. So every 10 disks you have in the server add up to a single 10Gb network interface. It is absolutely pointless to use LACP in this situation unless you have a huge honking server. (Meaning >40 disks).

They've got 38 disks.

> In my experience, LACP is usually unstable, unless you buy a really expensive switch

The switches are pretty expensive, we've got Arista switches and SolarFlare NICs in the servers (well, the bond is across a SolarFlare NIC and an Intel NIC).

> and QA test the hell out of your configuration before using it. I hear lots of people say their LACP is stable and reliable where they are - but it's only because they have never tested it and haven't noticed the problems. The problems are specifically as you've described. Occasional packet loss, which people tend to think is ok, but in reality, the only acceptable level of packet loss is 0%.

Yep, 0% packet loss, sorry if I've mis-worded something somewhere, but definitely no dropped packets.

> Figure out how to observe & clear the error counters on all the network interfaces. Login to the switch to measure them there ... Login to the server to measure them there ... Login to each client to measure them there. Reset them all to 0. And then start hammering the shit out of the whole system. Get all the clients to drive the network hard, both transmit and receive. If you see error counters increasing, you have a problem.

I'll double check but pretty sure that we've reset and witnessed no CRC errors over test periods, even when hammering the system.

James.
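The counter check described in the quoted advice above (snapshot, hammer the network, compare) is easy to get wrong by eyeballing a long `dladm` listing, so here is an added example, written for this page rather than taken from the list or from OpenIndiana, that does the comparison mechanically. It assumes the two snapshots were captured on the OpenIndiana side with the parseable form of `dladm show-link -s`, i.e. `dladm show-link -s -p -o link,ierrors,oerrors` (assumed invocation; output is one `link:ierrors:oerrors` line per datalink), once before and once after the load test. The sample snapshots are constructed, not captured from the poster's systems, and per-NIC CRC counters (driver-specific kstats) are out of scope. A counter that went backwards is reported rather than ignored, because a link that was cleared or re-plumbed during the run is itself a finding.

```python
"""Diff datalink error counters captured before and after a load test.

Added example for this thread; not code from OpenIndiana or the list.
Assumed capture command on the storage server:

    dladm show-link -s -p -o link,ierrors,oerrors > before.txt
    ... run the load test ...
    dladm show-link -s -p -o link,ierrors,oerrors > after.txt
"""
from typing import Dict, List, Tuple

Counters = Dict[str, Tuple[int, int]]  # link -> (ierrors, oerrors)

# Constructed sample: a 4-member aggregation (two sfxge and two ixgbe ports)
# plus the aggregation itself, which sums its members.
BEFORE_TXT = """\
sfxge0:0:0
sfxge1:0:0
ixgbe0:12:0
ixgbe1:0:0
aggr0:12:0
"""

AFTER_TXT = """\
sfxge0:0:0
sfxge1:0:3
ixgbe0:12:0
ixgbe1:0:0
aggr0:12:3
"""


def parse_snapshot(text: str) -> Counters:
    """Parse `link:ierrors:oerrors` lines (dladm -p style) into a dict."""
    counters: Counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        link, ierr, oerr = line.split(":")
        counters[link] = (int(ierr), int(oerr))
    return counters


def counter_deltas(before: Counters, after: Counters) -> Dict[str, Tuple[int, int]]:
    """Per-link (ierrors, oerrors) change between the two snapshots.

    Links missing from the earlier snapshot are treated as having started at
    zero. Negative deltas are passed through so a reset mid-run is visible.
    """
    deltas: Dict[str, Tuple[int, int]] = {}
    for link, (ie_after, oe_after) in after.items():
        ie_before, oe_before = before.get(link, (0, 0))
        deltas[link] = (ie_after - ie_before, oe_after - oe_before)
    return deltas


def suspect_links(before: Counters, after: Counters) -> List[str]:
    """Links whose error counters moved at all (grew or went backwards)."""
    return sorted(link for link, (die, doe) in counter_deltas(before, after).items()
                  if die != 0 or doe != 0)


if __name__ == "__main__":
    before, after = parse_snapshot(BEFORE_TXT), parse_snapshot(AFTER_TXT)
    for link, (die, doe) in counter_deltas(before, after).items():
        print(f"{link:8s} ierrors {die:+d}  oerrors {doe:+d}")
    print("suspect:", suspect_links(before, after))
```

On the constructed data this flags `sfxge1` and the aggregation that contains it; the same approach applies to the switch side and to each ESXi host, as the quoted advice says, with the capture command replaced by whatever those platforms use to dump per-port error counters.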
Re: [OpenIndiana-discuss] VMware (OpenIndiana-discuss Digest, Vol 37, Issue 15)
I've looked at subsystem performance and had things like zpool iostat running when the issue was occurring, and there's just nothing stressing the systems enough. Plus the OpenIndiana servers using the same servers as iSCSI targets have no iSCSI errors at the same time as VMware is freaking out. I would have expected the OI initiators to at least log a few re-writes or iSCSI errors if it was a general "the iSCSI target is misbehaving" problem.

Thanks,

James
Principal Consultant
Website: www.themacplace.co.uk

On 14 Aug 2013, at 08:33, Ong Yu-Phing wrote:

> So far we've been discussing network. How about the disk subsystem side? I've had a situation where a rebuild (RAID10 equivalent with 3x RAID1 vdevs, had to replace a faulty disk), together with an overnight snapshot and replication to another server, was "enough" to cause iSCSI timeouts.
>
> On 13/08/2013 21:18, Doug Hughes wrote:
>> We have LACP working between Force10, HP, and Cisco switches in all possible combinations with no difficulties. We do monitor and alert on excessive errors and drops for interfaces, but LACP isn't a culprit. If anything, it's an underlying interface when we find them. Also, it beats the heck out of spanning tree and is 2 orders of magnitude simpler than OSPF, and 1 order simpler and more portable than ECMP. I am quite surprised by your observations.
>>
>> Sent from my android device.
>>
>> -Original Message-
>> From: "Edward Ned Harvey (openindiana)"
>> To: Discussion list for OpenIndiana
>> Sent: Tue, 13 Aug 2013 7:22 AM
>> Subject: Re: [OpenIndiana-discuss] VMware
>>
>>> From: James Relph [mailto:ja...@themacplace.co.uk]
>>> Sent: Monday, August 12, 2013 4:47 PM
>>>
>>> No, we're not getting any ping loss, that's the thing. The network looks entirely faultless. We've run pings for 24 hours with no ping loss.
>>
>> Yeah, I swore you said you had ping loss before - but if not - I don't think ping alone is sufficient. You have to find the error counters on the LACP interfaces. Everybody everywhere seems to blindly assume LACP works reliably, but to me, simply saying the term "LACP" is a red flag. It's extremely temperamental, and the resultant behavior is exactly as you've described.
Re: [OpenIndiana-discuss] VMware (OpenIndiana-discuss Digest, Vol 37, Issue 15)
>> the same servers as iSCSI targets has no iSCSI errors at the same time as
>> VMware is freaking out
>
> Is VMware using iSCSI as well or NFS?

Tried it with both (iSCSI originally), and oddly it's basically the exact same issue (frequent disconnects) between NFS and iSCSI. You would be convinced it's network related, but nothing shows up obviously wrong in the switch logs and obviously the OpenIndiana iSCSI initiators (two of which are guest OSs on the VMware cluster!) aren't affected at all. You get a bizarre situation where VMware is complaining about iSCSI going up and down, yet the VMs themselves don't register any problems whatsoever.

Thanks,

James.