List: opensolaris-storage-discuss
Subject: Re: [storage-discuss] [b84] can not browse domain security
From: "Nick Ross" <nick.ross () acsacs ! com>
Date: 2008-03-19 17:50:03
Message-ID: B614C79A155FCC4EACC0249BA54AA1D20BCD7A () ESCALADE-EXCH ! acsacs ! com
The Windows client is one of the domain controllers. We have also tried this on a Windows Server 2008 node, a Vista node, and an XP node, all members of the domain.
Again, we can browse and assign permissions for *any* other domain member server and/or CIFS integrated storage array.
This occurs only from shares on the b84 node, regardless of the domain member system that we use.
Best Regards,
Nick Ross
________________________________
From: Natalie Li [mailto:Natalie.Li@Sun.COM]
Sent: Tue 3/18/2008 6:00 PM
To: Nick Ross
Cc: storage-discuss@opensolaris.org; linda kateley; Bob.Netherton@Sun.COM; Josh Wells; John.Ruhoff@Sun.COM
Subject: Re: [storage-discuss] [b84] can not browse domain security principles
Nick Ross wrote:
> We are unable to browse domain security principles for applying
> resource permissions.
>
> When we go to add either a user or group to a folder or file security
> DACL, the 'Locations' option is set to the solaris box (in this case
> 'sjm-b84'). Usually on other Windows servers, storage arrays (e.g.
> NetApp), solaris 10 or linux based file server we can change the
> location to include the domain so that we can add permissions for
> users or groups in the domain to the share on the file server.
> However, thus far the only location that can be selected has been the
> Solaris b84 node.
Is your Windows client joined to the same domain as well? If not, it
explains why you only see users/groups that are local to your Solaris b84
node.
Try by joining your client to the same domain to see if it resolves your
problem.
>
> The multi-domain controller environment is configured to best
> practices, we can browse and search the directory from both Windows
> and non-Windows operating systems, and the SAMBA server in Solaris 10
> can actually search against the domain. In other words, we've
> isolated the only variable to the b84 instance in regards to this problem.
>
> The b84 node was able to join the domain successfully without issue.
> In trying to configure the CIFS client, "sharectl set -p
> ads_domain=<domain>" fails with "ads_domain: not defined".
The ads_domain property along with many other ADS related properties are
obsolete as of snv_79. Thus, you don't need to manage them via sharectl
CLI.
Regards,
Natalie
>
> Domain consists of three Windows 2003 Servers; member servers have
> various operating systems: Windows 2008, Windows Vista, Windows XP,
> Solaris 10, Solaris 9, SuSE 10, RHEL4, RHEL5, Ubuntu 7.
>
> # sharectl get smb
> system_comment=
> max_workers=64
> netbios_scope=
> lmauth_level=4
> keep_alive=5400
> wins_server_1=
> wins_server_2=
> wins_exclude=
> signing_enabled=false
> signing_required=false
> restrict_anonymous=false
> pdc=
> ads_site=
> ddns_enable=false
> autohome_map=/etc
> # smbadm list
> security mode: domain
> domain name: hb.acsportal.com
> /etc/resolv.conf and /etc/krb5/krb5.conf are attached.
>
> Suggestions and assistance are appreciated!
>
> Best Regards,
> Nick Ross
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> storage-discuss mailing list
> storage-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/storage-discuss
>
>