refresh AD users/groups in OmniOS/napp-it?

Discussion in 'Solaris, Nexenta, OpenIndiana, and napp-it' started by NOTORIOUS VR, Dec 8, 2015.

  1. NOTORIOUS VR

    NOTORIOUS VR Member

    It seems that after the AD connection via napp-it, it is a little selective about which groups and users it has synced.

    Is there a way to refresh this or define certain OUs?

    Thanks!
     
    #1
  2. gea

    gea Well-Known Member

    The answer is quite complex.

    There are two philosophies for an SMB server on Unix/Linux:
    1. Reduce Windows options to a level that is Linux/Unix compatible.
    This is how SAMBA works. It gives a Windows user access to a Linux/Unix filesystem.

    2. Be as Windows compatible as possible for a Unix system,
    even when it breaks Unix conventions.

    This is what Sun/Oracle did with their CIFS server: simulate a Windows 2003 server
    from the outside view. The problems were that SMB groups are not compatible with Unix groups,
    and Windows NTFS ACLs work differently from any ACL pendant on Unix; the most similar are NFSv4 ACLs,
    but with completely different handling of deny rules.
    Unix filesystems use UID/GID for permissions (a simple number) while Windows uses SIDs,
    which are more complex, with a machine or domain reference.

    The result was:
    Solaris uses Windows SIDs for the SMB server as an extended ZFS attribute,
    adds an additional SMB group management and uses NFSv4 ACLs as they are
    Windows NTFS compatible, at least for allow rules.

    But:
    Management must be done mostly from outside; for example, you need Windows Computer
    Management to request connected users or open files.
    Permissions must be set from Windows when you need all AD users as reference.

    Local napp-it permission management can manage all "known users" and adds what you
    cannot do from Windows, like deny rules (Unix respects ACLs in order, while Windows checks
    deny rules first, then allow rules) or setting permissions independent of ACL settings.
    On Windows, you can lock out admin (must touch the ACL for re-access), while on Unix you
    cannot lock out root. A huge advantage for administration.

    Conclusion:
    Only if users are known on Solaris can you manage them completely locally;
    otherwise do this from Windows as root or as an AD user mapped to root.

    This may change with the newest Illumos updates on AD management,
    which should be available in the next OmniOS stable together with SMB 2.1.
     
    #2
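The difference in deny handling that gea describes above, as an added example (not code from the thread, from napp-it or from illumos): a small evaluator for a simplified ACE list. `eval_in_order` applies the illumos/NFSv4 rule (first applicable ACE decides), `eval_deny_first` applies the Windows rule (any applicable deny beats any allow). The ACE format `who:perms:type`, the names `alice`, `staff` and the sample ACL are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, napp-it or illumos): evaluate a
# simplified ACE list under the two rules contrasted in the post above.
# Illumos walks the ACL in order and the first ACE that names the principal
# and the permission decides; Windows applies matching deny ACEs before any
# allow ACE.
#
# Constructed ACE format (loosely modelled on `ls -V` output): who:perms:type
#   who   = a user or group name, or everyone@
#   perms = any combination of r, w, x
#   type  = allow | deny

# Constructed sample ACL: alice is allowed everything, then the group staff
# (which alice belongs to) is denied write, then everyone may read.
SAMPLE_ACL='alice:rwx:allow
staff:w:deny
everyone@:r:allow'

# Shared matcher: prints the type (allow/deny) of every ACE that applies to
# user $2 with groups $3 (space separated) for permission $4, in ACL order.
matching_aces() {
    printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" -v perm="$4" '
        BEGIN {
            isgrp["everyone@"] = 1            # everyone@ applies to all principals
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) isgrp[g[i]] = 1
        }
        NF {
            split($0, f, ":")
            if (f[1] != user && !(f[1] in isgrp)) next
            if (index(f[2], perm) == 0) next
            print f[3]
        }'
}

# Illumos/NFSv4 order: the first applicable ACE wins; no applicable ACE means deny.
eval_in_order() {
    first=$(matching_aces "$@" | head -n 1)
    printf '%s\n' "${first:-deny}"
}

# Windows style: any applicable deny wins over any allow; no ACE means deny.
eval_deny_first() {
    aces=$(matching_aces "$@")
    case "$aces" in
        *deny*)  printf 'deny\n' ;;
        *allow*) printf 'allow\n' ;;
        *)       printf 'deny\n' ;;
    esac
}

# Demo: the same request gets opposite answers under the two rules, which is
# why a deny ACE placed after an allow ACE does nothing on illumos.
echo "alice write, in order  : $(eval_in_order  "$SAMPLE_ACL" alice staff w)"
echo "alice write, deny first: $(eval_deny_first "$SAMPLE_ACL" alice staff w)"
```

The practical consequence for an ACL edited from Windows: the Windows security dialog reorders ACEs canonically (denies first), so a deny that "works" there may land behind an allow when written from the Unix side, and on illumos it is then never reached.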
  3. NOTORIOUS VR

    NOTORIOUS VR Member

    Well, thank you for the detailed explanation, Gea!

    I must say, though, on my old server with OI, napp-it was able to completely map all my "extra" groups etc. without issue, so that's why I was surprised that not all of the users and groups showed up. It seems like it's completely random what OmniOS is detecting from my AD server.

    Either way, I did map my root group to my Domain Admins group so I can manage ACLs via Windows, so I will try that now.

    Regards,
    Sascha

    EDIT: Well, even with idmap mapped as root user, I cannot set any permissions for some reason?

    (two screenshots attached in the original post)
     
    #3
    Last edited: Dec 9, 2015
  4. gea

    gea Well-Known Member

    OmniOS and OI Hipster are quite up to date with Illumos development,
    while OI 151a is a freeze of a quite old state.

    What I would check:
    - is the ACL on the share set to full access
    - does root have full access for files and folders
    - is aclmode set to pass-through

    What happens if you reset the ACL recursively to a set with root=full in napp-it and then set this ACL?
     
    #4
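gea's checklist above (share ACL, root's access on files and folders, aclmode) plus the root mapping from the earlier posts, as an added audit script that is not from the thread or from napp-it. Each check parses captured command output, so it runs offline on the constructed samples below; `audit_live` runs the real `zfs get`, `idmap list` and `ls -V` on an illumos host. Assumptions: "pass-through" means the ZFS property value `passthrough` (checked for both `aclmode` and `aclinherit`), the dataset name `tank/share` and the domain `example.local` are placeholders, and the sample output lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or napp-it): audit the settings gea lists
# in post #4 plus the root mapping from posts #2 and #3, parsing captured
# command output so the checks also run on a machine without ZFS.
# Assumption: "pass-through" means the ZFS property value "passthrough".
WANT_ACLMODE=passthrough
WANT_ACLINHERIT=passthrough

# $1 = output of: zfs get -H -o name,property,value aclmode,aclinherit <dataset>
# Prints one line per deviation; exit status 0 means both properties match.
audit_acl_props() {
    printf '%s\n' "$1" | awk -F '\t' -v am="$WANT_ACLMODE" -v ai="$WANT_ACLINHERIT" '
        $2 == "aclmode"    && $3 != am { print $1 ": aclmode=" $3 " (want " am ")"; bad++ }
        $2 == "aclinherit" && $3 != ai { print $1 ": aclinherit=" $3 " (want " ai ")"; bad++ }
        END { exit (bad ? 1 : 0) }'
}

# $1 = output of: idmap list
# Exit status 0 when some rule maps a Windows user onto the Unix root user
# (a wildcard rule "unixuser:*" does not count).
has_root_mapping() {
    printf '%s\n' "$1" | grep -q 'unixuser:root[[:space:]]*$'
}

# $1 = output of: ls -Vd <path>
# Exit status 0 when an allow ACE for user:root has no "-" in its permission
# field, i.e. root holds the complete NFSv4 permission set on that object.
root_has_full_ace() {
    printf '%s\n' "$1" | awk -F: '
        { sub(/^[ \t]+/, "") }                 # ls -V indents the ACE lines
        $1 == "user" && $2 == "root" && $5 == "allow" && index($3, "-") == 0 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Live mode for an illumos host: $1 = dataset, $2 = mounted path.
audit_live() {
    audit_acl_props "$(zfs get -H -o name,property,value aclmode,aclinherit "$1")" \
        || echo "fix with: zfs set aclmode=$WANT_ACLMODE $1 ; zfs set aclinherit=$WANT_ACLINHERIT $1"
    has_root_mapping "$(idmap list)" || echo "no idmap rule maps a Windows user to unixuser:root"
    root_has_full_ace "$(ls -Vd "$2")" || echo "root has no full-access allow ACE on $2"
}

# Constructed sample output, shaped like the three commands print it.
SAMPLE_ZFS_BAD=$(printf 'tank/share\taclmode\tgroupmask\ntank/share\taclinherit\tpassthrough\n')
SAMPLE_ZFS_GOOD=$(printf 'tank/share\taclmode\tpassthrough\ntank/share\taclinherit\tpassthrough\n')
SAMPLE_IDMAP='add winuser:*@example.local unixuser:*
add winuser:administrator@example.local unixuser:root'
SAMPLE_LS='d---------+  2 root     root           2 Dec  9  2015 /tank/share
                 user:root:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow'

# Demo on the samples: the "bad" dataset is reported, the rest passes.
audit_acl_props "$SAMPLE_ZFS_BAD" || echo "-> sample dataset needs aclmode fixed"
has_root_mapping "$SAMPLE_IDMAP" && echo "-> sample idmap maps a Windows user to root"
root_has_full_ace "$SAMPLE_LS" && echo "-> sample ACL grants root full access"
```

With `aclmode=groupmask` (the default on older releases), a `chmod` run on the dataset rewrites the ACEs and can silently strip what was set from Windows; that is the first thing the audit flags. The root-mapping check is deliberately strict about `unixuser:root`: a group mapping alone, as in post #3, does not make the Windows account root for ACL purposes.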