>> AD integration with the builtin CIFS server is dead easy. I've joined OI to
>> 2003/2008 and 2012 native functioning domains with no issue.
>>
> The command "smbadm join -u" runs w/o any problem. But when it comes to
> idmap I have suffered a major screw-up just two days ago that cost me
> dearly. As soon as Kerberos was configured, and * users and the
> often-mentioned basic Domain Users and Domain Administrators groups were
> added in idmap, no share including those with guest access could be
> accessed anymore. Messages was flooded with
> "smbd[1862]: [ID 801593 daemon.error] smb_idmap_batch_getmappings: Mapping not found or inhibited".
> I couldn't find a way to solve that issue.
>
> Even when I left the domain, idmap continued to run amok. idmap and smb/server
> would hang with no way to kill it until I changed the workgroup to an
> ephemeral value and flushed idmap after another re-boot of the whole
> machine. This came with a serious but sneaking degradation of CIFS shares
> access, kicking in after app. 8 hours from when I initially had left the
> domain.
>

I'm assuming you followed the Oracle docs on domain joining?
http://docs.oracle.com/cd/E23824_01/html/821-1449/configuringoperationmodetm.html

In my experience, idmap failures are a result of only a few things:

1. The username/group is misspelled somewhere in idmap. Verify in idmap list
   that it's winuser:[email protected] unixuser:user; the FQDN is required for
   the Windows user portion, IE not just domain\user or user@domain, but
   domain.com\user or [email protected].
2. Connections to the DC are failing either because of networking issues or
   because Kerberos wasn't happy about something. Usually clock skew.
3. A problem with the Windows user account: locked out/must change password
   at next logon/expired password.
4. DNS on the OI box being pointed somewhere other than a GC DC.

Check idmapping with idmap show -cV uid:UNIXUID to see what's happening when
idmap tries to do the lookup.

Is the OI box able to look up Windows hosts by shortname?

>> What is serving DNS for you?
>>
> The AD PDC.

Windows box? What version?

>> Are you using WINS?
>>
> Not on OI, not on the DCs

>> Do you have NetBIOS enabled?
>>
> No

Do the clients know this?

>> Are you using IPv6?
>>
> Deactivated on fileserver, and all DCs. Some clients don't have IPv6
> deactivated, but the issue occurs on pure IPv4 clients as well.

>> Do your XP clients face the same connection problems?
>>
> Probably related ones, yes. I am not sure if the explicit error message
> occurred there.

>> What about Windows 8?
>>
> Not enough experience yet.
>
>> You've said you still get failures when accessing by IP, correct? On all
>> clients at the same time, or sporadically across clients?
>>
> The issue is always sporadically on individual clients.
>
>> What applications are you using to access the server? IE: Are you opening
>> things through Explorer, or are you opening things through Office?
>>
> Explorer and Office. In Office the outages are more extreme.
>

See if disabling SMB security signing checks on a couple clients eliminates
the issue. Office is particularly finicky about this, and I have no idea
why. The registry changes in the Workaround section of this technet article
will do what you need. http://support.microsoft.com/kb/982860

Disabling signing will make MITM attacks easier.

>> Are you using offline files?
>>
> Not that I am aware of.
>
> Thanks for your help.
>
> With kind regards,
>
> Sebastian

--
Seconds to the drop, but it seems like hours.

http://www.openmedia.ca
https://robbiecrash.me

_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
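
Added example, not part of the thread or of any OpenIndiana tooling: a small check for item 1 of the reply above, flagging idmap rules whose Windows name is not written with a fully qualified domain. It assumes `idmap list` prints one rule per line as `add winuser:NAME unixuser:NAME`; the function names, the example.com domain and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes `idmap list` prints one rule per line in the form
#   add winuser:NAME unixuser:NAME   (or wingroup:/unixgroup:)
# check_idmap_rules and sample_rules are hypothetical helper names.

# Read rules on stdin; print every rule whose Windows name has no
# fully qualified domain (no dot in the part after "@" or before "\").
# Exit status is 1 if any such rule was found, 0 otherwise.
check_idmap_rules() {
    awk '
    match($0, /win(user|group):/) {
        rest = substr($0, RSTART + RLENGTH)
        gsub(/"[^"]*"/, "Q", rest)   # collapse quoted names with spaces
        sub(/[ \t].*/, "", rest)     # keep only the Windows name token
        at = index(rest, "@")
        bs = index(rest, "\\")
        if (at > 0)      dom = substr(rest, at + 1)
        else if (bs > 0) dom = substr(rest, 1, bs - 1)
        else             dom = ""
        if (index(dom, ".") == 0) {
            print "not fully qualified: " $0
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample rules (example.com is a placeholder domain).
sample_rules() {
    cat <<'EOF'
add winuser:alice@example.com unixuser:alice
add winuser:bob@EXAMPLE unixuser:bob
add wingroup:"Domain Users"@example.com unixgroup:staff
add winuser:EXAMPLE\carol unixuser:carol
add winuser:example.com\dave unixuser:dave
EOF
}

# On a real host: idmap list | check_idmap_rules
sample_rules | check_idmap_rules || echo "one or more rules need an FQDN"
```
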
