Bug #150
idmap fails for unknown unixuser (and produces "Internal error")
| Status: | New | Start: | May 26, 2011 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
Posted this to the forum, but no replies yet...
Running CE 3.0.5 with LDAP and AD. Everything appears to be working ok.
We have the following idmap entries:
winuser:*@lle.rochester.edu == unixuser:*
winuser:*@lle.rochester.edu => unixuser:nobody
winuser:bofh@lle.rochester.edu == unixuser:root
When copying a file that has an owner in AD that doesn't exist in LDAP, we get the error:
File creation error - No mapping between account names and security IDs was done.
For example, the user "dabe" exists in AD (and happens to be disabled, but I've tried it both ways). The command "idmap show -cV dabe@lle.rochester.edu" produces the following output:
Error: Internal error
Failed Method: Name Rule
Rule: add winname: unixgroup:""
Trace:
winname dabe@lle.rochester.edu -> unknown - Start mapping
winname dabe@lle.rochester.edu -> unixname - Not a well-known account
winname dabe@lle.rochester.edu -> unixname - Not a local SID
winname dabe@lle.rochester.edu -> unixname - Not found in mapping cache
winname dabe@lle.rochester.edu -> unixname - Not found in name cache
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixname - Found with LSA
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixuser - Matching rule: *@lle.rochester.edu -> *
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixuser - Looking up dabe error=-9999
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixuser - Rule processing error, code=-9999
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixuser - Rule-based mapping error=-9999
winuser dabe@lle.rochester.edu S-1-5-21-2047304932-763628285-134157935-9758 -> unixuser 60001 Error -9999 - Done
You can work around the issue by creating idmap entries for EVERY user that doesn't exist in LDAP, e.g. an explicit entry for the user "dabe" (above) resolves the issue:
winuser:dabe@lle.rochester.edu => unixuser:nobody
This can be quite difficult to maintain and causes significant issues when attempting to migrate from a Windows CIFS server to Nexenta.
History
Updated by Gordon Ross about 1 year ago
The configuration above looks odd to me. I'm not sure how the 2nd entry (the one with "nobody") would work.
In general I don't recommend "wildcard name-based mapping" as shown in the first entry, unless you really need it, i.e. when you're also exporting the same files via NFS and want Unix owners to show up there.
If that's not the case, I suggest just removing the * rules from idmap, and "take ownership" of files belonging to each user. Of course, that's some work if you already have a lot of user files stored.
If you're going to stick with wildcard name-based mapping, then all of your CIFS (AD) users need to have mappings, either found via the wildcard (*) rules or with explicit entries. So the other way you could fix this is to add explicit mappings for the users that are seeing these errors.
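Both the reporter's workaround and the last suggestion above come down to the same chore: an explicit `winuser:NAME@domain => unixuser:nobody` rule for every AD account that has no Unix account of the same name, so the `*` rule is never reached for it. The script below is an added example (not part of the bug report, and not Nexenta or illumos code) that generates those `idmap add` commands. The domain, the AD user list, the LDAP user list and the list of users that already have an explicit rule are constructed sample data; on the appliance you would feed it an export of the AD accounts, `getent passwd` output, and the names already present in `idmap list`. It only prints the commands, so you can review them before running them on the Nexenta host, and it must be re-run whenever accounts are added in AD.

```shell
#!/bin/sh
# Added example: emit explicit idmap rules for AD users with no Unix account.
# Everything below the comments is constructed sample data, not real
# directory output.

DOMAIN="lle.rochester.edu"

# Constructed sample: AD account names, one per line (stand-in for an
# export from the domain; duplicates are tolerated).
AD_USERS="bofh
dabe
alice
dabe"

# Constructed sample: Unix accounts known to LDAP (stand-in for
# `getent passwd | cut -d: -f1` on the appliance).
LDAP_USERS="root
alice
nobody"

# Constructed sample: AD users that already have an explicit idmap rule
# (stand-in for the winuser names parsed out of `idmap list`), e.g. the
# bofh -> root rule from the report.
EXPLICIT_MAPPED="bofh"

# in_list LIST NAME: exit 0 if NAME is an exact line of LIST.
in_list() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# gen_idmap_rules: print one `idmap add` command per AD user that has
# neither a same-named Unix account nor an existing explicit rule, mapping
# it to unixuser:nobody. Users that do exist are left to the * == * rule.
gen_idmap_rules() {
    printf '%s\n' "$AD_USERS" | sort -u | while IFS= read -r u; do
        [ -n "$u" ] || continue
        if in_list "$LDAP_USERS" "$u"; then
            continue
        fi
        if in_list "$EXPLICIT_MAPPED" "$u"; then
            continue
        fi
        printf "idmap add 'winuser:%s@%s' 'unixuser:nobody'\n" "$u" "$DOMAIN"
    done
}

# count_missing: number of rules gen_idmap_rules would emit, as a bare number.
count_missing() {
    gen_idmap_rules | wc -l | tr -d ' '
}

gen_idmap_rules
```

With the sample data only `dabe` qualifies: `alice` has an LDAP account and `bofh` already has its explicit rule. Mapping every unknown AD user to `nobody` does make all of their files show a single owner, which is the trade-off the comment above is pointing at when it suggests dropping the `*` rules and taking ownership instead.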