Identity Mapping Troubleshooting

From Genunix


For related troubleshooting information, see the following:

For more information about Solaris CIFS, see the following:

Viewing Identity Mapping Service Property Settings

The identity mapping service uses the svccfg(1M) command to set properties. Before you change property values, you should view the current property settings.

To view configuration properties related to the idmap service, run one of the following commands:

  • # svccfg -s idmap listprop "config/*"
  • # svcprop -p config svc:/system/idmap

To view all properties related to the idmap service, run one of the following commands:

  • # svccfg -s idmap listprop
  • # svcprop svc:/system/idmap

Saving and Restoring Name-Based Mapping Rules

You might need to back up and restore your name-based mapping rules.

For more information about the idmap export, idmap import, and idmap list commands, see the idmap(1M) man page.

To back up the rules, perform the following steps:

  1. Save your name-based mapping rules in one of the following ways:
    • Export the rules.

      # idmap export -f output-file format
    • List the rules.

      # idmap list >output-file
  2. Disable the idmap service.

    # svcadm disable idmap
  3. Remove the idmap.db databases.

    # rm /var/idmap/idmap.db /var/run/idmap/idmap.db
  4. Reboot the system.

To restore the rules, use the mapping rule output you saved during the backup procedure. Do one of the following to restore based on your backup method:

  • Use the idmap import command.

    # idmap import -f input-file format
  • Use the idmap list command.

    Run output-file as a shell script.

    # sh ./output-file
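The backup and restore procedure above is easy to get wrong in one specific way: step 3 deletes the only copy of the rules, so an export that failed or silently produced an empty file loses every name-based mapping. The following script is an added example, not from this page or from the idmap project, that performs the backup, refuses to remove the databases unless the export file actually holds rules, and provides the matching restore. It assumes the idmap and svcadm commands described on this page; the usermap.cfg format is one of the formats idmap export and import accept, and the BACKUP_DIR, IDMAP_DB_FILES and IDMAP_FORMAT variables and the function names are this script's own.

```shell
#!/bin/sh
# Added example (not the Genunix page's own code): safe idmap rule backup.
# Assumes: idmap(1M) and svcadm(1M) as documented on the page.
# BACKUP_DIR, IDMAP_DB_FILES, IDMAP_FORMAT and the function names are
# this script's own conventions.

BACKUP_DIR=${BACKUP_DIR:-/var/tmp/idmap-backup}
IDMAP_DB_FILES=${IDMAP_DB_FILES:-"/var/idmap/idmap.db /var/run/idmap/idmap.db"}
IDMAP_FORMAT=${IDMAP_FORMAT:-usermap.cfg}

# Export the name-based mapping rules to $1.
# Returns 0 only if the export succeeded and the file holds at least one
# non-comment line; 1 if the export failed; 2 if it produced no rules.
backup_idmap_rules() {
    file="$1"
    mkdir -p "$(dirname "$file")" || return 1
    idmap export -f "$file" "$IDMAP_FORMAT" || return 1
    [ -s "$file" ] || return 2
    # count lines that are neither blank nor comments
    rules=$(grep -v '^[[:space:]]*#' "$file" | grep -c '[^[:space:]]' || :)
    [ "$rules" -gt 0 ] || return 2
}

# Steps 1 to 3 of the page's procedure: back up, disable idmap, remove the
# databases.  Nothing is disabled or removed unless the backup is usable.
# Prints the path of the backup file; the reboot (step 4) is left to you.
reset_idmap_db() {
    stamp=$(date +%Y%m%d%H%M%S)
    file="$BACKUP_DIR/idmap-rules.$stamp"
    if ! backup_idmap_rules "$file"; then
        echo "backup failed or contains no rules; databases left untouched" >&2
        return 1
    fi
    svcadm disable idmap || return 1
    for db in $IDMAP_DB_FILES; do
        [ -f "$db" ] && rm "$db"
    done
    echo "$file"
}

# Restore from a file written by backup_idmap_rules.
restore_idmap_rules() {
    file="$1"
    [ -r "$file" ] || return 1
    idmap import -f "$file" "$IDMAP_FORMAT"
}
```

Run `reset_idmap_db` as root, reboot, then `restore_idmap_rules /var/tmp/idmap-backup/idmap-rules.<stamp>` once the service is back. Pointing IDMAP_DB_FILES and BACKUP_DIR at scratch locations lets you rehearse the procedure without touching the live databases.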

Viewing Details About Mappings

If you encounter unexpected mapping results, use the idmap dump and idmap show commands to gather data. Each command has a -v option that produces detailed information about mappings.

For more information, see “How to Show All Established Mappings” and “How to Show a Mapping for a Particular Identity” in the Solaris CIFS Administration Guide.

idmap Commands Issue Domain not found Error

This problem was introduced in Solaris Express Community Edition (SXCE) Build 90.

The idmap show command issues a Domain not found error.

For example, the following commands issue the Domain not found error:

# idmap show -c uid:20000
Mappings not obtained because of RPC problem (Domain not found)
# idmap show -c unixuser:cuser
unixuser:cuser -> winname:
Error: Domain not found

To work around this problem, set the default_domain property to any value, and then refresh the idmap service.

# svccfg -s idmap setprop config/default_domain = astring: any-value
# svcadm refresh idmap

Cannot Add Local Users and Groups to ACLs

You might encounter problems on Windows XP or Vista systems when attempting to add local users and groups to ACLs.

The problem is caused by a mismatch between the number of subauthorities in a system SID generated by a Solaris system and a Windows system. A Windows system SID has four subauthorities and a Solaris system SID has five.

To work around the problem, update the system running the Solaris CIFS service to at least Solaris Express Community Edition Build 94. Then remove the config/machine_sid property so that the idmap service regenerates a system SID with four subauthorities:

# svccfg -s idmap delprop config/machine_sid
# svcadm restart idmap
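Before applying the workaround, it helps to confirm that the machine SID really has the five-subauthority layout described above, and to confirm afterwards that the regenerated one has four. The following shell functions are an added example, not code from this page or from the idmap project: they count the subauthorities in an SID string (everything after the `S-1-<authority>` prefix) and read config/machine_sid through svcprop, whose property name comes from this page. The function names and the sample SIDs in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not the Genunix page's own code): check the number of
# subauthorities in the idmap machine SID.  The config/machine_sid
# property is the one named on the page; function names are this
# script's own.

# Print the number of subauthorities in an SID written as
# S-1-<authority>-<sub1>-...-<subN>; return 1 if $1 is not an SID.
# Constructed sample: S-1-5-21-1000000001-2000000002-3000000003 -> 4
sid_subauth_count() {
    printf '%s\n' "$1" | awk -F- '
        $1 != "S" || $2 != "1" || NF < 4 { exit 1 }
        {
            for (i = 3; i <= NF; i++)
                if ($i !~ /^[0-9]+$/) exit 1
            print NF - 3
        }'
}

# Return 0 if the SID has the four subauthorities a Windows system expects
# in a system SID, 1 otherwise (including a malformed SID).
machine_sid_ok() {
    n=$(sid_subauth_count "$1") || return 1
    [ "$n" -eq 4 ]
}

# Read the idmap service's machine SID and report whether it is usable.
check_idmap_machine_sid() {
    sid=$(svcprop -p config/machine_sid svc:/system/idmap) || return 1
    if machine_sid_ok "$sid"; then
        echo "machine SID $sid has four subauthorities"
    else
        echo "machine SID $sid does not have four subauthorities;" \
             "delete config/machine_sid and restart idmap" >&2
        return 1
    fi
}
```

A property that is absent (after `svccfg delprop`) makes svcprop fail, so `check_idmap_machine_sid` returns 1 until idmap has been restarted and has written a new SID.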

Handling Unresolvable SID Mapping

The idmap service maps between Windows identities and Solaris identities. Mappings can be made by name (user names and group names) or by identifier (SIDs, UIDs, and GIDs).

The idmap service can map only identities that can be resolved. If a security descriptor contains SIDs that the available domain controllers cannot resolve, for example because the files were imported from a foreign domain, access to those files can fail.

As a workaround, you can enable unresolvable SID mapping by setting the unresolvable_sid_mapping property to true and by refreshing the idmap service.

To enable the mapping of unresolvable SIDs, do the following:

# svccfg -s idmap setprop config/unresolvable_sid_mapping = boolean: true
# svcadm refresh idmap
