1 Rookie
•
41 Posts
0
2986
December 13th, 2016 04:00
OneFS 7.2.1.2 - CIFS/SMB SIDs not resolving
Hello,
I am setting up a new Isilon which currently has OneFS Version: 7.2.1.2. When I view permissions on a folder in a SMB share the SIDs only resolve about half the time:
Does anyone know how I can resolve this?
Thank you!!
JohnnyWalker1
3 Posts
1
January 4th, 2017 05:00
Yes Zbot - it indeed did!
We had to extend the AD Schema (instructions below). Not only did it correct the SID issue, it also substantially increased the speed of our end user connections to the SMB Shares.
--------
From Knowledge Base Article 16559 - OneFS: How to configure OneFS and Active Directory for RFC2307 compliance
Configure Active Directory to allow search queries on UID, GID and Alias by publishing RFC 2307 attributes to the global Catalog:
1. Log on to Windows Server Active Directory using an Administrator Account
2. Load the Active Directory Schema Snap-in
To install the Active Directory Schema Snap-in, see the following Microsoft TechNet Articles:
For Win Server 2008 RS, see Install the Active Directory Schema Snap-in
For cause: The UID attribute is not set to replicate to the AD Global Catalog and the cluster requests UID resolution to a DC without this attribute available. (this makes total sense as to why it would show names sometimes and not other times - it was hitting a DC without the UID attributes).
3. Navigate to the Attributes folder and ensure that the following check boxes are selected for each attribute:
CAUTION! Do not modify any other check boxes.
A. gidNumber: Select the Replicate this attribute to the global catalog check box.
B. uidNumber: Select the Replicate this attribute to the global catalog and the Index this attribute check boxes.
C. uid: Select the Replicate this attribute to the global catalog and the Index this attribute check boxes.
The attributes are copied to the global catalog. Depending on your system configuration, this process might take up to 24 hours to complete.
The storage team did configure RFC 2307 on the Isilon as well, prior to our doing the AD Schema update.
Please post back if this fixes your SID issue. Good Luck!!!
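Added example, not part of the original post or the KB article: a read-only PowerShell check that the three attributes from steps A-C carry the schema flags behind those check boxes. It assumes the RSAT ActiveDirectory module and read access to the schema partition; the function name Get-Rfc2307SchemaState and the $Expected table are hypothetical.

```powershell
# Added example: read-only audit of the RFC 2307 attributes named in the KB steps.
# Assumes the RSAT ActiveDirectory module and rights to read the schema partition.
Import-Module ActiveDirectory

# Expected state taken from steps A-C above. The post asks for indexing only on
# uidNumber and uid, so the index bit on gidNumber is reported but not enforced.
$Expected = [ordered]@{
    gidNumber = $false   # value = "index required"
    uidNumber = $true
    uid       = $true
}

function Get-Rfc2307SchemaState {
    param(
        [System.Collections.IDictionary]$Attributes = $Expected,
        [string]$SchemaNC = (Get-ADRootDSE).schemaNamingContext
    )
    foreach ($name in $Attributes.Keys) {
        $obj = Get-ADObject -SearchBase $SchemaNC `
            -LDAPFilter "(lDAPDisplayName=$name)" `
            -Properties isMemberOfPartialAttributeSet, searchFlags
        if (-not $obj) {
            Write-Warning "Attribute '$name' not found in schema $SchemaNC"
            continue
        }
        # isMemberOfPartialAttributeSet = "Replicate this attribute to the global catalog"
        $inGC = [bool]$obj.isMemberOfPartialAttributeSet
        # searchFlags bit 0 (value 1) = "Index this attribute"
        $indexed = (([int]$obj.searchFlags) -band 1) -eq 1
        $needIndex = [bool]$Attributes[$name]
        [pscustomobject]@{
            Attribute       = $name
            InGlobalCatalog = $inGC
            Indexed         = $indexed
            IndexRequired   = $needIndex
            Compliant       = $inGC -and ($indexed -or -not $needIndex)
        }
    }
}

$state = Get-Rfc2307SchemaState
$state | Format-Table -AutoSize
$bad = @($state | Where-Object { -not $_.Compliant })
if ($bad.Count) { Write-Warning ("Not yet as described: " + ($bad.Attribute -join ', ')) }
```

A compliant result confirms only the schema setting; the copy of the attributes into the global catalog that the post mentions can still be in progress.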
AdamFox
254 Posts
1
December 13th, 2016 06:00
That's a local SID so your Windows host most likely has no way to resolve it. It looks like a local user, most likely a UNIX user with UID 1000. If you have a valid user mapping for UID 1000 to a domain-based SID, it should resolve.
ZBoT
1 Rookie
•
41 Posts
0
December 13th, 2016 08:00
Thanks! Are you referring to these SMB security settings?
ZBoT
1 Rookie
•
41 Posts
0
December 13th, 2016 08:00
Your post got me thinking more. Here is another example:
That is my home folder and that should be resolving my Domain user account. Here are the details in my account in AD:
As you see, that doesn't match my SID. We have Unix Attributes enabled for our domain. So I looked at that tab on my account. The last part of the "SID" in the file permissions matches my UID here:
So it's like it's mapping to the Unix UID and not the Windows SID. Perhaps it is flopping back and forth between these?
Any help is much appreciated.
Thanks!!
sluetze
2 Intern
•
300 Posts
0
December 13th, 2016 08:00
Check your ACL configuration... if you configured it for NFS only / UNIX only, you have no SID ACLs on your file/folder.
ZBoT
1 Rookie
•
41 Posts
0
December 13th, 2016 11:00
I forgot to mention, that 1000 GID in the first post is "Domain Users"
# isi auth groups view --group="Domain Users"
Name: Domain Users
DN: CN=Domain Users,CN=Users,DC=lsi,DC=umich,DC=edu
SID: S-1-5-21-3088655886-3068517834-3379253519-513
GID: 1000
Domain: LSI
Sam Account Name: Domain Users
Provider: lsa-activedirectory-provider
Generated GID: No
RobChang-Isilon
136 Posts
0
December 13th, 2016 13:00
Hi zbot,
I think sluetze is referring to "On-Disk Identity" settings.
From my OneFS 8.0 cluster, it is located under the "Access" menu, then "Settings". There are 3 options available: native, unix, and sid. Use unix in environments that are UNIX-only, and sid for Windows-only environments, or native for mixed UNIX/Windows environments.
ZBoT
1 Rookie
•
41 Posts
0
December 14th, 2016 04:00
Hi RobChang! Thanks for clarifying. We have it set to native, which makes sense for our environment since we will be creating NFS/SMB mixed shares down the road.
JohnnyWalker1
3 Posts
0
December 19th, 2016 05:00
Our Isilon has the same settings as above (native), and we are seeing SIDs on some directories and the actual user name on others. Is this behavior expected???? This is only happening on Home directories - none of the other Windows shares that have Active Directory Workgroup permissions applied on the same system are exhibiting this.
RobChang-Isilon
136 Posts
0
December 19th, 2016 18:00
Hi johnnywalker & zbot,
Have you contacted DELL EMC Support regarding this type of issue? This sounds like something right up their alley.
Thanks.
JohnnyWalker1
3 Posts
0
December 20th, 2016 06:00
I put a ticket in with EMC Support on this yesterday morning. Have not heard anything from them at all about it yet.
ZBoT
1 Rookie
•
41 Posts
0
December 20th, 2016 10:00
Hi johnnywalker,
Let me know what you hear back please. Otherwise I'll open a ticket myself as well.
Thanks!
ZBoT
1 Rookie
•
41 Posts
0
January 4th, 2017 04:00
Hi johnnywalker
Did this get resolved with your ticket to EMC?
Thanks!!
ZBoT
1 Rookie
•
41 Posts
0
January 4th, 2017 11:00
Yes this seemed to fix my issue as well!!! Thank you!!!