Post by andrewphilipsmith on Feb 11, 2011 19:31:26 GMT 7
Hello,
I've been trying to get consistent idmapping working for my N8800Pro. Judging by this and various other Thecus forums I'm not the only one. I've managed to find a method for doing this that doesn't require hacking the NAS firmware. I've posted it here in the hope it is helpful for someone - YMMV.....
Broadly the situation is that my NAS and various other Linux (CentOS 5.5) servers are all members of an Active Directory. In order to mount folders on the NAS onto a CentOS server using NFS, both the NAS and the CentOS server must map Windows SIDs to Unix user UIDs and group GIDs in a consistent and predictable manner.
NAS details:
Model N8800Pro, Firmware 3.03.00.4, Samba v3.4.3
root@127.0.0.1:~# uname -a
Linux my-nas-box 2.6.23N7700 #1 SMP Fri May 21 13:26:56 CST 2010 i686 unknown
Other linux details:
CentOS release 5.5 (Final), Samba v3.3.8-0.52.el5_5.2
$ uname -a
Linux my-other-linux 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
So poking around on the NAS (using the SYSUSER and SSHD modules) I get something that looks like this:
Get the SID of the domain:
root@127.0.0.1:~# /opt/samba/bin/wbinfo --domain-info MYWINDOMAIN
Name : MYWINDOMAIN
Alt_Name : MYWINDOMAIN.local
SID : S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Active Directory : Yes
Native : Yes
Primary : Yes
Get the UID, GID and SID of a user:
root@127.0.0.1:~# /opt/samba/bin/wbinfo -i myuser
myuser:*:87857:85227:MyUser:/home/MYWINDOMAIN/myuser:/bin/false
root@127.0.0.1:~# /opt/samba/bin/wbinfo -n myuser
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-3143 User (1)
Get the UID, GID and SID of a different user:
root@127.0.0.1:~# /opt/samba/bin/wbinfo -i myuser2
myuser2:*:87896:85227:MySecoundUser:/home/MYWINDOMAIN/myuser2:/bin/false
root@127.0.0.1:~# /opt/samba/bin/wbinfo -n myuser2
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-3182 User (1)
Get the SID of the "domain users" group (even though we could work this out using the domain SID and this page support.microsoft.com/kb/243330):
root@127.0.0.1:~# /opt/samba/bin/wbinfo -n domain\ users
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513 Domain Group (2)
Summary:
myuser
sid suffix = 3143
uid 87857
myuser2
sid suffix = 3182
uid 87896
domain users
sid suffix = 513
gid 85227
therefore:
uid or gid = sid-suffix + 84714
So 84714 is the magic number - not sure where it comes from though. The various "idmap" parameters in the samba smb.conf file *should* control how the uid/gid and sids map to one another. However, when we look at the config file:
root@127.0.0.1:~# more /etc/samba/smb.conf | grep idmap
idmap uid = 20000-60000000
idmap gid = 20000-60000000
idmap backend = rid:MYWINDOMAIN=20000-60000000
(Note that there are various copies of smb.conf on certain Thecus boxes and firmware combinations - see these posts:
forums.hexus.net/thecus-care-hexus/117081-n5200b-pro-manually-configuring-samba.html
forum.thecus.com/viewtopic.php?f=34&t=1026
naswebsite.com/wiki/Thecus_N41000PRO_Tweaking_Samba
)
The config file parameters would imply that UIDs and GIDs should start at 20000 (uid or gid = sid-suffix + 20000) but clearly that is not the case. It is possible that the "base_rid" parameter is getting set somewhere else, but I couldn't find it (see www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html). I tried applying the same idmap parameters to the smb.conf on my CentOS box but that gave me the uids I expected (i.e. 23143, 23182 and 20513), not the ones that the Thecus box gives.
Another option at this point is to install the IMGDUP module on the Thecus and edit the script (/img/bin/rc/assemble_conf) that re-writes the smb.conf on reboot. Clearly some other people have got this to work (see forums.hexus.net/thecus-care-hexus/117081-n5200b-pro-manually-configuring-samba.html). Sadly I did not; besides, messing around with the firmware like this is a bit hairy, simply to get SMB and NFS to work simultaneously.
Eventually I tried this: I edited the smb.conf on each of my CentOS machines, adding in these lines and commenting out any conflicting lines:
idmap uid = 84714-60000000
idmap gid = 84714-60000000
idmap config MYWINDOMAIN:backend = rid
idmap config MYWINDOMAIN:base_rid = 0
idmap config MYWINDOMAIN:range = 84714-60000000
I then rebooted each machine and whilst logged in as a non-AD user, I ran:
# sudo net cache flush
This had the desired effect that my NAS and CentOS machines now map the same SIDs to the same UID/GIDs. However there are a few caveats:
- Note this required commenting out the "idmap uid = 16777216-33554431" and "idmap gid = 16777216-33554431" lines which are inserted in the authconfig section of smb.conf. I'll wait and see what happens next time I need to upgrade/edit/change any authconfig settings.
- Because this changed the UID and GIDs on my centos machines I needed to chown any files owned by any AD-users or groups. Not too much hassle in my case, but could be a pain on more populated servers.
- I still have no idea where the value 84714 comes from. Nor do I know if it is consistent across different Thecus models/firmware versions or different domains. (Of course possibly I should be looking for 64714 since the thecus' smb.conf specifies a start range of 20000.)
- This solution is not scalable. If you have a second device on your network which, like the Thecus, has an embedded version of Samba (meaning that you don't have full control of samba's plugins or config file), and that uses different (arbitrary) parameters to the Thecus, then you might be out of luck. This only works for me because I can make everything on my network work around the peculiarities of the Thecus, rather than make the Thecus fit my network.
I'd add my voice to those who have already suggested that the Thecus WebUI should give some options to allow users to specify some of the idmap parameters suitable for their networks. Also it would be helpful if it were possible to see where the Thecus is getting its parameters, because it seems to use more than just the smb.conf file.
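The arithmetic the post works out by hand (RID plus a fixed offset) is exactly the idmap_rid mapping from the Samba man page it links: ID = RID - BASE_RID + LOW_RANGE_ID. The script below is an added example, not code from the post or from Thecus or Samba; it parses the wbinfo answers quoted above (reproduced here as constructed sample input, with the post's own "xxxxxxxxxx" placeholders kept in the domain SID), infers the offset a host is actually applying, and checks whether a proposed idmap range reproduces every observed UID and GID. The function and variable names are my own. The reason this check matters is that NFS trusts the numeric IDs on the wire, so two hosts that disagree on the mapping silently attribute files to the wrong user or group; running a check like this against each host's wbinfo output before exporting anything over NFS catches that.

```python
# Constructed sample input: the wbinfo answers quoted in the post, with the
# post's own "xxxxxxxxxx" placeholders left in the domain SID.
DOMAIN_SID = "S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx"
WBINFO_N = {                     # output of: wbinfo -n <name>
    "myuser":       DOMAIN_SID + "-3143 User (1)",
    "myuser2":      DOMAIN_SID + "-3182 User (1)",
    "domain users": DOMAIN_SID + "-513 Domain Group (2)",
}
WBINFO_I = {                     # output of: wbinfo -i <user>
    "myuser":  "myuser:*:87857:85227:MyUser:/home/MYWINDOMAIN/myuser:/bin/false",
    "myuser2": "myuser2:*:87896:85227:MySecoundUser:/home/MYWINDOMAIN/myuser2:/bin/false",
}


def rid_of(wbinfo_n_line):
    """Return the RID, i.e. the last sub-authority of the SID in a 'wbinfo -n' answer."""
    sid = wbinfo_n_line.split()[0]
    if not sid.startswith("S-1-5-21-"):
        raise ValueError("not a domain SID: " + sid)
    return int(sid.rsplit("-", 1)[1])


def uid_gid_of(wbinfo_i_line):
    """Return (uid, gid) from the passwd-style line printed by 'wbinfo -i'."""
    fields = wbinfo_i_line.split(":")
    return int(fields[2]), int(fields[3])


def rid_to_id(rid, range_low, base_rid=0):
    """idmap_rid mapping as documented in the Samba idmap_rid man page:
    ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + range_low


def infer_offset(rid, observed_id):
    """Offset a host is actually applying (LOW_RANGE_ID - BASE_RID), derived
    from one RID and the numeric ID winbind reported for it."""
    return observed_id - rid


def check_consistency(range_low, base_rid=0):
    """Compare the idmap_rid prediction for a given range with the IDs winbind
    reported. Returns name -> (predicted_id, observed_id)."""
    results = {}
    for name, line in WBINFO_I.items():
        uid, _gid = uid_gid_of(line)
        results[name] = (rid_to_id(rid_of(WBINFO_N[name]), range_low, base_rid), uid)
    # Both users' primary group is "domain users" (RID 513); its GID is the
    # fourth passwd field of either user's 'wbinfo -i' line.
    _uid, gid = uid_gid_of(WBINFO_I["myuser"])
    results["domain users"] = (
        rid_to_id(rid_of(WBINFO_N["domain users"]), range_low, base_rid), gid)
    return results


def all_consistent(range_low, base_rid=0):
    """True only if every observed UID/GID matches the prediction; False means
    a host configured with this range would disagree with the NAS over NFS."""
    return all(pred == obs
               for pred, obs in check_consistency(range_low, base_rid).values())


if __name__ == "__main__":
    offset = infer_offset(rid_of(WBINFO_N["myuser"]),
                          uid_gid_of(WBINFO_I["myuser"])[0])
    print("offset the NAS applies:", offset)          # 84714, as in the post
    for low in (20000, offset):
        print("range low %d reproduces NAS ids: %s" % (low, all_consistent(low)))
```

With the post's numbers, `infer_offset` returns 84714, the range the NAS's own smb.conf advertises (low 20000) fails the check with the 23143/23182/20513 values the post saw on CentOS, and the range the post ended up using (low 84714, base_rid 0) reproduces all three IDs. On a live host the two dictionaries would be filled from `wbinfo -n` and `wbinfo -i` for the same set of principals on each machine.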