winbind sid mappings


Ryan Palamara

Feb 6, 2015, 8:16:14 AM2/6/15
to isilon-u...@googlegroups.com
I saw a post dated from 2013 that referred to a script that Isilon support wrote that mapped the UIDs to SIDs to match what winbind does. The script was not posted, but I am hoping someone else here may have a copy. Does anyone here know about this script?

John Beranek - PA

Feb 6, 2015, 8:59:00 AM2/6/15
to isilon-u...@googlegroups.com
I opened an SR on this topic (RID-based ID mapping) last year, and it came to no conclusion at all.

No solution was offered other than populating our AD with POSIX attributes.

Cheers,

John

Richard Kunert

Feb 6, 2015, 12:01:25 PM2/6/15
to isilon-u...@googlegroups.com
The original post was mine. Here is the script, which we call uidmap.sh. Basically it sucks in all of the accounts from AD and makes corresponding users and groups on the Isilon. It uses the same logic as RID mapping (take the last part of the SID and add a constant) to generate the UIDs and GIDs. It was originally provided by Isilon as an unsupported AS IS solution (so don’t ask them for help with it). Since then I’ve modified it a couple of times to accommodate changes in OneFS commands; other than that it’s run entirely without issues. We’ve been using it for four years along with RID mapping on our Linux clients, with the idmap uid and idmap gid parameters in smb.conf set to 10000-20000 (10000 corresponds to the uidadvance and gidadvance variables below). We run it once a day on a cron job, or manually if we need to have a new account show up immediately.

The script in our case lives in /etc/isilon/scripts. It saves a couple of text files in /ifs/data/compare and I have the cron job save the output to /ifs/data/uidmap.log. We are about to upgrade from OneFS 6.5.x to a new cluster running OneFS 7.1.x, at that point I imagine I’ll have to tweak the script again.

Richard Kunert

--
#!/bin/bash

#This script assumes that the cluster is in a domain and the node running the script
#has access to a valid Active Directory Server

#Originally written for OneFS 5.5.4 and 5.5.6
#Modified to support OneFS 6.5, Jan 2013 RK

#Script currently does not support removing deleted accounts

#User Set Variables
#uidadvance - This is the number that the cluster will advance the UID over the last
#set of digits in the SID field

uidadvance=10000

#gidadvance - This is the number that the cluster will advance the GID over the last
#set of digits in the SID field

gidadvance=10000

#path - Sets the path that the comparison files will be located in.  If the 
#current.mapped.accounts.txt file has been removed the cluster will assume that
#all accounts must be remapped. If individual accounts are removed from that file
#only those accounts will be remapped.

path='/ifs/data/compare'

domain='YOURDOMAINSHORTNAME'

#timestamp for log
date

#Cluster Set Variables
#Checking for the base file and path
if [ -d "$path" ]
then
    clearcache=0
    
    if ! [ -f "$path/current.mapped.user.accounts.txt" ]
    then
       echo "No currently mapped user accounts, remapping all user accounts"
       touch $path/current.mapped.user.accounts.txt
       clearcache=1
    fi
    
    if ! [ -f "$path/current.mapped.group.accounts.txt" ]
    then
       echo "No currently mapped group accounts, remapping all group accounts"
       touch $path/current.mapped.group.accounts.txt
       clearcache=1
    fi
    
    #Creating the current user and group list
    isi auth ads user list > $path/new.user.list.txt
    isi auth ads group list > $path/new.group.list.txt
    
    #User Comparison and mapping Script
    diff -f $path/current.mapped.user.accounts.txt $path/new.user.list.txt | grep -i $domain | awk -F \\ '{print $2}' | while read line
    do
        variable="$domain\\$line"
        sourcesid=`isi auth ads users list -v --name="$variable" | fgrep Sid: | awk '{print $2}'`
        
        # remove all but the last part of SID, then add base UID
        targetuid=$((${sourcesid##*-} + $uidadvance))
        
        if [ $uidadvance -ne $targetuid ]
        then
            isi auth mapping modify --source-sid="$sourcesid" --target-uid="$targetuid" --2way --replace
            echo $variable
        fi
    done

    cp $path/new.user.list.txt $path/current.mapped.user.accounts.txt
    
    #Group Comparison and mapping Script
    diff -f $path/current.mapped.group.accounts.txt $path/new.group.list.txt | grep -i $domain | awk -F \\ '{print $2}' | while read line
    do
        variable="$domain\\$line"    
        sourcesid=`isi auth ads groups list -v --name="$variable" | fgrep Sid: | awk '{print $2}'`
        
        # remove all but the last part of SID, then add base GID
        targetgid=$((${sourcesid##*-} + $gidadvance))
    
        if [ $gidadvance -ne $targetgid ]
        then
            isi auth mapping modify --source-sid="$sourcesid" --target-gid="$targetgid" --2way --replace
            echo $variable
        fi
    done
    
    cp $path/new.group.list.txt $path/current.mapped.group.accounts.txt
    
    #Clearing the AD cache if necessary
    if [ $clearcache -eq 1 ]
    then
       isi_for_array -s 'lw-ad-cache --delete-all'
    fi

else
    echo "Path cannot be found, please create $path or set new script path"
fi

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
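The two ideas in Richard's script, RID-based ID generation (last SID component plus a fixed base, which is what winbind's idmap_rid does on the Linux side, so both sides agree on who owns a file) and mapping only the accounts that were not seen in the previous run, reduced to a form that runs on any POSIX shell without a cluster. This is an added illustration by the editor, not uidmap.sh and not Isilon code. It adds two checks the original leaves implicit: a malformed or empty SID is rejected outright rather than relying on the "-ne $uidadvance" test, and a RID large enough to push the result past the top of the idmap range is reported, since a UID outside the winbind clients' configured range would not be the same UID the clients compute. The base of 10000 and the 10000-20000 range are taken from the thread's smb.conf settings; every SID and account name in the block is constructed.

```shell
#!/bin/sh
# Added example (editor's illustration, not Richard's uidmap.sh, not Isilon code).
# Assumed values from the thread: base 10000, idmap range 10000-20000.
# All SIDs and account names below are constructed.

# sid_to_id SID BASE HI
# Prints BASE + RID. Returns 1 for a malformed SID (the original script only
# catches this indirectly with its "-ne $uidadvance" test) and 2 when the
# result would land outside BASE..HI, the idmap range the winbind clients use.
sid_to_id() {
    sid=$1 base=$2 hi=$3
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;   # domain SID shape: S-1-5-21-<a>-<b>-<c>-<rid>
        *) echo "sid_to_id: malformed SID '$sid'" >&2; return 1 ;;
    esac
    rid=${sid##*-}             # same trick as the script: keep text after the last '-'
    case "$rid" in
        ''|*[!0-9]*) echo "sid_to_id: non-numeric RID in '$sid'" >&2; return 1 ;;
    esac
    id=$((rid + base))
    if [ "$id" -gt "$hi" ]; then
        echo "sid_to_id: RID $rid gives $id, outside idmap range $base-$hi" >&2
        return 2
    fi
    printf '%s\n' "$id"
}

# new_accounts OLD NEW
# Names in NEW that are not in OLD: the set the script still has to map.
# Uses sorted copies and comm(1) instead of parsing 'diff -f' output, so no
# ed-script lines (such as "a3" and ".") ever reach the mapping step.
new_accounts() {
    o=$(mktemp) n=$(mktemp)
    sort -u "$1" > "$o"
    sort -u "$2" > "$n"
    comm -13 "$o" "$n"
    rm -f "$o" "$n"
}

# map_accounts TABLE BASE HI
# TABLE holds one "NAME SID" pair per line (standing in for the output of
# 'isi auth users view'). Prints "NAME ID" for each SID that maps cleanly;
# the return value is the number of rejected entries, so a cron job can
# notice a bad run instead of silently mapping only part of the domain.
map_accounts() {
    table=$1 b=$2 h=$3 rejected=0
    while read -r name sid; do
        [ -n "$name" ] || continue
        if mapped=$(sid_to_id "$sid" "$b" "$h"); then
            printf '%s %s\n' "$name" "$mapped"
        else
            rejected=$((rejected + 1))
        fi
    done < "$table"
    return "$rejected"
}

# Constructed run: two accounts mapped yesterday, five in AD today, and a
# name->SID table with one clean SID, one RID past the range, one truncated SID.
demo() {
    d=$(mktemp -d)
    printf 'alice\nbob\n' > "$d/current.mapped.user.accounts.txt"
    printf 'alice\nbob\ncarol\ndave\nerin\n' > "$d/new.user.list.txt"
    printf '%s\n' \
        'carol S-1-5-21-1111-2222-3333-1105' \
        'dave S-1-5-21-1111-2222-3333-30001' \
        'erin S-1-5-21-1111-2222-3333-' > "$d/sids.txt"
    echo "accounts to map:"
    new_accounts "$d/current.mapped.user.accounts.txt" "$d/new.user.list.txt"
    echo "mappings:"
    map_accounts "$d/sids.txt" 10000 20000
    echo "rejected: $?"
    rm -rf "$d"
}

demo
```

In the constructed run only carol maps (to 11105); dave's RID of 30001 would give 40001, above the 20000 ceiling the clients are configured with, and erin's SID has no RID at all, so both are counted as rejected rather than written as mapping entries.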

Ryan Palamara

Feb 6, 2015, 12:12:58 PM2/6/15
to isilon-u...@googlegroups.com
Thanks Richard, I was looking for you but could not find your address. This is exactly what I was looking for. I was going to write my own script, but this is much faster :) I am running on 7.1.x right now, so I will start working on the conversion. I will post back once it is working.

I know that Isilon support says to just use RFC2307 and AD, but I already have 100 servers using winbind in production and the task of changing those versus just running a script on the Isilon is a big difference. 



Thank you,
Ryan


Dan Pritts

Feb 6, 2015, 12:14:21 PM2/6/15
to isilon-u...@googlegroups.com
February 6, 2015 at 8:58 AM
I opened an SR on this topic (RID-based ID mapping) last year, and it came to no conclusion at all.

No solution was offered other than populating our AD with POSIX attributes.

Just for the record, you don't have to only populate AD with the required posix attributes - you need to do so with AD's Services For Unix extension. 

Just adding the appropriate attributes to the user and group objects does not work. They are ignored.  Unfortunately. 

danno
--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan
+1 (734)615-7362

Richard Kunert

Feb 6, 2015, 12:19:44 PM2/6/15
to isilon-u...@googlegroups.com, Ryan Palamara
No problem. Small correction, the script doesn’t “make” users and groups on the Isilon, it generates mapping entries using isi auth mapping. I don’t believe any local accounts are created. Occasionally I’ve noticed that rather than just adding new accounts it will redo the entire set - that doesn’t create any issues, at least in my environment with a few hundred accounts.

I was seriously surprised and impressed when Isilon offered this as a solution, there have been one or two other cases where they have written scripts as solutions for us. That was all pre-EMC, not sure if they are still providing that type of service.

Richard

John Beranek - PA

Feb 6, 2015, 12:32:11 PM2/6/15
to isilon-u...@googlegroups.com
Our AD does already have the required schema change, and it's likely that we'll approach the issue by writing our own script to populate AD with POSIX UIDs and GIDs as calculated by SSSD (in our case)/winbind.

We'll also be populating shell and home directory properties for users, though I found this had an interesting side effect when I tested it on our Isilon.

If I login to the Isilon as my AD user, the shell is started in my standard home directory, /home/AD/johnb, which doesn't exist on the Isilon, of course. I then don't get any Bash config, so end up not in a home directory with no useful command prompt etc. Not ideal...is there a solution to this to override the AD-specified home directory on the Isilon cluster for administrators?

John

Peter Serocka

Feb 9, 2015, 5:18:41 AM2/9/15
to isilon-u...@googlegroups.com
On 2015 Feb 7, at 01:32, John Beranek - PA wrote:

Our AD does already have the required schema change, and it's likely that we'll approach the issue by writing our own script to populate AD with POSIX UIDs and GIDs as calculated by SSSD (in our case)/winbind.

We'll also be populating shell and home directory properties for users, though I found this had an interesting side effect when I tested it on our Isilon.

If I login to the Isilon as my AD user, the shell is started in my standard home directory, /home/AD/johnb, which doesn't exist on the Isilon, of course. I then don't get any Bash config, so end up not in a home directory with no useful command prompt etc. Not ideal...is there a solution to this to override the AD-specified home directory on the Isilon cluster for administrators?


Symlinks did it for us so far... ugly I know

/home/tarzan -> /ifs/.../home/tarzan


-- Peter


Peter Serocka
CAS-MPG Partner Institute for Computational Biology (PICB)
Shanghai Institutes for Biological Sciences (SIBS)
Chinese Academy of Sciences (CAS)
320 Yue Yang Rd, Shanghai 200031, China





John Beranek - PA

Feb 10, 2015, 5:52:30 PM2/10/15
to isilon-u...@googlegroups.com
Did consider symlinks, but:

a) Yuck
b) Need them separately on each node, though to be honest, I only tend to login to the smartconnect node.

John

Richard Kunert

Feb 23, 2015, 10:50:28 AM2/23/15
to isilon-u...@googlegroups.com, Ryan Palamara
We got a 7.1 cluster so I modified the UID mapping script to support it.


#!/bin/bash

#This script assumes that the cluster is in a domain and the node running the script
#has access to a valid Active Directory Server

#Originally written for OneFS 5.5.4 and 5.5.6
#Modified to support OneFS 7.1, Feb 2015 RK

#Script currently does not support removing deleted accounts

#User Set Variables
#(The variable settings and the directory/file checks below were cut from the
#posted 7.1 copy; they are carried over unchanged from the 6.5 version above.)
#uidadvance - This is the number that the cluster will advance the UID over the last
#set of digits in the SID field

uidadvance=10000

#gidadvance - This is the number that the cluster will advance the GID over the last
#set of digits in the SID field

gidadvance=10000

#path - Sets the path that the comparison files will be located in.  If the
#current.mapped.accounts.txt file has been removed the cluster will assume that
#all accounts must be remapped. If individual accounts are removed from that file
#only those accounts will be remapped.

path='/ifs/data/compare'

domain='YOURDOMAINSHORTNAME'

#timestamp for log
date

#Cluster Set Variables
#Checking for the base file and path
if [ -d "$path" ]
then
    clearcache=0

    if ! [ -f "$path/current.mapped.user.accounts.txt" ]
    then
       echo "No currently mapped user accounts, remapping all user accounts"
       touch $path/current.mapped.user.accounts.txt
       clearcache=1
    fi

    if ! [ -f "$path/current.mapped.group.accounts.txt" ]
    then
       echo "No currently mapped group accounts, remapping all group accounts"
       touch $path/current.mapped.group.accounts.txt
       clearcache=1
    fi

    #Creating the current user and group list
    isi auth users list --domain $domain --no-header --no-footer > $path/new.user.list.txt
    isi auth groups list --domain $domain --no-header --no-footer > $path/new.group.list.txt
    
    #User Comparison and mapping Script
    diff -f $path/current.mapped.user.accounts.txt $path/new.user.list.txt | while read line
    do
        variable="$domain\\$line"
        sourcesid=`isi auth users view "$variable" | fgrep SID: | awk '{print $2}'`
        
        # remove all but the last part of SID, then add base UID
        targetuid=$((${sourcesid##*-} + $uidadvance))
        
        if [ $uidadvance -ne $targetuid ]
        then
            isi auth mapping modify --source-sid="$sourcesid" --target-uid="$targetuid" --2way --replace
            echo $variable
        fi
    done

    cp $path/new.user.list.txt $path/current.mapped.user.accounts.txt
    
    #Group Comparison and mapping Script
    diff -f $path/current.mapped.group.accounts.txt $path/new.group.list.txt | while read line
    do
        variable="$domain\\$line"    
        sourcesid=`isi auth groups view "$variable" | fgrep SID: | awk '{print $2}'`
        
        # remove all but the last part of SID, then add base GID
        targetgid=$((${sourcesid##*-} + $gidadvance))
    
        if [ $gidadvance -ne $targetgid ]
        then
            isi auth mapping modify --source-sid="$sourcesid" --target-gid="$targetgid" --2way --replace
            echo $variable
        fi
    done
    
    cp $path/new.group.list.txt $path/current.mapped.group.accounts.txt
    
    #Clearing the caches if necessary
    if [ $clearcache -eq 1 ]
    then
       isi auth users flush
       isi auth groups flush
    fi

else
    echo "Path cannot be found, please create $path or set new script path"
fi


