Actually, there is already bug 846560 for this issue. And it's fixed in a future release.

Thanks for that. I noticed another strange behaviour. I have now setup a windows group with unix members and I'm able to see the group membership on the cdot filer:

GEDASAN::*> secd authentication show-creds -node GEDASAN-02 -vserver Corporate -unix-user-name oweinmann

UNIX UID: oweinmann <> Windows User: A\oweinmann (Domain User)

GID: Domain Users

Supplementary GIDs:

  Up NETAPPTESTMIG de_dt Da Lg

  Up YTEST de_dt Da Lg

GEDASAN::*> secd authentication show-creds -node GEDASAN-02 -vserver Corporate -win-name oweinmann

UNIX UID: oweinmann <> Windows User: A\oweinmann (Domain User)

GID: Domain Users

Supplementary GIDs:

  Up NETAPPTESTMIG de_dt Da Lg

  Up YTEST de_dt Da Lg

When I ran the command yesterday the newly added group "Up YTEST de_dt Da Lg" only showed up when looking up "unix-name" but not "win-name". I guess I have to change the cache lifetime. But I'm not sure which one to change. Under 7Mode there was just the wcc credentials cache setting to control it.

secd cache show-config -node ...

When I try to access a folder with unix permissions via CIFS I get a permission denied. The permissions on that folder allow the members of the group "Up YTEST de_dt Da Lg" full access and I'm a member of that group. I can access it via NFS but not via CIFS. Is there an additional setting for this? I have no user mappings defined as the default ones are just fine.

Ok, it seems that this behaviour is also controlled by an option under 7Mode:

cifs.perm_check_use_gid

On our systems this is off, but it is overruled by the setting:

cifs.nfs_root_ignore_acl

Both settings are not available under CDOT. I can't believe this...

Ok, I logged off from my windows host and after logging in again the access works. My group membership was not updated. The option "cifs.perm_check_use_gid" is not really required under CDot as it checks group memberships by default if the user was successfully mapped. It was just that my users group membership wasn't updated in my running windows session.

But I'm still struggling to have the cache cleared. Just added another user to the unix groups and it only gets listed when resolving unix-username. I cleared all possible caches, even the nblade cache. Is there another cache?

Best Regards,

Oliver

I'll also be interested at some point in having such documentation available.  That point in time appears to be when we upgrade to 8.3 which will certainly be sometime after the GA release.

It's good to see that according to bug 675476, 8.3 will indeed include support for the RFC 2307bis schema.

Should we just expect TR-4073 to be updated to reflect?  I'm mainly looking for information on how we can transition from our current setup using most settings from AD-IDMU schema.

Hi,

can you please explain how you got the rfc2307 working? Because on our system it is just not working as expected. Running a lookup on a user shows no additional GIDs:

GEDASAN::*> diag secd authentication show-creds -node GEDASAN-02 -vserver Corporate -unix-user-name tuser

 UNIX UID: tuser <> Windows User: A\tuser (Windows Domain User)

 GID: 10000
 Supplementary GIDs:
  10000

So accessing a file with unix permissions from windows fails....

I'm not sure which particular one(s) trigger(s) it, but here are the ones I clear that do the trick.

diag secd cache clear -node <node> -vserver <vserver> -cache-name ldap-XXXXXXX

1. ldap-groupname-to-id
2. ldap-userid-to-creds
3. ldap-userid-to-name
4. ldap-username-to-creds

Thanks. I figured it goes quicker if I change an attribute of the ldap client schema back and forth. I noticed the problem with RFC2307BIS implementation on CDOT is that is not able to retrieve Unix enabled groups of a user which are nested.

e.g.

We have global / universal groups containing the users and local groups containing the global / universal group:

User 1 -> Group A universal -> no GID

Group A local ->Group A universal - > GID 10001

If the universal group A has no GID the local group A will not be listed by:

set -privilege diag

diag secd authentication show-creds -node Node-01 -vserver CIFS -unix-user-name tuser

 This only causes problems when using NFSv(3/4) and Kerberos security... I thought, but under CDOT, this also causes problems when accessing files with unix security via CIFS. We use winbind and this is well capable of listing a users groups even if only the local group has a GID. In NetApp TR 4073 http://www.netapp.com/us/media/tr-4073.pdf sssd daemon is used instead of winbind. I haven't tested it yet, but I assume sssd is also capable of doing that. The reason for not wanting too many GIDs is that there are limitations in NFS for group memberships:

sec = sys = 16 groups

sec = krb5 = 32 groups?

Our users are in many groups as they have to work on many different projects. The only workaround so far is to add the users to the memberUid ldap attribute with a small Powershell script. The script takes 10-15 minutes for 3000+ groups.

Strangely on our old 7Mode system the behaviour is a bit different. The groups are also not listed, but the users can access files with unix security if they are member of the group in AD.