Multiprotocol access may not work as expected if there are inconsistencies in mappings between SID and UID/GID between an authentication provider and the PowerScale mapping database.
Inconsistencies between Unix and SID attributes can occur if PowerScale has mapped an autogenerated UID/GID to the SID and it is later configured with Unix attributes. When PowerScale creates a mapping token for a SID and a native on-disk identity is set on PowerScale, a SID will be mapped to a UID/GID. If there is no UID/GID configured in the authentication providers (such as AD using RFC 2307), PowerScale autogenerates a UID/GID to be mapped to the SID. If the SID is then updated with a UID/GID in AD, PowerScale will not map the new UID/GID. The Isilon mapping database must be updated by deleting the old SID to UID/GID mapping and allowing OneFS to create a new mapping.

Example of a synthetic mapping (autogenerated Unix attribute) to SID on OneFS 7.2.1.x:

    # isi auth mapping dump | grep S-1-5-21-448539723-1767777339-1801674531-1384361
    ["ZID:1", "GID:1000006", [["SID:S-1-5-21-448539723-1767777339-1801674531-1384361", 0]]]
    ["ZID:1", "SID:S-1-5-21-448539723-1767777339-1801674531-1384361", [["GID:1000006", 0]]]

GID 1000006 is in the autogenerated range:

    # isi auth settings mapping view
    GID Range Enabled: Yes
    GID Range Min: 1000000
    GID Range Max: 2000000
    GID Range Next: 1000000
    UID Range Enabled: Yes
    UID Range Min: 1000000
    UID Range Max: 2000000
    UID Range Next: 1000000
    Cache Entry Expiry: 4H

If the GID in Active Directory has been updated to 1001, for example, the mapping on the Isilon must be re-created:
Remove mapping entries with the isi auth mapping delete command, either specific mappings or the entire database. Refer to the corresponding OneFS CLI guide for specific syntax as needed.

7.2.1.x example continued for the new GID 1001:

Delete entry:

    # isi auth mapping delete --2way --source-sid S-1-5-21-448539723-1767777339-1801674531-1384361 --target-gid 1000006

Flush cache:

    # isi auth mapping flush

View the new mapping once the mapping database is repopulated. It may not show up immediately, but authentication should work:

    # isi auth mapping dump | grep S-1-5-21-448539723-1767777339-1801674531-1384361
    ["ZID:1", "GID:1001", [["SID:S-1-5-21-448539723-1767777339-1801674531-1384361", 0]]]
    ["ZID:1", "SID:S-1-5-21-448539723-1767777339-1801674531-1384361", [["GID:1000006", 0]]]

OneFS 8.0 example of clearing out the mapping database for only generated UID/GID mappings:

Back up the database:

    # isi auth mapping dump /ifs/data/Isilon_Support/mapping_backup.$(date +%m%d%Y).db

Clear out the database for generated UID/GID mappings:

    # isi auth mapping delete --all --only-generated
    Are you sure you want to delete generated identity mappings in current access zone? (yes/[no]): YES

Flush cache:

    # isi auth mapping flush --all

In OneFS 9.x and later the commands are zone-based, so the target zone needs to be added to the commands.
For example, the synthetic mapping appears in zone 2:

    ["ZID:2", "GID:1000006", [["SID:S-1-5-21-474563383-198902381-1512181889-713313", 48]]]
    ["ZID:2", "SID:S-1-5-21-474563383-198902381-1512181889-713313", [["GID:1000006", 32]]]

Zone ID 2 refers to the App zone:

    Name: App <<<<<<<<<
    Path: /ifs/App
    Groupnet: groupnet0
    Map Untrusted:
    Auth Providers: lsa-local-provider:System, lsa-local-provider:App
    NetBIOS Name:
    User Mapping Rules: -
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Cache Entry Expiry: 4H
    Negative Cache Entry Expiry: 1m
    Zone ID: 2 <<<<<<<<<<<

To delete the single 2-way mapping:

    isi auth mapping delete --2way --source-sid=S-1-5-21-474563383-198902381-1512181889-713313 --target-gid=1000006 --zone=App

To clear all the generated mappings from the App zone:

    isi auth mapping delete --only-generated --all --zone=App

There may be some performance impact while the mapping database is re-created. The mapping database may take some time to show new entries, but authentication should work as designed.
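The check described in this article can be scripted before deleting anything. The following is an added example, not Dell's code: it parses saved isi auth mapping dump output and lists SIDs that are still mapped to an ID in the autogenerated range although the authentication provider now holds a different Unix ID. The sample dump, the SIDs, the PROVIDER_IDS table and the function names are constructed for illustration, and the range bounds are assumed to be inclusive.

```python
import json

# Constructed sample in the dump line format shown above (not real cluster data).
SAMPLE_DUMP = """\
["ZID:1", "GID:1000006", [["SID:S-1-5-21-1111111111-2222222222-3333333333-1001", 0]]]
["ZID:1", "SID:S-1-5-21-1111111111-2222222222-3333333333-1001", [["GID:1000006", 0]]]
["ZID:1", "SID:S-1-5-21-1111111111-2222222222-3333333333-1002", [["UID:5001", 0]]]
["ZID:2", "SID:S-1-5-21-1111111111-2222222222-3333333333-1003", [["UID:1000010", 32]]]
"""

# Constructed stand-in for the Unix attributes now set in the provider (e.g. AD RFC 2307).
PROVIDER_IDS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": ("GID", 1001),
    "S-1-5-21-1111111111-2222222222-3333333333-1002": ("UID", 5001),
}

# Range Min / Range Max as reported by `isi auth settings mapping view`.
GENERATED_RANGE = (1000000, 2000000)


def parse_dump(text):
    """Yield (zone_id, source, target) for each mapping; every dump line is a JSON array."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue  # skip prompts, blank lines and other non-mapping text
        zone, source, targets = json.loads(line)
        for target, _flags in targets:
            yield int(zone.split(":", 1)[1]), source, target


def stale_generated(text, provider_ids, id_range=GENERATED_RANGE):
    """Return SID mappings that point at a generated ID while the provider has another ID."""
    findings = []
    for zone_id, source, target in parse_dump(text):
        kind, _, value = target.partition(":")
        if not source.startswith("SID:") or kind not in ("UID", "GID"):
            continue  # the reverse (UID/GID -> SID) entries are covered by the SID entry
        sid, mapped = source[4:], int(value)
        expected = provider_ids.get(sid)
        in_range = id_range[0] <= mapped <= id_range[1]
        if in_range and expected and expected[0] == kind and expected[1] != mapped:
            findings.append({"zone_id": zone_id, "sid": sid,
                             "mapped": f"{kind}:{mapped}",
                             "provider": f"{kind}:{expected[1]}"})
    return findings


if __name__ == "__main__":
    for finding in stale_generated(SAMPLE_DUMP, PROVIDER_IDS):
        print(finding)
```

A SID with a generated ID and no Unix attributes in the provider is not reported, because that mapping is expected. Each reported entry carries the zone ID, which must be translated to the zone name before using the zone-based delete commands.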