Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1007155.1
Update Date:2009-04-14
Keywords:

Solution Type  Technical Instruction Sure

Solution  1007155.1 :   Sun StorageTek[TM] 5000 Series NAS: Viewing and and Troubleshooting CIFS User Tokens  


Related Items
  • Sun Storage 5210 NAS Appliance
  •  
  • Sun Storage 5220 NAS Appliance
  •  
  • Sun Storage 5310 NAS Appliance
  •  
  • Sun Storage 5320 NAS Gateway/Cluster System
  •  
  • Sun Storage 5320 NAS Appliance
  •  
  • Sun Storage 5310 NAS Gateway System
  •  
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage
  •  

PreviouslyPublishedAs
209859


Description
When a CIFS user successfully connects to a share on the Sun StorageTek[TM] 5000 Series NAS, the user's access token is stored on the NAS. This token contains data on group membership, primary group and other security details. This document describes how to read this information, and how to resolve issues updating these tokens when security changes are made to the user accounts.


Steps to Follow
Windows clients use an access token to assign user data, primary group, group membership and other security details. This token is generated by the Domain Controller and is sent to the NAS when the client connects to a CIFS share. The token information on the NAS is viewable using the procedure below and can be very useful for troubleshooting user access or credential mapping issues.
When a user changes group membership or primary group membership, the change does not take effect until the next time the user connects. If the user is currently connected to the NAS, they must disconnect from the NAS and reconnect in order for the changes to take effect.

Token Caching

The access token is stored on the NAS for up to thirty seconds after the user logs out. In most cases, it is sufficient for the user to disconnect from the NAS, wait thirty seconds, then reconnect. However, there are some situations where this does not work. For example, if the user connects from multiple systems, multiple connections from the same system or does not correctly perform the disconnection properly it sometimes becomes necessary to examine the tokens on the NAS for troubleshooting purposes.

The following steps can be taken as an alternative to looking at the tokens themselves, though some of them may be undesirable to the customer:

  • Disconnect the share and wait 30-60 seconds before reconnecting. (net use X: /DELETE)
  • Log out of the workstation.
  • Reboot the workstation
  • Reboot the NAS. This is generally not done except during scheduled maintenance, after many user accounts have been changed and some may still be connected.

Viewing User Access Tokens

This step must be performed from the NAS CLI. To access the token information, follow these steps:

(NOTE: For OS versions prior to 4.21, it will be necessary to enter "admin" at the [menu] prompt before the second step)

  • Open a telnet or ssh connection to the NAS
  • Type the administrator password
  • At the CLI, enter ls /proc/cifs

This will provide a listing of all tokens for connected users. This is sample output:

NAS1 > ls /proc/cifs
BIGDOMAIN.nobody.00000000.083D5001
BIGDOMAIN.nobody.00000000.083D51F2
BIGDOMAIN.nobody.00000000.083A53E1
BIGDOMAIN.nobody.00000000.083D55D1
BIGDOMAIN.nobody.00000000.083D53C3
BIGDOMAIN.nobody.00000000.063D59B0
BIGDOMAIN.joem.00000000.063D5BA0
BIGDOMAIN.janez.00000000.C0A85B4A
BIGDOMAIN.bobr.00000000.0F0B5000
BIGDOMAIN.samf.00000000.0F0B53E0        autohome        files
groups          ntdomain        pdc             services        sessions
shares          workers

Disregard the files containing nobody and the entries with no dots. The remaining files are user tokens. The filenames begin with the domain name, then the user name, then some hexadecimal digits. The hexadecimal digits are a representation of the IP address, which can be converted to decimal and used to discern between multiple logins for a user or detect unauthorized logins. The token is stored in plain text and contains useful.information about currently connected users. Here is an example:

User Sid:   S-1-5-21-1329958366-319369312-1704127429-241
Account:    janez
Domain:     BIGDOMAIN
Client:     192.168.91.74
Logon Time: Thu Sep 20 06:52:57 2007
Groups: 1
S-1-5-21-1329958366-319369312-1704127429-513
S-1-5-21-1329958366-319369312-1704127429-1999
S-1-5-21-1329958366-319369312-1704127429-2114
Privileges: 0
Default Owner:    S-1-5-21-1329958366-319369312-1704127429-241
FullName:   janez
PrimaryGrp Sid:   S-1-5-21-1329958366-319369312-1704127429-513
PrimaryGrp Name:  Domain Users
Unix credentials
Effective: 222 100
Real: 222 100
User RID: 241 (BIGDOMAIN)
LocalIP=0.0.0.0
TTL=0
References=1
Flag=0x2

The most useful fields are Account, Client, Groups, PrimaryGrp Name, and Unix credentials. These can be used to determine group membership, primary group and effective UNIX user and group information. This information should be helpful in troubleshooting security and credential mapping issues.

NOTE: Some of the information above is displayed as SIDs. To translate these to names, determine whether it is a group or user object, and check either /dvol/etc/group.map or /dvol/etc/users.map, which will have this number (the RID) in the fifth column.



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5220
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com


The Knowledge Work Queue for this article is KNO-STO-NAS
NAS, CIFS, shares, groups, credential mapping, access token, Audited
Previously Published As
90737

Change History
Date: 2007-10-03
User Name: 31620
Action: Approved
Comment: Verified Metadata - ok
Verified Keywords - ok (normalized)
No dependent articles
Verified still correct for audience - currently set to contract
Audience left at contract as per FvF at
http://kmo.central/howto/content/voyager-contributor-standards.html
Checked review date - currently set to 2008-09-22
Checked for TM - added appropriate for STK products
Publishing under the current publication rules of 18 Apr 2005:
Version: 3

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.
 Feedback