Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition | |||
|
|
Solution Type Technical Instruction Sure Solution 1007155.1 : Sun StorageTek[TM] 5000 Series NAS: Viewing and and Troubleshooting CIFS User Tokens
PreviouslyPublishedAs 209859 Description When a CIFS user successfully connects to a share on the Sun StorageTek[TM] 5000 Series NAS, the user's access token is stored on the NAS. This token contains data on group membership, primary group and other security details. This document describes how to read this information, and how to resolve issues updating these tokens when security changes are made to the user accounts. Steps to Follow Windows clients use an access token to assign user data, primary group, group membership and other security details. This token is generated by the Domain Controller and is sent to the NAS when the client connects to a CIFS share. The token information on the NAS is viewable using the procedure below and can be very useful for troubleshooting user access or credential mapping issues. When a user changes group membership or primary group membership, the change does not take effect until the next time the user connects. If the user is currently connected to the NAS, they must disconnect from the NAS and reconnect in order for the changes to take effect. Token Caching The access token is stored on the NAS for up to thirty seconds after the user logs out. In most cases, it is sufficient for the user to disconnect from the NAS, wait thirty seconds, then reconnect. However, there are some situations where this does not work. For example, if the user connects from multiple systems, multiple connections from the same system or does not correctly perform the disconnection properly it sometimes becomes necessary to examine the tokens on the NAS for troubleshooting purposes. The following steps can be taken as an alternative to looking at the tokens themselves, though some of them may be undesirable to the customer:
Viewing User Access Tokens This step must be performed from the NAS CLI. To access the token information, follow these steps: (NOTE: For OS versions prior to 4.21, it will be necessary to enter "admin" at the [menu] prompt before the second step)
This will provide a listing of all tokens for connected users. This is sample output: NAS1 > ls /proc/cifs BIGDOMAIN.nobody.00000000.083D5001 BIGDOMAIN.nobody.00000000.083D51F2 BIGDOMAIN.nobody.00000000.083A53E1 BIGDOMAIN.nobody.00000000.083D55D1 BIGDOMAIN.nobody.00000000.083D53C3 BIGDOMAIN.nobody.00000000.063D59B0 BIGDOMAIN.joem.00000000.063D5BA0 BIGDOMAIN.janez.00000000.C0A85B4A BIGDOMAIN.bobr.00000000.0F0B5000 BIGDOMAIN.samf.00000000.0F0B53E0 autohome files groups ntdomain pdc services sessions shares workers Disregard the files containing nobody and the entries with no dots. The remaining files are user tokens. The filenames begin with the domain name, then the user name, then some hexadecimal digits. The hexadecimal digits are a representation of the IP address, which can be converted to decimal and used to discern between multiple logins for a user or detect unauthorized logins. The token is stored in plain text and contains useful.information about currently connected users. Here is an example: User Sid: S-1-5-21-1329958366-319369312-1704127429-241 Account: janez Domain: BIGDOMAIN Client: 192.168.91.74 Logon Time: Thu Sep 20 06:52:57 2007 Groups: 1 S-1-5-21-1329958366-319369312-1704127429-513 S-1-5-21-1329958366-319369312-1704127429-1999 S-1-5-21-1329958366-319369312-1704127429-2114 Privileges: 0 Default Owner: S-1-5-21-1329958366-319369312-1704127429-241 FullName: janez PrimaryGrp Sid: S-1-5-21-1329958366-319369312-1704127429-513 PrimaryGrp Name: Domain Users Unix credentials Effective: 222 100 Real: 222 100 User RID: 241 (BIGDOMAIN) LocalIP=0.0.0.0 TTL=0 References=1 Flag=0x2 The most useful fields are Account, Client, Groups, PrimaryGrp Name, and Unix credentials. These can be used to determine group membership, primary group and effective UNIX user and group information. This information should be helpful in troubleshooting security and credential mapping issues. NOTE: Some of the information above is displayed as SIDs. To translate these to names, determine whether it is a group or user object, and check either /dvol/etc/group.map or /dvol/etc/users.map, which will have this number (the RID) in the fifth column. Product Sun StorageTek 5320 NAS Gateway/Cluster System Sun StorageTek 5320 NAS Appliance Sun StorageTek 5320 Sun StorageTek 5310 NAS Gateway/Cluster System Sun StorageTek 5310 NAS Gateway System Sun StorageTek 5310 NAS Appliance Sun StorageTek 5220 NAS Appliance Sun StorageTek 5220 Sun StorageTek 5210 NAS Appliance Internal Comments This document contains normalized content and is managed by the the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below: storage-nas-domain@sun.com The Knowledge Work Queue for this article is KNO-STO-NAS NAS, CIFS, shares, groups, credential mapping, access token, Audited Previously Published As 90737 Change History Date: 2007-10-03 User Name: 31620 Action: Approved Comment: Verified Metadata - ok Verified Keywords - ok (normalized) No dependent articles Verified still correct for audience - currently set to contract Audience left at contract as per FvF at http://kmo.central/howto/content/voyager-contributor-standards.html Checked review date - currently set to 2008-09-22 Checked for TM - added appropriate for STK products Publishing under the current publication rules of 18 Apr 2005: Version: 3 Attachments This solution has no attachment |
||||||||||||
|