Troubleshooting the Identity Mapping Service

The following are troubleshooting issues for the identity mapping service. For related troubleshooting information, see the following:

Viewing Identity Mapping Service Property Settings

The identity mapping service uses the svccfg command to set properties. See the svccfg(1M) man page. Before you change property values, you should view the current property settings.

To view configuration properties related to the idmap service, run the svcprop -p config idmap command, or the svccfg -s idmap listprop debug command, which shows the debugging flags.

Saving and Restoring Name-Based Mapping Rules

You might need to back up and restore your name-based mapping rules.

For more information about the idmap export, idmap import, and idmap list commands. See the idmap(1M) man page.

To back up the rules, perform the following steps:

List the name-based mapping rules.
```
# idmap list >output-file
```
Restore a saved set of rules.
```
# idmap remove -a
```

Use the idmap list command.

Run output-file as a shell script.

# sh ./output-file

To restore the rules, execute the commands in the output-file file.

# idmap -f output-file

Viewing Details About Mappings

If you encounter unexpected mapping results, use the idmap dump and idmap show commands to gather data. Each command has a -V option that produces detailed information about mappings.

For more information, see How to Show a Mapping for a Particular Identity.

Debugging the Identity Mapping Service

The idmap service includes a diagnostic facility that enables you to control the diagnostic verbosity in each of a number of areas. The debug property group defines several properties. Each property in the group controls the debug verbosity in a particular area of the application. For all areas, the default is 0, which produces error reports but no output in normal cases. The higher the value, the more verbosity is provided. Some cases support negative values to suppress reporting of errors. The debug/all property acts as a master control. The effective value that is used for each area is the maximum of that area's property value and the value of debug/all. Thus, setting debug/all to a large value enables all available debugging output.

Output that is enabled is routed to syslog and the SMF service log, /var/svc/log/system-idmap:default.log. Logged information is further filtered based on the syslog.conf settings.

Use the svccfg command to set the property values and then use the svcadm refresh command to make them effective.

# svccfg -s idmap setprop debug/discovery = 2
# svcadm refresh idmap
# svcprop -p debug idmap

The following table summarizes the initial debug output.

Property	Level	Output
`debug/config`	1	Configuration changes Loading configuration, beginning and end of discovery cycle Startup configuration Events that trigger reconfiguration Inability to discover domain configuration values
	2	Events that get noticed but do not trigger reconfiguration
`debug/mapping`	1	Mapping trace, as in `idmap show -V`
`debug/dns`	0 1	DNS errors DNS queries and results
`debug/ldap`	0 1	LDAP authentication errors LDAP connection errors
`debug/discovery`	1 2	Result of AD domain service discovery step Starting discovery step Interim discovery results
`debug/door`	1	Report when request-processing threads are created or destroyed

Note - These values are subject to change without notice.

Skip Navigation Links
Exit Print View
	Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library