Solaris CIFS Administration Guide

Configuring DNS for Identity Mapping in Domain Mode

The idmap service requires that DNS be configured properly before you join a Solaris system to an AD domain.

Note –

This DNS configuration is only required for domain mode though the idmap service operates in workgroup mode as well. When in workgroup mode, domain name-based mapping is not performed.

The idmapd daemon uses DNS information that is specified in the /etc/resolv.conf configuration file to discover its domain.

The domain is specified by the value of the domain or search configuration directive.

If both the domain and search directives are used, the last directive that is specified determines the domain to be used for auto-discovery.

The idmapd daemon discovers the domain controller and the global catalog by performing DNS lookups for SRV records. These SRV records are generated by the DNS server that is part of AD on the Windows domain controller. Therefore, the simplest way to configure DNS is to point to the DNS server on the Windows domain controller.

The idmap service looks for the following SRV records:


You can verify that the configuration is working properly by running the following, which should return the name of the Windows domain controller:

# dig _ldap._tcp.domain-name SRV +short

For example, the following returns the domain controller for the domain:

# dig SRV +short
0 100 389

After DNS is correctly configured, you can join the Solaris system to an AD domain by using the smbadm or kclient utility. For more information about using the smbadm command see, How to Configure the Solaris CIFS Service in Domain Mode and the smbadm(1M) man page. For information about the kclient command, see the kclient(1M) man page.

Note –

If the idmap service is unable to discover an AD server, the service only handles mappings for well-known SIDs and local SIDs.