Solaris CIFS Administration Guide

Procedure: How to Add a User Mapping Rule

The idmap command enables you to create rule-based mappings between Windows users and Solaris users. By default, the Solaris CIFS service uses ephemeral identity mapping.

Shell special characters, such as the double quote character ("), the asterisk character (*), and the backslash character (\), must be quoted when used as user names and domain names.

  1. Become superuser, assume an equivalent role, obtain the solaris.admin.idmap.rules RBAC authorization, or use the “Idmap Service Management” RBAC profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the user names that you want to map.

    1. Determine the domain and name of the Windows user that you want to map to a Solaris user.

      The Windows user name must be specified by using one of the following formats:

      • winuser:username@domain-name

      • winuser:'domain-name\username'

    2. Determine the name of the Solaris user that you want to map to the Windows user.

      The Solaris user name must be specified by using the format unixuser:username.

    If username is the empty string (""), mapping is inhibited. Only directional mappings can have an empty string as their target identity. No mapping is created by the identity mapping service, and the nobody ID is used for access control. Note that a user name of "" should not be used to preclude logins by unmapped Windows users.

    If username uses the wildcard (*), it matches all user names that are not matched by other mappings. Similarly, if username is the wildcard Windows name (*@*), it matches all user names in all domains that are not matched by other mappings.

  3. Create the user mapping.

    By default, identity mappings are bidirectional, which means that the Windows name is mapped to the Solaris name and the Solaris name is mapped to the Windows name. If you want the mapping to be unidirectional, specify the -d option.

    If username uses the wildcard on both sides of the mapping, the user name is the same for both Windows and Solaris users. For example, if the rule is '*@example.com' == '*', the jp@example.com Windows user name would match this rule and map to the jp Solaris user name.


    Caution –

    Be careful when creating rule-based mappings that use wildcards for the user names. Windows user names are case insensitive, while Solaris user names are case sensitive. Note that the case of Windows names that appear in idmap name rules and in idmap show commands is irrelevant.

    Solaris environments typically use lowercase characters for user names, but uppercase characters are permitted. Therefore, using a wildcard to map Windows names to Solaris user names might not produce the expected results. Rule-based mapping rules that use the unixuser:* target map to the Solaris user name as follows:

    • Map the canonical Windows name, which uses the case found in the directory entry, to the Solaris user name with exactly that spelling, if one exists.

    • If no such Solaris user name exists, fold the case of the canonical Windows name to lower case and use it as the Solaris CIFS user name.

    As a result of this differing treatment of case, user names that appear to be alike might not be recognized as matches. You must create explicit rules to handle such pairings of strings that differ only in case; an explicit rule takes precedence over the wildcard rule. For example, to map Solaris user Kerry to Windows user kerry@example.com when a wildcard rule is already in place, you must create the following rules:


    # idmap add winuser:'*@example.com' unixuser:'*'
    # idmap add winuser:kerry@example.com unixuser:Kerry
    

    • Create a bidirectional mapping between a Windows user name and a Solaris user name.


      # idmap add winuser:username@domain-name unixuser:username
      
    • Create a unidirectional mapping between a Windows user name and a Solaris user name.


      # idmap add -d winuser:username@domain-name unixuser:username
      
    • Create a unidirectional mapping between a Solaris user name and a Windows user name.


      # idmap add -d unixuser:username winuser:username@domain-name
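
The following script is an added example and is not part of the Solaris CIFS Administration Guide or the idmap tool. It models the case-folding behaviour of a wildcard rule such as winuser:'*@example.com' == unixuser:'*' described in the caution above, and prints the explicit idmap rules that are still required for users whose Windows and Solaris spellings differ only in case. The domain example.com, the Solaris user list, and the list of Windows users are constructed inline so that the script runs offline; on a real host you would feed it the output of getent passwd and the canonical names from the directory. It only prints idmap commands and never runs them.

```shell
#!/bin/sh
# Added example (not from the Solaris CIFS Administration Guide): predict what
# the wildcard rule  idmap add winuser:'*@example.com' unixuser:'*'  would
# resolve each Windows user to, and emit the explicit rules still needed.

DOMAIN='example.com'   # assumed domain, not from the guide

# Constructed stand-in for the Solaris user database (one name per line).
# Note that it contains both "kerry" and "Kerry": Solaris names are case sensitive.
SOLARIS_USERS='root
kerry
Kerry
jp
alice'

# Does a Solaris user with exactly this (case-sensitive) name exist?
solaris_user_exists() {
    printf '%s\n' "$SOLARIS_USERS" | grep -qxF -- "$1"
}

# Fold a name to lower case, as the wildcard rule does when the canonical
# Windows name has no exact Solaris match.
fold_case() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Solaris user a unixuser:* wildcard rule selects for a canonical Windows name:
# the canonical spelling if such a Solaris user exists, otherwise the
# lower-cased spelling (whether or not a user of that name exists).
wildcard_target() {
    if solaris_user_exists "$1"; then
        printf '%s\n' "$1"
    else
        fold_case "$1"
    fi
}

# Print the explicit idmap rule needed for one Windows user (canonical name)
# who must map to the given Solaris user; prints nothing if the wildcard rule
# already gets it right. Single quotes keep shell special characters in names
# intact, as the guide requires. Also warns when the intended Solaris user
# does not exist at all.
explicit_rule_for() {
    canon="$1"; wanted="$2"
    if [ "$(wildcard_target "$canon")" != "$wanted" ]; then
        printf "idmap add winuser:'%s@%s' unixuser:'%s'\n" "$canon" "$DOMAIN" "$wanted"
    fi
    if ! solaris_user_exists "$wanted"; then
        printf '# warning: Solaris user %s does not exist\n' "$wanted"
    fi
    return 0
}

# Constructed worklist: "canonical Windows name=intended Solaris user", one per line.
WANTED='kerry=Kerry
JP=jp
Alice=alice
Bob=bob'

# Emit every explicit rule the worklist needs. Empty output means the
# wildcard rule alone is sufficient.
needed_rules() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r canon wanted; do
        if [ -n "$canon" ]; then
            explicit_rule_for "$canon" "$wanted"
        fi
    done
}

needed_rules
```

With the constructed data, only kerry@example.com needs an explicit rule (the wildcard would pick the existing lower-case Solaris user kerry rather than Kerry), JP and Alice fold to jp and alice as intended, and Bob is flagged because no Solaris user bob exists. Review the printed commands before running them as a role that holds the solaris.admin.idmap.rules authorization.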