Solaris CIFS Administration Guide

Procedure: How to Add a Group Mapping Rule

The idmap command enables you to create rule-based mappings between Windows groups and Solaris groups. By default, the Solaris CIFS service uses ephemeral identity mapping.

You can also create diagonal mappings to map between a Windows group and a Solaris user, and between a Solaris group and a Windows user. These mappings are needed when Windows uses a group identity as a file owner or a user identity as a file group.

Shell special characters, such as the double quote character ("), the asterisk character (*), and the backslash character (\), must be quoted when they appear in group names and domain names.

  1. Become superuser, assume an equivalent role, obtain the solaris.admin.idmap.rules RBAC authorization, or use the “Idmap Service Management” RBAC profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the group names that you want to map.

    1. Determine the domain and name of the Windows group that you want to map to a Solaris group.

      The Windows group name must be specified by using one of the following formats:

      • wingroup:group-name@domain-name

      • wingroup:'domain-name\group-name'

    2. Determine the name of the Solaris user or group that you want to map to the Windows group.

      The Solaris group name must be specified by using the format unixgroup:group-name. The Solaris user name must be specified by using the format unixuser:username.

    If group-name is the empty string (""), mapping is inhibited.

    If group-name uses the wildcard (*), it matches all group names that are not matched by other mappings. Similarly, if group-name is the wildcard Windows name (*@*), it matches all group names in all domains that are not matched by other mappings.

  3. Create the group mapping.

    By default, identity mappings are bidirectional, which means that the Windows group name is mapped to the Solaris group name, and the Solaris group name is mapped to the Windows group name. If you want the mapping to be unidirectional, specify the -d option.

    If group-name uses the wildcard on both sides of the mapping, the group name is the same for both Windows groups and Solaris groups. For example, if the rule is "*@example.com" == "*", the staff@example.com Windows group name would match this rule and map to the staff Solaris group name.


    Caution –

    Be careful when creating rule-based mappings that use wildcards for the group names. Windows group names are case insensitive, while Solaris group names are case sensitive. Note that the case of Windows names that appear in idmap name rules and in idmap show commands is irrelevant.

    Solaris environments typically use lowercase characters for group names, but uppercase characters are permitted. Therefore, using a wildcard to map Windows names to Solaris group names might not produce the expected results. Rules that use the unixgroup:* target map to a Solaris group name as follows:

    • Map the canonical Windows name, which uses the case found in the directory entry, to the matching Solaris group name.

    • If no such Solaris group name exists, fold the case of the canonical Windows name to lower case and use it as the Solaris CIFS group name.

    As a result of this differing treatment of case, group names that appear to be alike might not be recognized as matches. You must create rules to handle such pairings of strings that differ only in case. For example, to map the Solaris group Sales to the Windows group sales@example.com, you must create the following rules:

    # idmap add wingroup:'*@example.com' unixgroup:'*'
    # idmap add wingroup:sales@example.com unixgroup:Sales

    • Create a bidirectional mapping between a Windows group name and a Solaris group name.

      # idmap add wingroup:group-name@domain-name unixgroup:group-name

    • Create a unidirectional mapping between a Windows group name and a Solaris group name.

      # idmap add -d wingroup:group-name@domain-name unixgroup:group-name

    • Create a unidirectional mapping between a Solaris group name and a Windows group name.

      # idmap add -d unixgroup:group-name wingroup:group-name@domain-name

    • Create a diagonal mapping between a Windows group name and a Solaris user name.

      # idmap add -d wingroup:group-name@domain-name unixuser:username

    • Create a diagonal mapping between a Solaris group name and a Windows user name.

      # idmap add -d unixgroup:group-name winuser:username@domain-name
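The case-folding behaviour described in the caution above is easy to get wrong when planning wildcard rules. The following is an added example, not Solaris or idmap code: a simplified model of how a Windows group name resolves to a Solaris group under a set of name rules, written to let an administrator check a rule set before applying it with idmap add. It assumes that specific rules are tried before wildcard rules (inferred from "not matched by other mappings"), and that the Windows name passed in is the canonical name from the directory entry.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    win_group: str   # "group-name@domain-name"; "*" allowed for either part
    unix_group: str  # Solaris group name, "*" (wildcard), or "" (inhibit)


def _split(win: str):
    name, _, domain = win.partition("@")
    return name, domain


def _wildcards(rule: Rule) -> int:
    # More wildcards = less specific; specific rules are tried first (assumption)
    return sum(part == "*" for part in _split(rule.win_group))


def _matches(pattern: str, win: str) -> bool:
    (pname, pdom), (name, dom) = _split(pattern), _split(win)
    # Windows names are case-insensitive, so rule text is compared case-folded
    return (pname == "*" or pname.lower() == name.lower()) and \
           (pdom == "*" or pdom.lower() == dom.lower())


def resolve_win_group(win: str, rules: Iterable[Rule],
                      unix_groups: Iterable[str]) -> Optional[str]:
    """Return the Solaris group that the Windows group 'win' maps to, or None
    when no rule applies or the matching rule inhibits mapping.  'win' is
    taken to be the canonical name as found in the directory entry."""
    groups = set(unix_groups)
    for rule in sorted(rules, key=_wildcards):
        if not _matches(rule.win_group, win):
            continue
        if rule.unix_group == "":
            return None                      # "" inhibits mapping
        if rule.unix_group != "*":
            return rule.unix_group           # explicit Solaris target
        canonical, _ = _split(win)
        if canonical in groups:
            return canonical                 # Solaris group with matching case exists
        return canonical.lower()             # otherwise fold to lower case
    return None
```

With only the wildcard rule, sales@example.com resolves to "sales", which is not the Solaris group Sales; adding the explicit rule from the caution fixes that pairing.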