Oracle Solaris SMB and Windows Interoperability Administration Guide, Oracle Solaris 11 Express 11/10
Mapping User and Group Identities

The Solaris SMB server is designed to reside in a multiprotocol environment and provide an integrated model for sharing data between Windows and Oracle Solaris systems. Although files can be accessed simultaneously from both Windows and Oracle Solaris systems, no industry-standard mechanism is available to define a user in both Windows and Oracle Solaris environments. Objects can be created in either environment, but traditionally the access control semantics for each environment are vastly different. The Oracle Solaris OS is adopting the Windows model of access control lists (ACLs) by introducing ACLs in NFSv4 and the ZFS file system, and by providing the idmap identity mapping service.

The Solaris SMB server uses identity mapping to establish an equivalence relationship between an Oracle Solaris user or group and a Windows user or group, in which both the Oracle Solaris and Windows identities are deemed to have equivalent rights on the system.

The Solaris SMB server determines the Windows user's Oracle Solaris credentials by using the idmap service to map the SIDs in the user's Windows access token to UIDs and GIDs, as appropriate. The service checks the mappings, and if a match for the Windows domain name and Windows entity name is found, the Oracle Solaris UID or GID is taken from the matching entry. If no match is found, an ephemeral UID or GID is dynamically allocated. An ephemeral ID is a dynamic UID or GID mapping for an SID that is not already mapped by name. An ephemeral ID does not persist across Oracle Solaris system reboots. Ephemeral mappings enable the Solaris SMB server to work in a Windows environment without having to configure any name-based mappings.

The idmap service supports the following types of mappings between Windows security identifiers (SIDs) and Oracle Solaris user IDs and group IDs (UIDs and GIDs):

You can use the idmap command to create and manage the rule-based mappings. These rules map the specified Windows name to the specified Oracle Solaris name, and map the specified Oracle Solaris name to the specified Windows name. By default, rule-based mappings that you create are bidirectional.

The following example shows a bidirectional mapping of the Windows user dana@example.com to danas, the Oracle Solaris user. Note that dana@example.com maps to danas, and danas maps to dana@example.com.

dana@example.com == danas

For more information about other mapping types, see the idmap(1M) man page.
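The lookup order described above (consult the name-based rules first, hand out an ephemeral ID only when no rule matches, and forget ephemeral IDs at reboot) can be seen end to end in the following shell model. This is an added example and not code from the guide or from the idmap service itself: it stands in for SIDs with Windows names, keeps the constructed rules in the same "windows-name == unix-name" form the guide shows, and the ephemeral base value it uses is an assumption for the model only, not the range the real service allocates from.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: a shell model of the idmap
# lookup flow (rules first, then ephemeral IDs that live only until reboot).

# Constructed rule table in the "windows-name == unix-name" form the guide shows.
# A "==" rule is bidirectional, which the guide says is the default.
RULES='dana@example.com == danas
pat@example.com == patk'

# Ephemeral IDs: the base value is an assumption for this model only.
EPHEMERAL_BASE=2147483648
EPHEMERAL_NEXT=$EPHEMERAL_BASE
EPHEMERAL_TABLE=''          # lines of "windows-name id"; emptied by reboot_idmap

# Result of the last lookup: RESULT holds the mapped name or ID,
# RESULT_KIND is "rule", "ephemeral" or "none".
RESULT=''
RESULT_KIND=''

# Look up a rule in either direction.
# $1 = field to match (1 = Windows side, 3 = Oracle Solaris side), $2 = name.
# Prints the opposite side of the first matching rule, or nothing.
rule_lookup() {
    printf '%s\n' "$RULES" | awk -v f="$1" -v n="$2" \
        '$2 == "==" && $f == n { print (f == 1 ? $3 : $1); exit }'
}

# Allocate, or reuse within the same "boot", an ephemeral ID for a Windows
# identity that no rule covers.
allocate_ephemeral() {
    existing=$(printf '%s\n' "$EPHEMERAL_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }')
    if [ -n "$existing" ]; then
        RESULT=$existing
    else
        RESULT=$EPHEMERAL_NEXT
        EPHEMERAL_NEXT=$((EPHEMERAL_NEXT + 1))
        EPHEMERAL_TABLE="$EPHEMERAL_TABLE
$1 $RESULT"
    fi
    RESULT_KIND=ephemeral
}

# Windows -> Oracle Solaris: a rule match wins, otherwise an ephemeral ID.
win_to_unix() {
    m=$(rule_lookup 1 "$1")
    if [ -n "$m" ]; then
        RESULT=$m; RESULT_KIND=rule
    else
        allocate_ephemeral "$1"
    fi
}

# Oracle Solaris -> Windows: the same bidirectional rules apply in reverse.
unix_to_win() {
    m=$(rule_lookup 3 "$1")
    if [ -n "$m" ]; then
        RESULT=$m; RESULT_KIND=rule
    else
        RESULT=''; RESULT_KIND=none
    fi
}

# Ephemeral mappings do not survive a reboot: drop the table and restart.
reboot_idmap() {
    EPHEMERAL_TABLE=''
    EPHEMERAL_NEXT=$EPHEMERAL_BASE
}

# Walk through the lookup with the constructed rules.
for name in dana@example.com guest@example.com guest@example.com; do
    win_to_unix "$name"
    printf '%-20s -> %s (%s)\n' "$name" "$RESULT" "$RESULT_KIND"
done
unix_to_win danas
printf '%-20s -> %s (%s)\n' danas "$RESULT" "$RESULT_KIND"
```

Run the script as-is to see the walk-through: the user with a rule resolves to the configured name in both directions, while an unmapped identity gets an ephemeral ID that is reused on the second lookup and would be handed out afresh after reboot_idmap. The practical consequence for an administrator is that a numeric UID or GID seen on a file owned by an unmapped Windows identity is only meaningful until the next reboot, so identities should be resolved with the idmap show task the guide lists rather than recorded by number.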