Oracle Solaris SMB and Windows Interoperability Administration Guide, Oracle Solaris 11 Express 11/10
The Solaris SMB server is designed to reside in a multiprotocol environment and provide an integrated model for sharing data between Windows and Oracle Solaris systems. Although files can be accessed simultaneously from both Windows and Oracle Solaris systems, no industry-standard mechanism is available to define a user in both Windows and Oracle Solaris environments. Objects can be created in either environment, but traditionally the access control semantics for each environment are vastly different. The Oracle Solaris OS is adopting the Windows model of access control lists (ACLs) by introducing ACLs in NFSv4 and the ZFS file system, and by providing the idmap identity mapping service.
The Solaris SMB server uses identity mapping to establish an equivalence relationship between an Oracle Solaris user or group and a Windows user or group, in which both the Oracle Solaris and Windows identities are deemed to have equivalent rights on the system.
The Solaris SMB server determines the Windows user's Oracle Solaris credentials by using the idmap service to map the SIDs in the user's Windows access token to UIDs and GIDs, as appropriate. The service checks the mappings and if a match for the Windows domain name and Windows entity name is found, the Oracle Solaris UID or GID is taken from the matching entry. If no match is found, an ephemeral UID or GID is dynamically allocated. An ephemeral ID is a dynamic UID or GID mapping for an SID that is not already mapped by name. An ephemeral ID does not persist across Oracle Solaris system reboots. Ephemeral mappings enable the Solaris SMB server to work in a Windows environment without having to configure any name-based mappings.
The idmap service supports the following types of mappings between Windows security identifiers (SIDs) and Oracle Solaris user IDs and group IDs (UIDs and GIDs):
Directory-based mapping. If configured, idmap first tries to use mapping information that is stored in a directory with other user and group information.
Directory-based name mapping. In this mode, idmap tries to use name mapping information that is stored in user or group objects in the Active Directory (AD), in the native LDAP directory service, or in both. For instance, an AD object for a particular Windows user or group can be augmented to include the corresponding Oracle Solaris user or group name. Similarly, the native LDAP object for a particular Oracle Solaris user or group can be augmented to include the corresponding Windows user or group name.
You can configure idmap to use AD, native LDAP directory-based name mappings, or both, by setting the idmap service properties in SMF. See Service Properties in the idmap(1M) man page.
Identity Management for UNIX (IDMU). In this mode, idmap tries to use UID or GID information that is stored in the AD data for the Windows user or group. IDMU is an optional AD component that was added in Windows Server 2003 R2. IDMU adds a UNIX Attributes tab to the Active Directory Users and Computers user interface.
If directory-based name mapping is not configured, or if it is configured but the user or group entry does not include mapping data, idmap will continue to try additional mapping mechanisms.
Rule-based mapping. This mechanism allows the administrator to define rules that associate Windows and Oracle Solaris users and groups by name.
Ephemeral ID mapping. Windows users and groups that have no corresponding Oracle Solaris user or group are assigned temporary UIDs and GIDs. Over two billion identifiers are available for use. This mechanism is largely transparent if you have the ad module configured in the passwd and group lines of the /etc/nsswitch.conf file. For more information, see Chapter 16, Setting Up Oracle Solaris Active Directory Clients, in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
You can use the idmap command to create and manage the rule-based mappings. These rules map the specified Windows name to the specified Oracle Solaris name, and map the specified Oracle Solaris name to the specified Windows name. By default, rule-based mappings that you create are bidirectional.
The following example shows a bidirectional mapping of the Windows user dana@example.com to danas, the Oracle Solaris user. Note that dana@example.com maps to danas, and danas maps to dana@example.com.
dana@example.com == danas
For more information about other mapping types, see the idmap(1M) man page.
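The following Python model, added here as an illustration and not part of the idmap implementation or this guide, walks through the lookup order described above: directory-based name mapping, IDMU, rule-based mapping, and finally ephemeral allocation. The directory contents, the attribute names ("unixname", "uidNumber"), the user table and the ephemeral base value are all constructed assumptions.

```python
from itertools import count

EPHEMERAL_BASE = 2 ** 31  # assumption: where the dynamic ID range begins

# Constructed AD user objects, keyed by Windows name (attribute names are made up).
AD_USERS = {
    "dana@example.com": {"unixname": "danas"},   # directory-based name mapping
    "pat@example.com": {"uidNumber": 1501},      # IDMU "UNIX Attributes" data
    "guest@example.com": {},                     # entry exists, but no mapping data
}
PASSWD = {"danas": 1001, "terry": 1002}          # constructed Oracle Solaris users


class IdmapModel:
    def __init__(self):
        self.rules = []          # (windows name, unix name, bidirectional)
        self.ephemeral = {}      # windows name -> UID; lost on reboot
        self._next = count(EPHEMERAL_BASE)

    def add_rule(self, winname, unixname, bidirectional=True):
        self.rules.append((winname, unixname, bidirectional))

    def win_to_uid(self, winname):
        """Return (uid, source) for a Windows user, trying sources in order."""
        obj = AD_USERS.get(winname, {})
        if obj.get("unixname") in PASSWD:               # 1. directory-based name
            return PASSWD[obj["unixname"]], "directory-name"
        if "uidNumber" in obj:                          # 2. IDMU
            return obj["uidNumber"], "idmu"
        for w, u, _ in self.rules:                      # 3. rule-based
            if w == winname and u in PASSWD:
                return PASSWD[u], "rule"
        # 4. ephemeral: allocate once per name, reuse until reboot
        return self.ephemeral.setdefault(winname, next(self._next)), "ephemeral"

    def unix_to_win(self, unixname):
        """Reverse direction: directory data, then bidirectional rules only."""
        for w, obj in AD_USERS.items():
            if obj.get("unixname") == unixname:
                return w
        for w, u, bidir in self.rules:
            if u == unixname and bidir:
                return w
        return None

    def reboot(self):
        """Ephemeral IDs do not persist across a reboot."""
        self.ephemeral.clear()
        self._next = count(EPHEMERAL_BASE)
```

Note that a Windows name with no directory data and no rule is still resolvable, but its UID changes after a reboot while named mappings stay stable.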