JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle® ZFS Storage Appliance Administration Guide
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Using This Documentation

Chapter 1 Oracle ZFS Storage Appliance Overview

Chapter 2 Status

Chapter 3 Initial Configuration

Chapter 4 Network Configuration

Chapter 5 Storage Configuration

Chapter 6 Storage Area Network Configuration

Chapter 7 User Configuration

Chapter 8 Setting ZFSSA Preferences

Chapter 9 Alert Configuration

Chapter 10 Cluster Configuration

Chapter 11 ZFSSA Services

Available Services

Data Services

Directory Services

Service Settings

Remote Access Services

Security Services

Minimum Needed Ports

Configuring Services Using the BUI

Viewing a Specific Service Screen

Viewing a Specific Service Screen

Enabling a Service

Disabling a Service

Defining Properties

Viewing Service Logs

Configuring Services Using the CLI

Selecting a Service

Viewing a Service's State

Enabling a Service

Disabling a Service

Setting Properties

Viewing Service Help

NFS

Properties

Kerberos Realms

Service Logs

NFS Analytics

NFS BUI and CLI Properties

Sharing a Filesystem over NFS

iSCSI Service

iSCSI Service Properties

iSCSI Service Authentication

iSCSI Service Authorization

iSCSI Service Targets and Initiators

iSCSI Troubleshooting

SMB Service

SMB Service Properties

SMB Share Properties

NFS/SMB Interoperability

SMB DFS Namespaces

SMB Microsoft Stand-alone DFS Namespace Management Tools Support Matrix

Example: Manipulating DFS Namespaces

SMB Autohome Service

Adding SMB Autohome Rules

SMB Local Groups

Adding a User to an SMB Local Group

SMB Local Accounts

SMB MMC Integration

SMB Event Viewer

SMB Share Management

SMB Users, Groups, and Connections

Listing SMB Services

Configuring SMB Using the BUI

Initial Configuration

Active Directory Configuration

Project and Share Configuration

SMB Data Service Configuration

FTP Service

FTP Properties

FTP General Settings

FTP Security Settings

FTP Logs

Configuring FTP Using the BUI

Allowing FTP Access to a share

HTTP Service

HTTP Properties

HTTP Authentication and Access Control

HTTP Logs

Configuring HTTP

Allowing HTTP access to a share

NDMP Service

NDMP Local vs. Remote Configurations

NDMP Backup Formats and Types

NDMP Back up with

NDMP Back up with

NDMP Incremental backups

NDMP Properties

NDMP Logs

Remote Replication

Shadow Migration

Shadow Migration Properties

SFTP Service

SFTP Properties

SFTP Port

SFTP Logs

Configuring SFTP

Allowing SFTP access to a share

Configuring SFTP Services for Remote Access

SRP Service

TFTP Service

TFTP Properties

Configuring TFTP

Allowing TFTP access to a share

Virus Scan Service

Virus Scan Properties

Virus Scan File Extensions

Scanning Engines

Virus Scan Logs

Configuring Virus Scan

Configuring virus scanning for a share

NIS Service

NIS Properties

NIS Logs

Configuring NIS

Adding an appliance administrator from NIS

LDAP Service

LDAP Properties

LDAP Custom Mappings

LDAP Logs

Configuring LDAP

Adding an appliance administrator

Active Directory

Active Directory Properties

Active Directory Join Domain

Active Directory Join Workgroup

Active Directory Domains and Workgroups

Active Directory LDAP Signing

Active Directory Windows Server 2012 Support

Active Directory Windows Server 2008 Support

Active Directory Windows Server 2008 Support Section A: Kerberos issue (KB951191)

Active Directory Windows Server 2008 Support Section B: NTLMv2 issue (KB957441)

Active Directory Windows Server 2008 Support Section C: Note on NTLMv2

Configuring Active Directory Using the BUI

Joining a Domain

Joining a Workgroup

Configuring Active Directory Using the CLI

Example - Configuring Active Directory Using the CLI

Identity Mapping Service

Identity Mapping Properties

Identity Mapping Rule-based Mapping

Identity Mapping Directory-based Mapping

Identity Mapping IDMU

Identity Mapping Rules

Deny Mappings

Mapping Rule Directional Symbols

Identity Mapping Mappings

Identity Mapping Logs

Identity Mapping Best Practices

Identity Mapping Concepts

Identity Mapping Case Sensitivity

Mapping Persistence

Identity Mapping Domain-Wide Rules

Ephemeral Mapping

Identity Mapping Examples

Configuring Identity Mapping

Configuring Identity Mapping

Viewing or Flushing Mappings

DNS Service

DNS Properties

Configuring DNS

DNS Logs

Active Directory and DNS

Non-DNS Resolution

DNS-Less Operation

Dynamic Routing Service

RIP and RIPng Dynamic Routing Protocols

Dynamic Routing Logs

IPMP Service

IPMP Properties

IPMP Logs

NTP Service

NTP Properties

NTP Validation

NTP Authentication

NTP BUI Clock

NTP Tips

Configuring NTP Using the BUI

BUI Clock Synchronization

Configuring NTP Using the CLI

Phone Home Service

Oracle Single Sign-On Account

Phone Home Properties

Phone Home Web Proxy

Registering the Appliance

Registering the Appliance Using the BUI

Registering the Appliance Using the CLI

Changing Account Information

Phone Home Status

Phone Home State

Phone Home Logs

REST

RESTful API

Service Tags

Service Tag Properties

SMTP Service

SMTP Properties

SMTP Logs

SNMP Service

SNMP Properties

SNMP MIBs

Sun FM MIB

Sun AK MIB

Confinguring SNMP

Configuring SNMP to Serve Appliance Status

Configuring SNMP to Send Traps

Syslog Service

Syslog Properties

Classic Syslog: RFC 3164

Updated Syslog: RFC 5424

SYSLOG Message Format

SYSLOG Alert Message Format

Receiver Configuration Examples

Configuring a Solaris Receiver

Configuring a Linux Receiver

System Identity

System Identity Properties

System Identity Logs

SSH Service

SSH Properties

SSH Logs

Configuring SSH

Disabling root SSH access

Chapter 12 Shares, Projects, and Schema

Chapter 13 Replication

Chapter 14 Shadow Migration

Chapter 15 CLI Scripting

Chapter 16 Maintenance Workflows

Chapter 17 Integration

Index

Identity Mapping Concepts

The SMB service uses the identity mapping service to associate Windows and Unix identities. When the SMB service authenticates a user, it uses the identity mapping service to map the user's Windows identity to the appropriate Unix identity. If no Unix identity exists for a Windows user, the service generates a temporary identity using an ephemeral UID and GID. These mappings allow a share to be exported and accessed concurrently by SMB and NFS clients. By associating Windows and Unix identities, an NFS and SMB client can share the same identity, thereby allowing access to the same set of files.

In the Windows operating system, an access token contains the security information for a login session and identifies the user, the user's groups, and the user's privileges. Administrators define Windows users and groups in a Workgroup, or in a SAM database, which is managed on an Active Directory domain controller. Each user and group has a SID. An SID uniquely identifies a user or group both within a host and a local domain, and across all possible Windows domains.

Unix creates user credentials based on user authentication and file permissions. Administrators define Unix users and groups in local password and group files or in a name or directory service, such as NIS and LDAP. Each Unix user and group has a UID and a GID. Typically, the UID or GID uniquely identifies a user or group within a single Unix domain. However, these values are not unique across domains.

Identity Mapping Case Sensitivity

Windows names are case-insensitive and Unix names are case-sensitive. The user names JSMITH, JSmith, and jsmith are equivalent names in Windows, but they are three distinct names in Unix. Case sensitivity affects name mappings differently depending on the direction of the mapping.

Mapping Persistence

When the identity mapping service provides a name mapping, it stores the mapping for 10 minutes, at which point the mapping expires. Within its 10-minute life, a mapping is persistent across restarts of the identity mapping service. If the SMB server requests a mapping for the user after the mapping has expired, the service re-evaluates the mappings.

Changes to the mappings or to the name service directories do not affect existing connections within the 10-minute life of a mapping. The service evaluates mappings only when the client tries to connect to a share and there is no unexpired mapping.

Identity Mapping Domain-Wide Rules

A domain-wide mapping rule matches some or all of the names in a Windows domain to Unix names. The user names on both sides must match exactly (except for case sensitivity conflicts, which are subject to the rules discussed earlier). For example, you can create a bidirectional rule to match all Windows users in "myDomain.com" to Unix users with the same name, and vice-versa. For another example you can create a rule that maps all Windows users in "myDomain.com" in group "Engineering" to Unix users of the same name. You cannot create domain-wide mappings that conflict with other mappings.

Ephemeral Mapping

If no name-based mapping rule applies for a particular user, that user will be given temporary credentials through an ephemeral mapping unless they are blocked by a deny mapping. When a Windows user with an ephemeral Unix name creates a file on the system, Windows clients accessing the file using SMB see that the file is owned by that Windows identity. However, NFS clients see that the file is owned by "nobody".