About Rule-Based Identity Mapping for Users and Groups
Windows systems and Oracle Solaris systems use different identity schemes to determine who is permitted to access systems and system objects. When the Oracle Solaris SMB server is integrated into an existing Windows domain, the Oracle Solaris user IDs and group IDs must have equivalent Windows identities to use for authorization and file access. The SMB server uses identity mapping software to perform these tasks.
By default, no rule-based mappings are configured. In this case, non-ephemeral Oracle Solaris UIDs and GIDs are mapped to local SIDs. Local SIDs are composed of the server's SID and an RID that is derived algorithmically from the UID or GID. Similarly, domain user and group SIDs are mapped to ephemerally, dynamically allocated UIDs and GIDs. A system administrator can also create a set of rule-based mappings to map users and groups by name. Such rule-based mapping requires that Windows uses Active Directory and that the specified users and groups must already exist.
Formatting Group and User Names
By default, the SMB server uses ephemeral identity mapping. Shell special characters, such as the double quote character ("), the asterisk character (*), and the backslash character (\), must be quoted when used as user names and domain names.
You define the names of Oracle Solaris and Windows users and groups by using specific formats.
-
wingroup:group-name@domain-name
-
wingroup:'domain-name\group-name'
For Windows groups, use one of the following formats:
-
winuser:username@domain-name
-
winuser:'domain-name\username'
For Windows users, use one of the following formats:
For Oracle Solaris groups, use the format unixgroup:group-name.
For Oracle Solaris users, use the format unixuser:username.
Note - Because only directional mappings can have an empty string ("") as their target identity, if you assign an empty string as a user name or group name, the identity service does not create a mapping and the nobody ID is used for access control. Therefore, to preclude logins by unmapped Windows users, do not assign an empty string as a user name or group name.
Using the wildcard character (*) matches all user names that are not matched by other mappings. Similarly, using the wildcard Windows name (*@*) matches all user names in all domains that are not matched by other mappings.
Using the wildcard on both sides of the mapping makes the user or group name the same for both Windows and Oracle Solaris users. For example, the '*@example.com' == '*' rule ensures that the jp@example.com Windows user name maps to the jp Oracle Solaris user name.
Note that the case of Windows names that appear in idmap name rules and in idmap show commands is ignored. However, because Windows names are not case sensitive but Oracle Solaris names are case sensitive, be careful when creating rule-based mappings that use wildcards for the user or group names.
 | Caution - Although Oracle Solaris environments typically use lowercase characters for user names, uppercase characters are permitted. Therefore, using a wildcard to map Windows names to Oracle Solaris user names might not produce the expected results. Rule-based mapping rules that use the unixuser:* or unixgroup:* target map to the Oracle Solaris name as follows:
# idmap add winuser:'*@example.com' unixuser:'*' # idmap add winuser:kerry@example.com unixuser:KerryFor example, to map Oracle Solaris group Sales to Windows group sales@example.com, you must create the following rule: # idmap add wingroup:'*@example.com' unixgroup:'*' # idmap add wingroup:sales@example.com unixgroup:Sales |