Managing SMB File Sharing and Windows Interoperability in Oracle® Solaris 11.3

Updated: December 2017
About Rule-Based Identity Mapping for Users and Groups

Windows systems and Oracle Solaris systems use different identity schemes to determine who is permitted to access systems and system objects. When the Oracle Solaris SMB server is integrated into an existing Windows domain, the Oracle Solaris user IDs and group IDs must have equivalent Windows identities to use for authorization and file access. The SMB server uses identity mapping software to perform these tasks.

By default, no rule-based mappings are configured. In this case, non-ephemeral Oracle Solaris UIDs and GIDs are mapped to local SIDs. A local SID is composed of the server's SID and an RID that is derived algorithmically from the UID or GID. Similarly, domain user and group SIDs are mapped to ephemeral, dynamically allocated UIDs and GIDs. A system administrator can also create a set of rule-based mappings that map users and groups by name. Such rule-based mapping requires that the Windows side uses Active Directory and that the specified users and groups already exist.

Formatting Group and User Names

By default, the SMB server uses ephemeral identity mapping. Shell special characters, such as the double quote character ("), the asterisk character (*), and the backslash character (\), must be quoted when used as user names and domain names.

You define the names of Oracle Solaris and Windows users and groups by using specific formats.

For Windows groups, use one of the following formats:

  • wingroup:group-name@domain-name

  • wingroup:'domain-name\group-name'

For Windows users, use one of the following formats:

  • winuser:username@domain-name

  • winuser:'domain-name\username'

For Oracle Solaris groups, use the format unixgroup:group-name.

For Oracle Solaris users, use the format unixuser:username.


Note - Because only directional mappings can have an empty string ("") as their target identity, if you assign an empty string as a user name or group name, the identity service does not create a mapping and the nobody ID is used for access control. Therefore, to preclude logins by unmapped Windows users, do not assign an empty string as a user name or group name.

Using the wildcard character (*) matches all user names that are not matched by other mappings. Similarly, using the wildcard Windows name (*@*) matches all user names in all domains that are not matched by other mappings.

Using the wildcard on both sides of the mapping makes the user or group name the same for both Windows and Oracle Solaris users. For example, the '*@example.com' == '*' rule ensures that the jp@example.com Windows user name maps to the jp Oracle Solaris user name.

Note that the case of Windows names that appear in idmap name rules and in idmap show commands is ignored. However, because Windows names are not case sensitive but Oracle Solaris names are case sensitive, be careful when creating rule-based mappings that use wildcards for the user or group names.


Caution - Although Oracle Solaris environments typically use lowercase characters for user names, uppercase characters are permitted. Therefore, using a wildcard to map Windows names to Oracle Solaris user names might not produce the expected results. Rule-based mapping rules that use the unixuser:* or unixgroup:* target map to the Oracle Solaris name as follows:

  • Map the canonical Windows name, which uses the name found in the directory entry, to the matching Oracle Solaris name.

  • If no such Oracle Solaris name exists, make the case of the canonical Windows name lowercase and use it as the SMB name.

As a result of this differing treatment of case, names that appear to be alike might not be recognized as matches, so you must create rules to handle such pairings. For example, to map Oracle Solaris user Kerry to Windows user kerry@example.com, you must create the following rules:

    # idmap add winuser:'*@example.com' unixuser:'*'
    # idmap add winuser:kerry@example.com unixuser:Kerry

Similarly, to map Oracle Solaris group Sales to Windows group sales@example.com, you must create the following rules:

    # idmap add wingroup:'*@example.com' unixgroup:'*'
    # idmap add wingroup:sales@example.com unixgroup:Sales
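To make the case-handling behaviour in the caution above concrete, the following is an added Python model of how name rules resolve a Windows user to an Oracle Solaris account. It is not Oracle's idmap code: the rule precedence (exact-name rules before wildcard rules), the account lists and the Windows directory names are constructed assumptions.

```python
"""Toy model of idmap name-rule evaluation for the case-sensitivity caveat.
Not Oracle's idmap implementation; precedence order and sample data are
assumptions chosen to illustrate the rules described in the text."""
from typing import List, Tuple

# Constructed sample data: Oracle Solaris accounts (case sensitive) and the
# canonical Windows names as stored in the directory entries (case insensitive).
SOLARIS_USERS = {"jp", "Kerry", "nobody"}
WINDOWS_DIRECTORY = {"jp@example.com": "jp", "kerry@example.com": "kerry"}


def parse_rule(rule: str) -> Tuple[str, str]:
    """Turn "winuser:'*@example.com' unixuser:'*'" into ('*@example.com', '*')."""
    def body(token: str) -> str:
        return token.split(":", 1)[1].strip("'\"")
    win, unix = rule.split()
    return body(win), body(unix)


def resolve(win_name: str, rules: List[str]) -> str:
    """Map a Windows user name to an Oracle Solaris name.

    Windows names compare case-insensitively; Solaris names must match exactly.
    Returns 'nobody' when no rule yields an existing Solaris account."""
    user, domain = win_name.lower().split("@")
    canonical = WINDOWS_DIRECTORY.get(win_name.lower())
    parsed = [parse_rule(r) for r in rules]
    # Assumption: exact-name rules are evaluated before wildcard rules.
    ordered = sorted(parsed, key=lambda p: p[0].startswith("*"))
    for win_pat, unix_target in ordered:
        pat_user, pat_domain = win_pat.lower().split("@")
        if pat_domain not in ("*", domain) or pat_user not in ("*", user):
            continue
        if unix_target == "":
            # Empty target: no mapping is created, the nobody ID is used.
            return "nobody"
        if unix_target != "*":
            # Explicit target is used as written; the account must already exist.
            return unix_target if unix_target in SOLARIS_USERS else "nobody"
        # Wildcard target: try the canonical Windows name, then its lowercase form.
        for candidate in (canonical, canonical.lower() if canonical else None):
            if candidate in SOLARIS_USERS:
                return candidate
        return "nobody"
    return "nobody"
```

With only the wildcard rule, kerry@example.com resolves to nobody because neither "kerry" nor its lowercase form is a Solaris account, which is why the explicit unixuser:Kerry rule is needed.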