Oracle® ZFS Storage Appliance Security Guide, Release OS8.7.x

Updated: September 2017

Identity Mapping

Clients can access file resources on the Oracle ZFS Storage Appliance using SMB or NFS, and each has a unique user identifier. SMB/Windows users have Security Descriptors (SIDs) and UNIX/Linux users have User IDs (UIDs). Users can also be members of groups that are identified by Group SIDs for Windows users or Group IDs (GIDs) for UNIX/Linux users.

In environments where file resources are accessed using both protocols, it is often desirable to establish identity equivalences where, for example, a UNIX user is equivalent to an Active Directory user. This is important for determining access rights to file resources on the appliance.

There are different types of identity mapping that involve Directory Services, such as Active Directory, LDAP, and NIS. Care should be taken to follow the security best practices for the directory service being used.

Identity Management for UNIX

Microsoft offers a feature called Identity Management for UNIX (IDMU). This software is available for Windows Server 2003 and is bundled with Windows Server 2003 R2 and later. In its unbundled form, this feature was part of what was formerly called Services for UNIX.

The primary use of IDMU is to support Windows as a NIS/NFS server. IDMU lets the administrator specify a number of UNIX-related parameters: UID, GID, login shell, home directory, and the equivalent parameters for groups. These parameters are made available through AD, using a schema similar to but not the same as RFC 2307, and through the NIS service.

When the IDMU mapping mode is used, the identity mapping service uses these UNIX attributes to establish mappings between Windows and UNIX identities. This approach is very similar to directory-based mapping, except the identity mapping service queries the property schema established by the IDMU software instead of allowing a custom schema. When this approach is used, no other directory-based mapping can be used.

Directory-based Mapping

Directory-based mapping involves annotating an LDAP or Active Directory object with information about how the identity maps to an equivalent identity on the opposite platform. These extra attributes associated with the object must be configured.

Name-based Mapping

Name-based mapping involves creating various rules that map identities by name. These rules establish equivalences between Windows identities and UNIX identities.

Ephemeral Mapping

If no name-based mapping rule applies to a particular user, that user is given temporary credentials through an ephemeral mapping unless blocked by a deny mapping. When a Windows user with an ephemeral UNIX identity creates a file on the system, Windows clients accessing the file over SMB see that the file is owned by that Windows identity. However, NFS clients see that the file is owned by “nobody”.
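The following is an added example, not code from the Oracle guide or the appliance: a small Python model of the precedence the sections above describe (directory/IDMU attributes first, then name-based rules, then the ephemeral fallback unless a deny mapping blocks it) and of the owner each protocol then sees on a file. The rule ordering, the UID values, the ephemeral UID range and the audit helper are assumptions made for illustration.

```python
# Illustrative model only; the appliance's real identity mapping service is not shown here.
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

EPHEMERAL_UIDS = count(2147483648)   # constructed: a high range that no real UNIX account uses
NOBODY = "nobody"                    # what NFS clients see for an ephemeral owner

@dataclass
class MappingConfig:
    directory: dict = field(default_factory=dict)   # Windows name -> UNIX name (IDMU / RFC 2307-like attributes)
    rules: list = field(default_factory=list)       # name-based rules, in order: (windows_name, unix_name)
    deny: set = field(default_factory=set)          # Windows names blocked by a deny mapping
    passwd: dict = field(default_factory=dict)      # UNIX name -> UID, as NFS clients would resolve it
    ephemeral: dict = field(default_factory=dict)   # cache so one identity keeps one ephemeral UID

@dataclass
class Mapping:
    windows_name: str
    unix_name: Optional[str]   # None for an ephemeral or denied identity
    uid: Optional[int]
    kind: str                  # "directory", "name-based", "ephemeral" or "denied"

def map_windows_user(cfg: MappingConfig, windows_name: str) -> Mapping:
    """Resolve a Windows identity to UNIX credentials using the assumed precedence."""
    if windows_name in cfg.deny:                    # a deny mapping blocks even the ephemeral fallback
        return Mapping(windows_name, None, None, "denied")
    unix = cfg.directory.get(windows_name)          # directory-based / IDMU attribute is consulted first
    if unix in cfg.passwd:
        return Mapping(windows_name, unix, cfg.passwd[unix], "directory")
    for win_name, unix in cfg.rules:                # then name-based rules, first matching rule wins
        if win_name == windows_name and unix in cfg.passwd:
            return Mapping(windows_name, unix, cfg.passwd[unix], "name-based")
    if windows_name not in cfg.ephemeral:           # no rule applies: temporary (ephemeral) credentials
        cfg.ephemeral[windows_name] = next(EPHEMERAL_UIDS)
    return Mapping(windows_name, None, cfg.ephemeral[windows_name], "ephemeral")

def owner_seen_by(m: Mapping, protocol: str) -> str:
    """Owner name a client sees on a file created by this identity."""
    if protocol == "SMB":
        return m.windows_name                       # SMB resolves the stored SID back to the Windows name
    return m.unix_name if m.unix_name else NOBODY   # NFS has no account behind an ephemeral UID

def ephemeral_users(cfg: MappingConfig, names) -> list:
    """Audit helper: identities that would fall through to ephemeral mapping (files appear as 'nobody' over NFS)."""
    return [n for n in names if map_windows_user(cfg, n).kind == "ephemeral"]
```

Running `ephemeral_users` over the accounts expected to share files across both protocols is a quick way to find identities that still lack a directory-based or name-based mapping.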