Oracle® ZFS Storage Appliance Administration Guide, Release OS8.7.x

Updated: November 2018

Identity Mapping Concepts

The SMB service uses the identity mapping service to associate Windows and UNIX identities. When the SMB service authenticates a user, it asks the identity mapping service to map the user's Windows identity (SID) to the corresponding UNIX identity (UID and GIDs). If no UNIX identity exists for a Windows user, the service generates a temporary identity using an ephemeral UID and GID. An ephemeral ID is not a stable identity: no UNIX account corresponds to it, so files that such a user creates over SMB cannot be shared consistently with NFS clients. Proper mappings allow a share to be exported and accessed concurrently by SMB and NFS clients: by associating a Windows identity with a UNIX identity, the NFS and SMB clients act as the same user and can access the same set of files under the same permissions.

In the Windows operating system, an access token contains the security information for a logon session and identifies the user, the user's groups, and the user's privileges. Administrators define Windows users and groups either locally, in the Security Account Manager (SAM) database of each host in a workgroup, or in Active Directory, which is managed on a domain controller. Each user and group has a SID, which uniquely identifies the user or group both within a host or local domain and across all Windows domains, because the SID embeds the identifier of the host or domain that issued it.

UNIX builds a user's credentials from the authenticated user name and checks those credentials against file permissions. Administrators define UNIX users and groups in local password and group files or in a name or directory service, such as NIS or LDAP. Each UNIX user and group has a UID and GID. Typically, the UID or GID uniquely identifies a user or group within a single UNIX domain. However, these values are not unique across domains: the same UID can denote different people in two NIS or LDAP domains, which is why a mapping must name the domain as well as the identity.

The following options are available when selecting a mapping mode:

  • Rule-based Mapping - Use for creating rules that map identities by name, thus establishing equivalences between Windows and UNIX identities. Mapping rules are useful when you want a user to access the same set of files through both SMB and NFS clients. Because rules match on account names rather than SIDs or UIDs, a Windows account that is deleted and re-created under the same name keeps the same mapping.

  • Directory-based Mapping - Use for annotating an LDAP or Active Directory object with information about how the identity maps to an equivalent identity on the opposite platform.

  • IDMU-based Mapping - Identity Management for UNIX (IDMU) is a feature that Microsoft offered as a separate download for Windows Server 2003 and bundled with Windows Server 2003 R2 and later. IDMU supports Windows as a NIS/NFS server by adding a "UNIX Attributes" panel to the Active Directory Users and Computers user interface. This allows administrators to specify a number of UNIX-related parameters, including UID, GID, login shell, and home directory. These parameters are made available through Active Directory using a schema similar to, but not the same as, RFC 2307, and through the NIS service. When the IDMU mapping mode is selected, the identity mapping service consumes these UNIX attributes to establish mappings between Windows and UNIX identities. This approach is very similar to directory-based mapping, except that the identity mapping service queries the property schema established by the IDMU software instead of allowing a custom schema. When this approach is used, no other directory-based mapping may occur. Note that Microsoft deprecated IDMU in Windows Server 2012 R2 and removed it from Windows Server 2016; the schema attributes it populated remain in Active Directory and can still be set with other tools, but a Windows account whose UNIX attributes were never filled in receives only an ephemeral identity.
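The following Python model, added here as an illustration and not taken from the appliance's own identity mapping code, shows how a Windows identity is resolved under the rule-based and IDMU-based modes described above and where the ephemeral fallback kicks in. It assumes a rule syntax (wildcards in the domain and name, first matching rule wins, "*" as the UNIX name meaning "same name as the Windows account"), an ephemeral ID range, and constructed sample directory and passwd data; none of those come from this page. The attribute names in the IDMU branch (uidNumber, gidNumber, unixHomeDirectory, loginShell) are the attributes IDMU populates in Active Directory. The audit function lists the accounts that would end up with an ephemeral UID and therefore cannot share files consistently with NFS users.

```python
"""Toy model of Windows -> UNIX identity resolution on a dual-protocol share.

Added illustration, not the appliance's implementation. Rule syntax, the
ephemeral range and all sample data are assumptions; uidNumber/gidNumber/
unixHomeDirectory/loginShell are the Active Directory attributes IDMU fills in.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

EPHEMERAL_BASE = 2 ** 31  # assumed start of the ephemeral pool; real values differ


@dataclass(frozen=True)
class NameRule:
    """Rule-based mapping: Windows DOMAIN\\name -> UNIX user name.

    '*' in windomain or winname matches anything; '*' as unixname means
    'the UNIX account with the same name as the Windows account'.
    """
    windomain: str
    winname: str
    unixname: str

    def matches(self, windomain: str, winname: str) -> bool:
        # Windows names are case-insensitive, so compare case-folded.
        return (fnmatchcase(windomain.lower(), self.windomain.lower())
                and fnmatchcase(winname.lower(), self.winname.lower()))


@dataclass(frozen=True)
class Mapping:
    uid: int
    source: str  # "rule", "idmu" or "ephemeral"


class IdentityMapper:
    def __init__(self, mode: str, rules=(), ad=None, passwd=None):
        if mode not in ("rules", "idmu"):
            raise ValueError(f"unsupported mode {mode!r}")
        self.mode = mode
        self.rules = list(rules)
        self.ad = ad or {}          # (domain, name), lower-cased -> AD attributes
        self.passwd = passwd or {}  # UNIX user name -> UID (case-sensitive, like /etc/passwd)
        self._ephemeral = {}        # (domain, name) -> ephemeral UID handed out so far

    def map_user(self, windomain: str, winname: str) -> Mapping:
        key = (windomain.lower(), winname.lower())
        if self.mode == "idmu":
            entry = self.ad.get(key)
            if entry and "uidNumber" in entry:  # UNIX Attributes panel was filled in
                return Mapping(int(entry["uidNumber"]), "idmu")
        else:
            for rule in self.rules:  # first matching rule wins (assumed semantics)
                if not rule.matches(windomain, winname):
                    continue
                target = winname.lower() if rule.unixname == "*" else rule.unixname
                if target in self.passwd:
                    return Mapping(self.passwd[target], "rule")
                break  # rule matched but names no UNIX user: fall through to ephemeral
        return Mapping(self._ephemeral_uid(key), "ephemeral")

    def _ephemeral_uid(self, key) -> int:
        # The same Windows identity keeps its ephemeral UID while this mapper
        # lives, but the number belongs to no UNIX account and is not stable.
        if key not in self._ephemeral:
            self._ephemeral[key] = EPHEMERAL_BASE + len(self._ephemeral)
        return self._ephemeral[key]


def audit_ephemeral(mapper: IdentityMapper, accounts):
    """Return 'DOMAIN\\name' for every account that only gets an ephemeral UID."""
    return [f"{d}\\{n}" for d, n in accounts
            if mapper.map_user(d, n).source == "ephemeral"]


# Constructed sample data (not from any real directory or host).
SAMPLE_PASSWD = {"alice": 1001, "backup": 2000}
SAMPLE_AD = {
    ("corp", "alice"): {"uidNumber": 1001, "gidNumber": 100,
                        "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    ("corp", "dave"): {},  # account exists but UNIX Attributes were never set
}
SAMPLE_RULES = [
    NameRule("CORP", "*", "*"),             # CORP\x -> UNIX user x
    NameRule("*", "svc_backup", "backup"),  # svc_backup from any domain -> backup
]
SAMPLE_ACCOUNTS = [("CORP", "Alice"), ("CORP", "dave"),
                   ("PARTNER", "svc_backup"), ("PARTNER", "bob")]

if __name__ == "__main__":
    rule_mapper = IdentityMapper("rules", rules=SAMPLE_RULES, passwd=SAMPLE_PASSWD)
    idmu_mapper = IdentityMapper("idmu", ad=SAMPLE_AD)
    for label, mapper in (("rule-based", rule_mapper), ("IDMU", idmu_mapper)):
        print(f"{label}: ephemeral only -> {audit_ephemeral(mapper, SAMPLE_ACCOUNTS)}")
```

Run the audit against your own rule set and account list before exporting a share to both protocols: every account it reports will appear on the NFS side as a numeric owner that no UNIX user holds.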