使用以下过程可通过身份映射服务授予或拒绝特定用户的凭证。"allow"(允许)映射规则向 Windows 身份授予 UNIX 身份中的凭证,反之亦然。"deny"(拒绝)映射规则阻止 Windows 身份接收 UNIX 身份的凭证,反之亦然。
开始之前
配置基于规则的映射,如配置身份映射 (CLI)中所述。
hostname:configuration services idmap> create hostname:configuration services idmap (uncommitted)>
可以使用 list 命令查看可用属性。
hostname:configuration services idmap (uncommitted)> list Properties: windomain = (unset) winname = (unset) direction = (unset) unixname = (unset) unixtype = (unset)
输入 * 可指示指定域中的所有用户。
win2unix-Windows 到 UNIX 的映射
unix2win-UNIX 到 Windows 的映射
bi-双向映射
hostname:configuration services idmap (uncommitted)> set windomain=demo.domain.com hostname:configuration services idmap (uncommitted)> set winname=* hostname:configuration services idmap (uncommitted)> set direction=win2unix hostname:configuration services idmap (uncommitted)> set unixname= hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit hostname:configuration services idmap>
可以使用 list 命令查看规则列表中的新规则。
hostname:configuration services idmap> list MAPPING WINDOWS ENTITY DIRECTION UNIX ENTITY idmap-000 Alice@demo.domain.com (U) == wdp (U) idmap-001 *@demo.domain.com (U) => "" (U)
在此示例中,创建了一个 Windows 用户与 Unix 用户之间的基于名称的双向映射。
hostname:> configuration services idmap hostname:configuration services idmap> create hostname:configuration services idmap (uncommitted)> set windomain=eng.fishworks.com hostname:configuration services idmap (uncommitted)> set winname=Bill hostname:configuration services idmap (uncommitted)> set direction=bi hostname:configuration services idmap (uncommitted)> set unixname=wdp hostname:configuration services idmap (uncommitted)> set unixtype=user hostname:configuration services idmap (uncommitted)> commit hostname:configuration services idmap> list MAPPING WINDOWS ENTITY DIRECTION UNIX ENTITY idmap-000 Bill@eng.fishworks.com (U) == wdp (U)示例 14 创建拒绝映射 (CLI)
在此示例中,创建了一个拒绝映射以阻止某域中的所有 Windows 用户获取凭证。
hostname:configuration services idmap> create hostname:configuration services idmap (uncommitted)> list Properties: windomain = (unset) winname = (unset) direction = (unset) unixname = (unset) unixtype = (unset) hostname:configuration services idmap (uncommitted)> set windomain=guest.fishworks.com hostname:configuration services idmap (uncommitted)> set winname=* hostname:configuration services idmap (uncommitted)> set direction=win2unix hostname:configuration services idmap (uncommitted)> set unixname= hostname:configuration services idmap (uncommitted)> set unixtype=user hostname:configuration services idmap (uncommitted)> commit hostname:configuration services idmap> list MAPPING WINDOWS ENTITY DIRECTION UNIX ENTITY idmap-000 Bill@eng.fishworks.com (U) == wdp (U) idmap-001 *@guest.fishworks.com (U) => "" (U)