SMB File Sharing Environment

An SMB server can operate in either workgroup mode or in domain mode. In workgroup mode, the SMB server is responsible for authenticating users locally when access is requested to shared resources. This authentication process is referred to as local login. In domain mode, user authentication is delegated to a domain controller.

When a user requests access to a file or other resource, the server compares the user's identity and group memberships to the access control list (ACL) on the resource. Oracle Solaris and the ZFS file system have been enhanced to support Windows users and Windows-style access checking.

The Oracle Solaris OS is unique in that it can manage user identities simultaneously by using both traditional UIDs (and GIDs) and Windows identities. When a user logs in to the SMB server, the user's SMB identity is mapped to the appropriate UNIX® identity. This mapping is performed by the idmap identity mapping service. If the Windows identity can be mapped to a UNIX identity, that identity is used. Otherwise, a temporary identity is generated by using ephemeral UIDs and GIDs, as required. Ephemeral IDs are valid only within a single Oracle Solaris OS instance and only until that system is rebooted. These IDs are never stored on disk or transmitted over the network. When an object owned by a temporary ID needs to be stored on disk, the Windows identity is stored instead.
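The two mechanisms described above, mapping a Windows identity to a UNIX ID (with ephemeral fallback and the on-disk rule for unmapped identities) and then checking the caller's user and group identities against an ACL, are modeled below as an added example. This is illustrative code written for this page, not Oracle Solaris or idmap source; the SIDs, UIDs, the ephemeral range base and the `IdentityMapper`/`access_allowed` names are constructed assumptions.

```python
"""Illustrative model of SMB identity mapping and ACL checking (added example,
not Oracle Solaris or idmap code). All SIDs, UIDs and the ephemeral range base
are constructed assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample mappings, standing in for name-based rules an administrator
# might create: Windows user "pat" -> UID 1001, "Domain Users" group -> GID 100.
EXPLICIT_MAPPINGS: Dict[str, int] = {
    "S-1-5-21-1000-2000-3000-1001": 1001,
    "S-1-5-21-1000-2000-3000-513": 100,
}

# Assumed start of the ephemeral range, kept above the ordinary UID/GID space
# so ephemeral IDs cannot collide with real accounts (value is illustrative).
EPHEMERAL_BASE = 0x80000000


class IdentityMapper:
    """Maps Windows SIDs to UNIX IDs; unmapped SIDs get in-memory ephemeral IDs."""

    def __init__(self, explicit: Dict[str, int]) -> None:
        self.explicit = dict(explicit)
        self.ephemeral: Dict[str, int] = {}   # SID -> ephemeral ID, never persisted
        self.next_ephemeral = EPHEMERAL_BASE

    def map_sid(self, sid: str) -> Tuple[int, bool]:
        """Return (unix_id, is_ephemeral) for a Windows SID."""
        if sid in self.explicit:
            return self.explicit[sid], False
        if sid not in self.ephemeral:
            self.ephemeral[sid] = self.next_ephemeral
            self.next_ephemeral += 1
        return self.ephemeral[sid], True

    def owner_record(self, sid: str) -> Tuple[str, object]:
        """What to write to disk for this principal: the UID when the mapping is
        stable, otherwise the Windows SID itself, because an ephemeral ID would
        be meaningless after a reboot."""
        unix_id, is_ephemeral = self.map_sid(sid)
        return ("sid", sid) if is_ephemeral else ("uid", unix_id)


def reboot(mapper: IdentityMapper) -> IdentityMapper:
    """Simulate a reboot: explicit rules survive, the ephemeral table does not."""
    return IdentityMapper(mapper.explicit)


@dataclass
class Ace:
    principal: str    # SID of the user or group this entry applies to
    allow: bool       # True = allow entry, False = deny entry
    perms: Set[str]   # e.g. {"read", "write"}


def access_allowed(acl: List[Ace], user_sid: str, group_sids: Set[str],
                   requested: Set[str]) -> bool:
    """Windows/NFSv4-style evaluation: walk ACEs in order; the first entry that
    matches the user or one of the groups decides each requested permission,
    and a matching deny on any still-undecided permission refuses the request."""
    principals = {user_sid, *group_sids}
    remaining = set(requested)
    for ace in acl:
        if ace.principal not in principals:
            continue
        hit = remaining & ace.perms
        if not hit:
            continue
        if not ace.allow:
            return False
        remaining -= hit
        if not remaining:
            return True
    return not remaining   # granted only if every requested permission was allowed


if __name__ == "__main__":
    mapper = IdentityMapper(EXPLICIT_MAPPINGS)
    print(mapper.map_sid("S-1-5-21-1000-2000-3000-1001"))   # mapped: (1001, False)
    print(mapper.map_sid("S-1-5-21-9-9-9-5000"))            # ephemeral ID, True
    print(mapper.owner_record("S-1-5-21-9-9-9-5000"))       # ('sid', ...) goes to disk
```

The point to take from the model is the asymmetry it encodes: an ephemeral ID is stable for the life of the instance (the same SID maps to the same ID on every request), but ownership written to disk carries the SID, so a different ephemeral allocation after reboot does not change who owns the file.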

For more information about how the Oracle Solaris OS manages user identities, see Setting Up Identity Mapping Between Windows and Oracle Solaris Systems.

The following diagram shows how an Oracle Solaris file server can operate simultaneously with both Lightweight Directory Access Protocol (LDAP) and Windows domains. The Windows domain controller provides SMB authentication and naming services for SMB clients and servers, while the LDAP servers provide naming services for NFS clients and servers.

SMB Environment

This figure shows the components and interactions in an SMB environment.

The figure has the following components:

  • ZFS file system – The ZFS file system is shared over the network by using the SMB and NFS protocols.

  • NFS – The NFS server uses the NFS protocol to enable network clients to access the shared files.

  • SMB – The SMB server uses the SMB protocol to enable network clients to access the shared files.

  • Windows client – The Windows client accesses the shared resources over the network by using the SMB protocol.

  • Windows domain controller – The Windows domain controller authenticates the Windows user pat when accessing shared resources on the SMB Server.

  • Identity mapping service – The identity mapping service maps the Windows identities to Oracle Solaris UIDs and GIDs.

  • LDAP server – The LDAP server uses LDAP to look up and authenticate NFS and Oracle Solaris users.