SMB File Sharing Environment
An SMB server can operate in either workgroup mode or in domain mode. In workgroup mode, the SMB server is responsible for authenticating users locally when access is requested to shared resources. This authentication process is referred to as local login. In domain mode, user authentication is delegated to a domain controller.
When a user requests access to a file or other resource, the server compares the user's identity and group memberships to the access control list (ACL) on the resource. Oracle Solaris and the ZFS file system have been enhanced to support Windows users and Windows-style access checking.
The Oracle Solaris OS is unique in that it can manage user identities simultaneously by using both traditional UIDs (and GIDs) and Windows identities. When a user logs in to the SMB server, the user's SMB identity is mapped to the appropriate UNIX® identity. This mapping is performed by using the idmap identity mapping service. If the Windows identity can be mapped to a UNIX identity, that identity is used. Otherwise, a temporary identity is generated by using ephemeral UIDs and GIDs, as required. Ephemeral IDs are valid only within each Oracle Solaris OS instance and only until the system is rebooted. These IDs are never stored on disk or transmitted over the network. When a temporary ID needs to be stored on disk, the Windows identity is stored.
For more information about how the Oracle Solaris OS manages user identities, see Setting Up Identity Mapping Between Windows and Oracle Solaris Systems.
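As an added illustration of the mapping rules described above (example code written for this page, not Oracle Solaris's idmap implementation), the following model resolves a Windows SID to a persistent UID when a mapping exists, hands out a per-boot ephemeral UID otherwise, and writes only the Windows identity to disk for an ephemeral owner. The ephemeral ID range, the SIDs and the UID values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Union

# Assumed layout for this model: ephemeral IDs sit above the 31-bit range of
# real UIDs/GIDs, so a plain range check tells the two kinds apart.
EPHEMERAL_BASE = 0x80000000
EPHEMERAL_MAX = 0xFFFFFFFE


@dataclass
class IdMapper:
    """One Oracle Solaris OS instance's view of Windows-to-UNIX identities."""
    # SID -> UID mappings that survive a reboot (configured mappings).
    persistent: Dict[str, int] = field(default_factory=dict)
    # SID -> UID handed out on demand; exists only in memory for this boot.
    ephemeral: Dict[str, int] = field(default_factory=dict)
    next_ephemeral: int = EPHEMERAL_BASE

    def map_sid(self, sid: str) -> int:
        """Return the UID to use for a Windows identity at login."""
        if sid in self.persistent:
            return self.persistent[sid]
        if sid not in self.ephemeral:
            if self.next_ephemeral > EPHEMERAL_MAX:
                raise RuntimeError("ephemeral ID space exhausted")
            self.ephemeral[sid] = self.next_ephemeral
            self.next_ephemeral += 1
        return self.ephemeral[sid]

    @staticmethod
    def is_ephemeral(uid: int) -> bool:
        return uid >= EPHEMERAL_BASE

    def owner_to_store(self, uid: int) -> Union[int, str]:
        """Value written to disk for a file owner: a real UID, or the SID
        behind an ephemeral UID (the ephemeral number itself never hits disk)."""
        if not self.is_ephemeral(uid):
            return uid
        for sid, eph in self.ephemeral.items():
            if eph == uid:
                return sid
        raise LookupError(f"unknown ephemeral UID {uid}")

    def reboot(self) -> "IdMapper":
        """Simulate a reboot: persistent mappings remain, ephemeral ones are gone."""
        return IdMapper(persistent=dict(self.persistent))


# Constructed sample SIDs (not real identities).
PAT_SID = "S-1-5-21-1000-2000-3000-1105"    # has a persistent mapping to UID 1001
GUEST_SID = "S-1-5-21-1000-2000-3000-1106"  # no mapping configured
```

After the simulated reboot the unmapped SID receives a fresh ephemeral UID, which is why a file owner must be recorded by SID rather than by the ephemeral number.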
The following diagram shows how an Oracle Solaris file server can operate simultaneously with both Lightweight Directory Access Protocol (LDAP) and Windows domains. The Windows domain controller provides SMB authentication and naming services for SMB clients and servers, while the LDAP servers provide naming services for NFS clients and servers.
Figure: SMB Environment
The figure has the following components:
- ZFS file system – The ZFS file system is shared over the network by using the SMB and NFS protocols.
- NFS – The NFS server uses the NFS protocol to enable network clients to access the shared files.
- SMB – The SMB server uses the SMB protocol to enable network clients to access the shared files.
- Windows client – The Windows client accesses the shared resources over the network by using the SMB protocol.
- Windows domain controller – The Windows domain controller authenticates the Windows user pat when accessing shared resources on the SMB server.
- Identity mapping service – The identity mapping service maps the Windows identities to Oracle Solaris UIDs and GIDs.
- LDAP server – The LDAP server uses LDAP to look up and authenticate NFS and Oracle Solaris users.