Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.2

Exit Print View

 
Updated: July 2014
 
 

Formatting Group and User Names

By default, the SMB server uses ephemeral identity mapping. Shell special characters, such as the double quote character ("), the asterisk character (*), and the backslash character (\), must be quoted when used as user names and domain names.

You define the names of Oracle Solaris and Windows users and groups by using specific formats.

    For Windows groups, use one of the following formats:

  • wingroup:group-name@domain-name

  • wingroup:'domain-name\group-name'

    For Windows users, use one of the following formats:

  • winuser:username@domain-name

  • winuser:'domain-name\username'

For Oracle Solaris groups, use the format unixgroup:group-name.

For Oracle Solaris users, use the format unixuser:username.

Note -  Because only directional mappings can have an empty string ("") as their target identity, if you assign an empty string as a user name or group name, the identity service does not create a mapping and the nobody ID is used for access control. Therefore, to preclude logins by unmapped Windows users, do not assign an empty string as a user name or group name.

Using the wildcard character (*) matches all user names that are not matched by other mappings. Similarly, using the wildcard Windows name (*@*) matches all user names in all domains that are not matched by other mappings.

Using the wildcard on both sides of the mapping makes the user or group name the same for both Windows and Oracle Solaris users. For example, the '*@example.com' == '*' rule ensures that the jp@example.com Windows user name maps to the jp Oracle Solaris user name.

Note that the case of Windows names that appear in idmap name rules and in idmap show commands is ignored. However, because Windows names are not case sensitive but Oracle Solaris names are case sensitive, be careful when creating rule-based mappings that use wildcards for the user or group names.

Caution

Caution  -  Although Oracle Solaris environments typically use lowercase characters for user names, uppercase characters are permitted. Therefore, using a wildcard to map Windows names to Oracle Solaris user names might not produce the expected results. Rule-based mapping rules that use the unixuser:* or unixgroup:* target map to the Oracle Solaris name as follows:

  • Map the canonical Windows name, which uses the name found in the directory entry, to the matching Oracle Solaris name.
  • If no such Oracle Solaris name exists, make the case of the canonical Windows name lowercase and use it as the SMB name.
As a result of this differing treatment of case, names that appear to be alike might not be recognized as matches so you must create rules to handle such pairings. For example, to map Oracle Solaris user Kerry to Windows user kerry@example.com, you must create the following rule: 
# idmap add winuser:'*@example.com' unixuser:'*'
# idmap add winuser:kerry@example.com unixuser:Kerry
For example, to map Oracle Solaris group Sales to Windows group sales@example.com, you must create the following rule: 
# idmap add wingroup:'*@example.com' unixgroup:'*'
# idmap add wingroup:sales@example.com unixgroup:Sales

Copyright © 2007, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next