[cifs-discuss] CIFS/idmap Implementation Questions
Rob Terhaar
robbyt at robbyt.net
Tue May 20 08:51:51 PDT 2008
First of all, thank you for the response. Still trying to sort out our
opensolaris/samba/AD implementation. (more on that later)
On Mon, May 19, 2008 at 6:06 PM, Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
>>I was able to get UID/GID mapping working correctly in opensolaris 2008.5,
>>my UID/GIDs are being pulled down from my AD correctly. (getent passwd
>><myusername> works, and returns the correct uid/gid)
>>
>>So is there anyway to have the built in cifs server use the system's
>>uid/gid for users instead of the ephemeral ID?
>
> What exactly do you mean?
>
> What is "the system's uid/gid"?
Sorry, when I do getent passwd <myuser> I get my win2k3 R2 SFU/AD UID.
> I'm guessing you want the system to use non-ephemeral UIDs and GIDs.
>
> Currently the only ways to do that involve having a Unix name service
> where accounts/groups equivalent to Windows ones exist, plus either
> name-based mapping rules, or directory-based name mappings.
>
> Name-based mapping rules are maintained with the idmap(1M) command and
> are local to each system.
>
Not extremely intuitive for the uninitiated, but I was able to figure it out:
idmap add winuser:'*@example.com' unixuser:'*'
idmap add wingroup:'*@example.com' unixgroup:'*'
> Recently we have begun to see requests for additional options which
> don't involve ephemeral IDs and don't involve any form of name mapping.
> E.g., something to match Windows' own algorithmic ID mapping, or Samba's
> algorithmic and dynamic ID mapping options.
>
> Perhaps you'd like to second such requests?
While I could see that this feature could be useful, we had
stability issues in Red Hat when using idmap backend = idmap_rid, which
urged us to use idmap backend = ad rfc2307/ldap.
>
> Once that's done, and if one uses ZFS and SMB/NFSv4, why should one care
> if a given UID or GID is ephemeral or not? (I know there are reasons,
> but I'd like to hear yours.)
We run 50% OS X, 50% WinXP desktops, and 90% Linux servers. Our AD is
only for DNS/DHCP/Authentication. We need to keep UID/GID uniform
across the environment so that we can keep security under control
using any combination of protocols: NFSv3/SCP/SMB.
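Added illustration (not code from this thread, from Solaris idmap or from Samba): a small Python model of the two non-ephemeral mapping styles discussed above, so the difference is concrete. It implements a first-match name-based rule table in the spirit of idmap add winuser:'*@example.com' unixuser:'*' (the wildcard and first-match semantics are simplified assumptions), an algorithmic mapping in the style of Samba's idmap_rid (assumed here as uid = range low + RID, one range per domain, and refusing RIDs outside the range), and a check that the same account resolved on several hosts got the same uid, which is the uniformity concern raised in the last paragraph. All SIDs, ranges, names and per-host tables are constructed.

```python
"""Toy model of name-based versus algorithmic (RID-based) ID mapping.
Added illustration; SIDs, ranges and names below are constructed."""

import re
from typing import Dict, List, Optional, Set, Tuple

# S-1-5-21-<a>-<b>-<c>-<RID>: the first four components identify the domain,
# the last one is the relative identifier (RID) of the account or group.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); raise ValueError for anything else."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid: str, ranges: Dict[str, Tuple[int, int]]) -> Optional[int]:
    """Algorithmic mapping in the style of Samba's idmap_rid (assumption:
    id = range low + RID, one disjoint range per trusted domain).
    Returns None for an unknown domain or a RID that would leave the range,
    so the caller notices instead of silently handing out an overlapping id."""
    domain, rid = split_sid(sid)
    if domain not in ranges:
        return None
    low, high = ranges[domain]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


# A name-based rule is (windows pattern, unix pattern). In the windows pattern
# '*' before '@' matches any account of that domain; '*' as the unix pattern
# copies the matched account name. First matching rule wins (assumption).
NameRule = Tuple[str, str]


def apply_name_rules(winname: str, rules: List[NameRule]) -> Optional[str]:
    """Map user@domain to a unix name, or None when no rule applies."""
    user, sep, domain = winname.partition("@")
    if not sep:
        return None
    for win_pat, unix_pat in rules:
        pat_user, _, pat_domain = win_pat.partition("@")
        if pat_domain.lower() != domain.lower():
            continue
        if pat_user != "*" and pat_user.lower() != user.lower():
            continue
        return user if unix_pat == "*" else unix_pat
    return None


def inconsistent_ids(per_host: Dict[str, Dict[str, int]]) -> Dict[str, Set[int]]:
    """Given {host: {unix name: uid}} collected from several machines, return
    the names whose uid differs between hosts (the uniformity the thread wants
    across NFSv3/SCP/SMB); an empty dict means every host agrees."""
    seen: Dict[str, Set[int]] = {}
    for ids in per_host.values():
        for name, uid in ids.items():
            seen.setdefault(name, set()).add(uid)
    return {name: uids for name, uids in seen.items() if len(uids) > 1}


if __name__ == "__main__":
    ranges = {"S-1-5-21-1000-2000-3000": (10000, 19999)}  # constructed domain
    rules = [("administrator@example.com", "root"), ("*@example.com", "*")]
    print(rid_to_unix_id("S-1-5-21-1000-2000-3000-1105", ranges))
    print(apply_name_rules("alice@example.com", rules))
    print(inconsistent_ids({"host1": {"alice": 11105}, "host2": {"alice": 1001}}))
```

The point of inconsistent_ids is the last paragraph's requirement: if one host maps alice through a name rule to a directory uid and another through a RID range, the same person owns files under two different uids, and the ACL enforced by NFSv3 or SCP no longer matches the one seen over SMB.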