Sun Storage 7000 Unified Storage System: Identity mapping policies and requirements

Asset ID:	1-71-1402483.1
Update Date:	2012-06-28
Keywords:

Solution Type Technical Instruction Sure

Solution 1402483.1 : Sun Storage 7000 Unified Storage System: Identity mapping policies and requirements

Applies to:

Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7410 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7310 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Goal

This document describes the available identity mapping policies and explains the requirements and applications for each.

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - 7000 Series ZFS Appliances

Fix

Identity mapping creates an equivalence between a Windows account and a UNIX account. This allows file/directory permissions and ownership defined on one platform/protocol to be applied to the other. There are three identity mapping policies, as follows:

IDMU

IDMU stands for Identity mapping for UNIX, an installable Windows service and set of applications that facilitates the association of Windows and UNIX accounts. This service extends the user configuration properties, allowing you to add a uid and primary gid to each Windows user, and a gid to each group. It also includes a NIS server. To configure the ZFSSA for this environment, set up Active Directory as usual, then enable the NIS service and define the Domain Controller as the named NIS server. The mappings are all handled within the Users and Computers application on the Domain Controller.

Directory-based mapping

Directory-based mapping is essentially the same as IDMU, but the schema is manually extended on either Active Directory or the LDAP server..NIS is not supported in this mode. The LDAP or AD schema is extended to add fields for either Windows SIDs/user names or uid/gid. The attributes containing these values must be manually defined in the configuration screen.

Rule-based mapping

Rule-based mapping takes a more active role in the mapping process. You must have a connection to Active Directory and to a NIS or LDAP naming service. This means that it is not possible to use Windows workgroup mode with identity mapping, and that it is not possible to use the legacy passwd and group flat files.

For customers still using flat files, we recommend a simple NIS server. This can be run on virtually any UNIX or even Windows system, setup time is minimal, and if desired, the clients can continue to use their passwd and group files. Simply move that same passwd and group file to the NIS server, and configure only the ZFSSA to use NIS.

Rule-based mapping is indicated where IDMU is not available, but there's a requirement to map UNIX users to Windows users and maintain consistent file ownership cross-platform.

Ephemeral mapping (a.k.a. "none")

For an all-Windows environment, or an environment where permissions are distinct between UNIX users and Windows users, no mapping configuration is required. The ZFSSA assigns internal temporary uids, gids or sids internally and everything is handled automatically. If Windows and UNIX users need access to the same resources, they're assigned as separate entities.

Back to <Document 1428753.1> Sun Storage 7000 Unified Storage System: How to Troubleshoot Identity Mapping and cross-platform file sharing issues.

References

<NOTE:1428753.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Identity Mapping and cross-platform file sharing issues

Attachments

This solution has no attachment