Oracle ZFS Storage Appliance Administration Manual page 308

Flushing Mappings from the Cache (CLI)
You can only have one bidirectional mapping for each Windows domain that maps all users
in the Windows domain to all UNIX identities. If you want to create multiple domain-wide
rules, be sure to specify that those rules map only from Windows to UNIX.
Use the IDMU mapping mode instead of directory-based mapping whenever possible.
Identity Mapping Concepts
The SMB service uses the identity mapping service to associate Windows and UNIX identities.
When the SMB service authenticates a user, it uses the identity mapping service to map the
user's Windows identity to the appropriate UNIX identity. If no UNIX identity exists for a
Windows user, the service generates a temporary identity using an ephemeral UID and GID.
These mappings allow a share to be exported and accessed concurrently by SMB and NFS
clients. By associating Windows and UNIX identities, NFS and SMB clients can share the same
identity, thereby allowing access to the same set of files. An ephemeral ID does not provide
this: it is valid only on the running system, is not stable across reboots, and has no
counterpart in the UNIX name service, so a user who needs consistent file ownership from
both protocols needs a persistent mapping.
In the Windows operating system, an access token contains the security information for a login
session and identifies the user, the user's groups, and the user's privileges. Administrators define
Windows users and groups either locally, in the SAM database of a workgroup host, or centrally,
in an Active Directory domain managed by a domain controller. Each user and group has a SID,
which uniquely identifies the user or group, both within a host and a local domain, and across
all possible Windows domains.
UNIX builds a user's credentials when the user authenticates and evaluates file permissions
against them. Administrators define UNIX users and groups in local password and group files or
in a name or directory service, such as NIS or LDAP. Each UNIX user and group has a UID and
GID. Typically, the UID or GID uniquely identifies a user or group within a single UNIX domain.
However, these values are not unique across domains, so a UID alone does not say which domain
it came from.
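The following model shows how the pieces above fit together for the rule-based mapping mode: a SID is resolved to a domain and account name, name rules (with a direction) translate that to a UNIX login name, the UNIX name service supplies the UID, and a Windows user with no UNIX identity gets an ephemeral UID instead. It also enforces the constraint stated at the top of this page, that a Windows domain may have only one bidirectional domain-wide rule. This is an added example written for this page, not the appliance's own implementation or CLI; the SIDs, account names, UIDs, the `Rule` fields, the rule-ordering behaviour, and the ephemeral range starting at 2^31 are all constructed or assumed.

```python
"""Model of rule-based identity mapping with ephemeral fallback.

Added example; illustrates the concepts in this section and is not the
appliance's own implementation. Sample SIDs, names and UIDs are constructed.
"""
from dataclasses import dataclass
import fnmatch
from typing import Optional

# Constructed stand-ins for the two name services the mapper consults:
# the Windows domain (SID -> domain, account name) and the UNIX name
# service such as LDAP or NIS (login name -> UID). Not real identifiers.
WINDOWS_SIDS = {
    "S-1-5-21-1111-2222-3333-1001": ("CORP", "alice"),
    "S-1-5-21-1111-2222-3333-1002": ("CORP", "Bob"),
    "S-1-5-21-1111-2222-3333-1003": ("CORP", "svc_backup"),
    "S-1-5-21-1111-2222-3333-1004": ("CORP", "contractor7"),
}
UNIX_USERS = {"alice": 5001, "bob": 5002, "backup": 5003}

# Assumption: ephemeral IDs are allocated from 2^31 upward, out of the way
# of any UID a name service would hand out.
EPHEMERAL_BASE = 0x80000000


@dataclass(frozen=True)
class Rule:
    windomain: str
    winname: str    # Windows account name, or "*" for every user in the domain
    unixname: str   # UNIX login name, or "*" meaning "the same name"
    direction: str  # "win2unix", "unix2win" or "bidirectional"


class IdentityMapper:
    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self._ephemeral: dict[str, int] = {}
        self._next_ephemeral = EPHEMERAL_BASE

    def add_rule(self, rule: Rule) -> None:
        """At most one bidirectional domain-wide (winname "*") rule per domain;
        further domain-wide rules must be win2unix."""
        if rule.direction == "bidirectional" and rule.winname == "*":
            for r in self.rules:
                if (r.direction == "bidirectional" and r.winname == "*"
                        and r.windomain.lower() == rule.windomain.lower()):
                    raise ValueError(
                        f"{rule.windomain} already has a bidirectional "
                        "domain-wide rule; make extra domain-wide rules win2unix")
        self.rules.append(rule)

    def unix_name_for(self, windomain: str, winname: str) -> Optional[str]:
        """Windows -> UNIX by name. Windows names are case-insensitive, so they
        are matched lowercased. Name-specific rules are tried before wildcard
        rules (a modelling choice, not a claim about the appliance)."""
        for r in sorted(self.rules, key=lambda r: r.winname == "*"):
            if r.direction == "unix2win" or r.windomain.lower() != windomain.lower():
                continue
            if fnmatch.fnmatchcase(winname.lower(), r.winname.lower()):
                return winname.lower() if r.unixname == "*" else r.unixname
        return None

    def windows_name_for(self, unixname: str) -> Optional[tuple[str, str]]:
        """UNIX -> Windows by name; win2unix-only rules do not apply here."""
        for r in sorted(self.rules, key=lambda r: r.unixname == "*"):
            if r.direction == "win2unix":
                continue
            if fnmatch.fnmatchcase(unixname, r.unixname):
                return (r.windomain, unixname if r.winname == "*" else r.winname)
        return None

    def uid_for_sid(self, sid: str) -> tuple[int, bool]:
        """Resolve a SID to a UID; returns (uid, is_ephemeral). A Windows user
        with no UNIX identity gets a temporary UID that stays the same for that
        SID only for the life of this mapper instance."""
        if sid not in WINDOWS_SIDS:
            raise LookupError(f"SID {sid} is not known to any domain")
        domain, name = WINDOWS_SIDS[sid]
        unixname = self.unix_name_for(domain, name)
        if unixname is not None and unixname in UNIX_USERS:
            return UNIX_USERS[unixname], False
        if sid not in self._ephemeral:
            self._ephemeral[sid] = self._next_ephemeral
            self._next_ephemeral += 1
        return self._ephemeral[sid], True


def demo_mapper() -> IdentityMapper:
    """All CORP users map to the same-named UNIX account (bidirectional),
    except svc_backup, which maps one way to the UNIX account backup."""
    m = IdentityMapper()
    m.add_rule(Rule("CORP", "*", "*", "bidirectional"))
    m.add_rule(Rule("CORP", "svc_backup", "backup", "win2unix"))
    return m


if __name__ == "__main__":
    m = demo_mapper()
    for sid, (_, name) in WINDOWS_SIDS.items():
        print(f"{name:12} {sid} -> {m.uid_for_sid(sid)}")
    print("backup ->", m.windows_name_for("backup"))
```

Two things the run makes visible that the prose only states: contractor7 has no UNIX account and so receives an ephemeral UID above 2^31, which an NFS client's name service cannot resolve; and because the svc_backup rule is win2unix only, the UNIX user backup maps back to CORP\backup through the domain-wide rule, not to svc_backup, which is exactly the asymmetry that one-directional rules are for.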
The following options are available when selecting a mapping mode:
Rule-based Mapping - Use for creating various rules that map identities by name, thus
establishing equivalences between Windows and UNIX identities. Mapping rules are useful
when you want a user to access the same set of files through both SMB and NFS clients.
Directory-based Mapping - Use for annotating an LDAP or Active Directory object with
information about how the identity maps to an equivalent identity on the opposite platform.
IDMU-based Mapping - Identity Management for UNIX (IDMU) is a feature that
Microsoft offers for Windows Server 2003, and is bundled with Windows Server
2003 R2 and later. IDMU supports Windows as a NIS/NFS server by adding a "UNIX
Attributes" panel to the Active Directory Users and Computers user interface. This allows
administrators to specify a number of UNIX-related parameters, including UID, GID,
login shell, and home directory. These parameters are made available through Active
Directory using a schema similar to, but not the same as, RFC 2307, and through the NIS
Oracle ZFS Storage Appliance Administration Guide, Release OS8.6.x • September 2016