Oracle ZFS Storage Appliance Administration Manual page 309

service. When the IDMU mapping mode is selected, the identity mapping service consumes
these UNIX attributes to establish mappings between Windows and UNIX identities. This
approach is very similar to directory-based mapping, except that the identity mapping
service queries the property schema established by the IDMU software instead of allowing a
custom schema. When this approach is used, no other directory-based mapping may occur.

Cached and Ephemeral Mappings

When the identity mapping service provides a name mapping, it stores the mapping in the
cache for 10 minutes, at which point the mapping expires. Within its 10-minute life, a mapping
is persistent across restarts of the identity mapping service. Changes to the mappings or to
the name service directories do not affect existing connections within the 10-minute life of a
mapping. The service evaluates mappings only when the client tries to connect to a share and
there is no unexpired mapping. For example, if the SMB server requests a mapping for the user
after the mapping has expired, the service re-evaluates the mapping.
If no name-based mapping rule applies for a particular user, that user will be given temporary
credentials through an ephemeral mapping unless the user is blocked by another mapping.
When a Windows user with an ephemeral UNIX name creates a file on the system, Windows
clients accessing the file using SMB see that the file is owned by that Windows identity.
However, NFS clients see that the file is owned by "nobody".

Identity Mapping Case Sensitivity

Windows names are not case sensitive, but UNIX names are case sensitive. The user names
JSMITH, JSmith, and jsmith are equivalent names in Windows, but they are three distinct
names in UNIX. Case sensitivity affects name mappings differently depending on the direction
of the mapping.
For a Windows-to-UNIX mapping to produce a match, the case of the Windows user
name must match the case of the UNIX user name. For example, only Windows user name
"jsmith" matches UNIX user name "jsmith". Windows user name "Jsmith" does not match.
An exception to the case matching requirement for Windows-to-UNIX mappings occurs
when the mapping uses the wildcard character "*" to map multiple user names.
If the identity mapping service encounters a mapping that maps Windows user
*@some.domain to UNIX user "*", it first searches for a UNIX name that matches the Windows
name exactly. If it does not find a match, the service converts the entire Windows name to
lower case and searches again for a matching UNIX name. For example, the Windows user
name "JSmith@some.domain" maps to UNIX user name "jsmith". If the service does not
find a match after using lowercase for the Windows user name, the user does not obtain a
mapping.
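
The wildcard lookup order described above can be modelled to audit a name list before a rule such as *@some.domain to "*" is put in place. The following is an added example, not code from the appliance or from Oracle: the function names, the sample accounts, and the case-insensitive comparison of the domain part are assumptions made for illustration.

```python
from collections import defaultdict
from typing import Optional

def resolve_wildcard(win_name: str, rule_domain: str, unix_names: set) -> Optional[str]:
    """Model of the rule '*@<rule_domain>' -> '*' as the manual describes it."""
    user, sep, domain = win_name.partition("@")
    # Assumption: the domain part is compared without regard to case.
    if not sep or domain.lower() != rule_domain.lower():
        return None                      # the rule does not apply to this name
    if user in unix_names:               # step 1: exact-case search
        return user
    lowered = user.lower()               # step 2: retry with the whole name lowercased
    return lowered if lowered in unix_names else None

def case_collisions(unix_names: set) -> list:
    """UNIX names that differ only by case; Windows treats them as one name."""
    groups = defaultdict(list)
    for name in unix_names:
        groups[name.lower()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def audit(win_names: list, rule_domain: str, unix_names: set) -> dict:
    """Classify each Windows name by how (or whether) it obtains a mapping."""
    report = {"exact": {}, "lowercased": {}, "unmapped": []}
    for win in win_names:
        unix = resolve_wildcard(win, rule_domain, unix_names)
        if unix is None:
            report["unmapped"].append(win)
        elif unix == win.partition("@")[0]:
            report["exact"][win] = unix
        else:
            report["lowercased"][win] = unix
    return report

# Constructed sample data (not from the manual).
UNIX_NAMES = {"jsmith", "JSmith", "Backup", "mlee"}
WIN_NAMES = ["JSmith@some.domain", "JSMITH@some.domain",
             "backup@some.domain", "MLee@SOME.DOMAIN"]

if __name__ == "__main__":
    print(audit(WIN_NAMES, "some.domain", UNIX_NAMES))
    print(case_collisions(UNIX_NAMES))
```

In the sample data, the UNIX accounts "JSmith" and "jsmith" are both reachable from one Windows identity depending on the case presented, and "backup@some.domain" obtains no mapping because the only UNIX candidate, "Backup", is neither an exact nor a lowercase match.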

Flushing Mappings from the Cache (CLI)