Sun Storage 7000 Series Identity Mapping – Seamlessly Sharing Files Between Windows and Unix Platforms

by Dean Halbeisen

The need to integrate Windows and UNIX platforms is not a new challenge for IT professionals. Increasingly, Windows and UNIX platforms need to share the same files on centralized storage systems. Many solutions exist to make this possible, from simple volume-level solutions to complex single sign-on solutions. All of them address the fact that Windows and UNIX platforms use different security structures for user and group authentication to control access to files and directories. With OpenSolaris we (Sun) took a very intuitive approach to this challenge by building the CIFS stack directly into the OpenSolaris kernel. With the CIFS stack built into the kernel, the new features of NFSv4, the new features of ZFS and many other OS enhancements, the door was wide open to deliver a seamless, ubiquitous, cross-protocol file sharing system.

NetApp, for example, controls authentication at the volume level. This means that each volume in the storage system has to be configured for one authentication mode: UNIX, NTFS or mixed. The UNIX and NTFS modes only permit clients to use the user or group credentials specific to that mode. For example, if a Windows host attempts to access a file on a volume configured for UNIX authentication, the storage system maps the Windows credentials to the UNIX credential structure, provided a matching user or group credential exists in UNIX LDAP or NIS. Credential mapping works the same way for UNIX clients accessing volumes configured for NTFS authentication. When a volume is configured for mixed authentication mode, the volume can use both NTFS and UNIX credentials on files and directories, but each file or directory can only use one authentication mode at a time. When you use mixed authentication mode on a volume you have to maintain documentation of which files and directories use each authentication mode, because if the mode changes, clients may lose access to those files or directories.

Solutions that use volume-level or share-level authentication configuration are cumbersome to configure and maintain. Even when the configuration process can be scripted, you would likely have to maintain some sort of documentation to keep track of how each volume or share is configured, along with special instructions on how to maintain the configuration going forward.

Many single sign-on solutions convert UNIX authentication into Windows Active Directory authentication by installing host agents on the UNIX platforms that map the UNIX authentication structures into Windows Active Directory authentication structures. In single sign-on solutions the storage systems do not use any form of local authentication mapping to control access to files and directories, because each client performs its own mapping through host agents. Some single sign-on solutions centralize the credential mapping by requiring a proprietary name information server that performs the credential mapping for each host agent on the UNIX clients, instead of each host agent querying the UNIX and Windows directory servers independently.

Single sign-on solutions are very complex, tough to troubleshoot and costly to maintain. Interoperability is probably the biggest challenge for single sign-on solutions: you have to make sure that every application, every server, every operating system and every storage device that will use the configuration is compatible with the single sign-on software.

The Identity Mapping feature of the Sun Storage 7000 addresses the challenges of Windows and UNIX file sharing unlike any other solution available. The Identity Mapping service is configured for the entire appliance from a single point in the BUI, or from a single point in the CLI. The appliance's underlying filesystem, ZFS, places no restrictions on how authentication structures from Windows or UNIX platforms are used; both can be used seamlessly and simultaneously in any share in the storage system. The Identity Mapping feature stores the user and group mappings in a database on the appliance and only has to be configured once for each authentication policy or authentication rule. You can configure the Identity Mapping service to use directory-based mapping, user-based mapping and ephemeral mapping, all simultaneously or independently.

This solution is likely the highest performing UNIX and Windows file sharing solution available, because it has the lowest overhead at the volume/share level and does not require external software. Interoperability of the Identity Mapping service is a breeze, as it communicates with Windows Active Directory, UNIX NIS and UNIX LDAP directly without requiring host agents or proprietary name information servers. It is cost effective, as this feature is included in the initial purchase cost of the appliance and future feature enhancements are included in the freely available appliance software upgrades. The solution also provides observability like no other solution available. The DTrace Analytics feature of the Sun Storage 7000 Series enables you to see inside your workload and break it down by protocol, share, file, client, latency and transfer size in live or post-processed graphs.
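To make the three mapping modes concrete, here is an added Python model (not the appliance's own idmap code) of how a Windows SID might be resolved to a UNIX uid: directory-based mapping first, then a user-based name rule, then an ephemeral id that is allocated once and reused so the file owner stays stable. The SIDs, account names, passwd entries, rule syntax, precedence order and ephemeral range are all constructed assumptions for illustration.

```python
"""Constructed model of the three identity-mapping modes the article names
(directory-based, user/name-based rules, ephemeral). Not the appliance's idmap
code; tables, precedence and the ephemeral range are assumptions."""

# Constructed Active Directory data: SID -> account name.
AD_USERS = {"S-1-5-21-1-2-3-1001": "alice@corp.example",
            "S-1-5-21-1-2-3-1002": "bob@corp.example",
            "S-1-5-21-1-2-3-1003": "carol@corp.example"}
# Directory-based mapping: a UNIX name stored on the AD object (assumed attribute).
AD_UNIX_ATTR = {"alice@corp.example": "alice"}
# Constructed NIS/LDAP passwd table: UNIX name -> uid.
UNIX_PASSWD = {"alice": 1001, "bob": 1002}
# Name-based rules: (windows pattern, unix pattern); '*' carries the name across.
NAME_RULES = [("*@corp.example", "*")]
EPHEMERAL_BASE = 2**31   # assumed range above any real uid, so no collisions
_mapping_db = {}         # persisted sid -> uid so repeat lookups stay stable

def _match(pattern, value):
    """Single-wildcard match; returns the text matched by '*' or None."""
    if "*" not in pattern:
        return "" if value == pattern else None
    pre, suf = pattern.split("*", 1)
    if len(value) >= len(pre) + len(suf) and value.startswith(pre) and value.endswith(suf):
        return value[len(pre):len(value) - len(suf)]
    return None

def map_sid_to_uid(sid):
    """Return (uid, mode). Precedence assumed: directory, name rule, ephemeral."""
    name = AD_USERS.get(sid)
    if name is None:
        raise LookupError(f"unknown SID {sid}")   # unresolvable SID: deny, don't guess
    unix = AD_UNIX_ATTR.get(name)                 # 1. directory-based
    if unix in UNIX_PASSWD:
        return UNIX_PASSWD[unix], "directory"
    for wpat, upat in NAME_RULES:                 # 2. name-based rule
        captured = _match(wpat, name)
        if captured is not None:
            candidate = upat.replace("*", captured, 1)
            if candidate in UNIX_PASSWD:
                return UNIX_PASSWD[candidate], "name-rule"
    if sid not in _mapping_db:                    # 3. ephemeral, allocated once
        _mapping_db[sid] = EPHEMERAL_BASE + len(_mapping_db)
    return _mapping_db[sid], "ephemeral"

def unix_name_for_uid(uid):
    """What a NIS/LDAP client can resolve: ephemeral uids have no passwd entry."""
    for name, known in UNIX_PASSWD.items():
        if known == uid:
            return name
    return None
```

Note that a uid from the ephemeral range resolves to no UNIX name, so a NFS client will see a numeric owner for such files; that is the expected outcome for Windows users with no directory or rule mapping, not an error in itself.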


Can you do the identity mapping with just a Windows Workgroup instead of Active Directory? I have a loaner 7110 where I am trying to do CIFS/NFS interoperability and having issues with the UNIX side seeing Windows created files while doing a "ls" but getting a file IO error when doing a "ls -la" or trying to open the file. The Windows side can see the UNIX created files fine.

Any insight would be great.

Posted by Chris Williams on July 08, 2009 at 04:38 AM PDT #

You say "the Identity Mapping service communicates with Windows Active Directory, UNIX NIS and UNIX LDAP directly without requiring host agents or proprietary name information servers"

I have seen similar claims in other Sun documents.

However it is simply not true - the CIFS service is *only* usable in an environment that is completely Active Directory. You cannot use the CIFS service in a NIS or LDAP environment as the Identity Mapping service does *not* interoperate. I would love to be proved wrong, please contact me!

Posted by andrew on August 20, 2009 at 07:03 PM PDT #

I would also like to see someone from Sun prove andrew's comment to be wrong, or to provide assistance on the matter. I have similar thoughts about it.

Posted by James on October 13, 2009 at 04:44 PM PDT #
