Solaris CIFS Windows SID Mapping - A First Look

This follows directly on from where I set up an OpenSolaris CIFS server in Domain Mode. When I mapped the share I was not asked for a user ID and password as I had been in Workgroup mode..so, how are file and folder ownership and permissions handled ?

The Solaris CIFS implementation includes ID Mapping Services. These services let you explicitly map Windows Security IDentifiers to Solaris User IDs and Group IDs if you wish, but if you don't set up explicit mappings then the ID Mapping Service will generate Ephemeral Solaris User IDs and Group IDs for Windows Users. The Solaris CIFS Administrators Guide discusses Identity Mapping strategies.

Permissions on the files and directories created at the end of the previous exersize, when listed from Solaris, look like this...

root@isv-x4500b # pwd
/tank/cifs1
root@isv-x4500b # ls -l
total 10
d---------+  2 2147483649 2147483650       2 Apr  8 05:49 user1
----------+  1 2147483649 2147483650       0 Apr  8 05:57 user1.txt
d---------+  2 2147483650 2147483650       3 Apr  8 05:50 user2
----------+  1 2147483650 2147483650       0 Apr  8 05:51 user2.txt

This looks a bit odd because the OpenSolaris CIFS service uses ZFS ACLs, and they don't show up in the above listing. We can dump the current ID Mappings, as below...

root@isv-x4500b # idmap dump
usid:S-1-5-21-500772251-2770406677-2360070262-1125      ==      uid:2147483650
usid:S-1-5-21-500772251-2770406677-2360070262-1113      ==      uid:2147483649
gsid:S-1-5-21-500772251-2770406677-2360070262-513       ==      gid:2147483650
gsid:S-1-5-21-500772251-2770406677-2360070262-512       ==      gid:2147483651
gsid:S-1-5-11   ==      gid:2147483652
gsid:S-1-5-2    ==      gid:2147483653
gsid:S-1-5-32-544   ==      gid:2147483654

We can see that Windows SIDs have been mapped to Solaris User and Group IDs.  The mappings for the users have been created on the fly (Ephemeral ID Mapping); the Windows Group SID mappings are generated by system level interactions, you can decode those using the list here. We can see that:

Windows Group SID xxxxxx-513 = Domain Users = Solaris GID 2147483650

Windows Group SID xxxxxx-512 = Domain Admins = Solaris GID 2147483651

Windows Group SID xxxxxx-11 = Authenticated Users = Solaris GID 2147483653

Windows Group SID xxxxxx-2 = Network (Users logged in via the Network) = Solaris GID 2147483651

Windows Group SID xxxxxx-544= Administrators  = Solaris GID 2147483654

We now know that the files and directories we created are in the Domain Users group as it was mapped to the Solaris GID of 2147483650.

Sometime soon I am going to dig deeper on all this, this was just a first look. 

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Comments:

Post a Comment:
Comments are closed for this entry.
About

Tim Thomas

Search

Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today