Solaris CIFS Windows SID Mapping - A First Look
By Tim Thomas on Apr 10, 2008
This follows directly on from where I set up an OpenSolaris CIFS server in Domain Mode. When I mapped the share I was not asked for a user ID and password as I had been in Workgroup mode, so how are file and folder ownership and permissions handled?
The Solaris CIFS implementation includes ID Mapping Services. These services let you explicitly map Windows Security IDentifiers to Solaris User IDs and Group IDs if you wish, but if you don't set up explicit mappings then the ID Mapping Service will generate Ephemeral Solaris User IDs and Group IDs for Windows Users. The Solaris CIFS Administrators Guide discusses Identity Mapping strategies.
Permissions on the files and directories created at the end of the previous exercise, when listed from Solaris, look like this...
root@isv-x4500b # pwd
root@isv-x4500b # ls -l
d---------+ 2 2147483649 2147483650 2 Apr 8 05:49 user1
----------+ 1 2147483649 2147483650 0 Apr 8 05:57 user1.txt
d---------+ 2 2147483650 2147483650 3 Apr 8 05:50 user2
----------+ 1 2147483650 2147483650 0 Apr 8 05:51 user2.txt
This looks a bit odd because the OpenSolaris CIFS service uses ZFS ACLs, which the mode bits in a plain ls -l listing don't show (the trailing + flags that an ACL is present). We can dump the current ID Mappings, as below...
root@isv-x4500b # idmap dump
usid:S-1-5-21-500772251-2770406677-2360070262-1125 == uid:2147483650
usid:S-1-5-21-500772251-2770406677-2360070262-1113 == uid:2147483649
gsid:S-1-5-21-500772251-2770406677-2360070262-513 == gid:2147483650
gsid:S-1-5-21-500772251-2770406677-2360070262-512 == gid:2147483651
gsid:S-1-5-11 == gid:2147483652
gsid:S-1-5-2 == gid:2147483653
gsid:S-1-5-32-544 == gid:2147483654
We can see that Windows SIDs have been mapped to Solaris User and Group IDs. The mappings for the users were created on the fly (Ephemeral ID Mapping); the Windows Group SID mappings are generated by system-level interactions, and you can decode those using the list here. We can see that:
Windows Group SID xxxxxx-513 = Domain Users = Solaris GID 2147483650
Windows Group SID xxxxxx-512 = Domain Admins = Solaris GID 2147483651
Windows Group SID xxxxxx-11 = Authenticated Users = Solaris GID 2147483653
Windows Group SID xxxxxx-2 = Network (Users logged in via the Network) = Solaris GID 2147483651
Windows Group SID xxxxxx-544 = Administrators = Solaris GID 2147483654
We now know that the files and directories we created are in the Domain Users group as it was mapped to the Solaris GID of 2147483650.
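To make the decoding above repeatable, here is a small script that parses the idmap dump and ls -l output reproduced in this post and resolves each numeric owner and group back to a Windows identity. This is an added example, not code from the post or from the Solaris project: the well-known SID names (S-1-5-2, S-1-5-11, S-1-5-32-544) and domain RIDs (512, 513 and so on) are standard Windows constants, the 2^31 ephemeral-range threshold and the fact that ephemeral mappings do not survive a reboot are Solaris idmap behaviour, and the sample text is embedded inline so it runs offline.

```python
import re

# Constructed sample input: the `idmap dump` output reproduced from the post above.
IDMAP_DUMP = """\
usid:S-1-5-21-500772251-2770406677-2360070262-1125 == uid:2147483650
usid:S-1-5-21-500772251-2770406677-2360070262-1113 == uid:2147483649
gsid:S-1-5-21-500772251-2770406677-2360070262-513 == gid:2147483650
gsid:S-1-5-21-500772251-2770406677-2360070262-512 == gid:2147483651
gsid:S-1-5-11 == gid:2147483652
gsid:S-1-5-2 == gid:2147483653
gsid:S-1-5-32-544 == gid:2147483654
"""

# Constructed sample input: the `ls -l` listing from the post (numeric owner/group).
LS_LISTING = """\
d---------+ 2 2147483649 2147483650 2 Apr 8 05:49 user1
----------+ 1 2147483649 2147483650 0 Apr 8 05:57 user1.txt
d---------+ 2 2147483650 2147483650 3 Apr 8 05:50 user2
----------+ 1 2147483650 2147483650 0 Apr 8 05:51 user2.txt
"""

# Solaris allocates ephemeral UIDs/GIDs from 2^31 upward; anything at or above
# this value has no passwd/group entry and exists only in the idmap cache.
EPHEMERAL_BASE = 2 ** 31

# Well-known (non-domain) SIDs that appear in the dump.
WELL_KNOWN_SIDS = {
    "S-1-5-2": "NT AUTHORITY\\Network",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Well-known relative identifiers (RIDs) that every AD domain uses.
DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

DUMP_LINE = re.compile(r"^[ug]sid:(S-1-\d+(?:-\d+)+) == (uid|gid):(\d+)$")


def parse_idmap_dump(text):
    """Map ('uid'|'gid', numeric id) -> SID string from `idmap dump` output."""
    mapping = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            sid, idtype, num = m.groups()
            mapping[(idtype, int(num))] = sid
    return mapping


def describe_sid(sid):
    """Human-readable name for a SID: well-known, domain RID, or unknown."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    # Domain SIDs look like S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>: 8 dash-separated parts.
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        if rid in DOMAIN_RIDS:
            return "DOMAIN\\" + DOMAIN_RIDS[rid]
        return "DOMAIN account with RID %d" % rid
    return "unrecognised SID"


def is_ephemeral(numeric_id):
    """True if the UID/GID came from the ephemeral range rather than passwd/group."""
    return numeric_id >= EPHEMERAL_BASE


def resolve_listing(ls_text, mapping):
    """Annotate each `ls -l` row with the SIDs behind its numeric owner and group."""
    rows = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # skip 'total' lines or anything not in ls -l shape
        uid, gid, name = int(fields[2]), int(fields[3]), fields[-1]
        owner_sid = mapping.get(("uid", uid))
        group_sid = mapping.get(("gid", gid))
        rows.append({
            "name": name,
            "uid": uid,
            "owner_sid": owner_sid,
            "owner": describe_sid(owner_sid) if owner_sid else "no idmap entry",
            "gid": gid,
            "group_sid": group_sid,
            "group": describe_sid(group_sid) if group_sid else "no idmap entry",
            # Ephemeral mappings are not persistent across reboots, so a numeric
            # owner recorded on its own is not a reliable audit record; keep the SID.
            "ephemeral": is_ephemeral(uid) or is_ephemeral(gid),
        })
    return rows


if __name__ == "__main__":
    mapping = parse_idmap_dump(IDMAP_DUMP)
    for row in resolve_listing(LS_LISTING, mapping):
        print("%-10s owner=%s (%s) group=%s (%s) ephemeral=%s" % (
            row["name"], row["uid"], row["owner"], row["gid"], row["group"], row["ephemeral"]))
```

Run it as-is to see user1 and user1.txt resolve to the domain account with RID 1113 in Domain Users, and user2 and user2.txt to RID 1125. On a live system you would feed it the real output of idmap dump and ls -l; the point for an administrator is that the ephemeral flag tells you which ownership records depend on a cache that is rebuilt at boot, which is the case for explicit mappings to be set up before ownership of these files matters.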
Sometime soon I am going to dig deeper on all this; this was just a first look.
For More Information
Also, consider joining the Open Solaris Storage Discuss Forum