Peter Taps wrote:
Now, from a Windows machine, I create a file from account User1. When I log
back in as User2, I could not access the file. This behavior is as expected.
The file had ownership/full control only by User1.
It appears I can have Windows users and groups just the way I want and set up
access permissions from Windows file properties dialog box just the way I want.
I don't need to touch the backend OpenSolaris box at all.
Yes.
So what exactly is "idmap" for? Things seem to work just as expected without
doing anything with idmap.
idmap is for when you want to have a UNIX user and a Windows user be
considered equivalent.
In your experiment above, indeed the files are owned by user1 and have
access control entries granting access to user1. From a Windows
perspective, everything is easy and simple. However, from a UNIX
perspective it is not so simple. Those files are owned by the Windows
users, who will present to UNIX as magic very large user IDs. They
aren't owned by any normal UNIX user.
Suppose you have a Windows/AD user petert...@example.com, and you have a
UNIX user ptaps. Since both of those are the same actual human being,
you would really like to be able to approach your data from either
platform and have the results be the same - the ownership be the same,
and access rights be the same. Idmap exists to equate those two users.
The simplest way to use it would be to set up a rule like
# idmap add winname:petert...@example.com unixuser:ptaps
After that, anything you do from Windows is done as the UNIX user
ptaps. Files will be owned by ptaps, ACLs will list ptaps in them, and
access checks will be done for ptaps. Files owned by ptaps (and ACL
entries and so on) will be presented back to Windows as
petert...@example.com.
There are several other ways to set up mappings, both for specialty
environments and with the mapping information represented in various
ways. You can have wild-card rules, for environments where names are
the same in UNIX and Windows. You can store the mapping information in
Active Directory, or in your UNIX LDAP service.
Does that help to explain what it's for?
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
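To make the reply's point concrete, here is an added, constructed model of how name-based idmap rules change what a UNIX system sees. It is not the OpenSolaris idmap code and does not call the `idmap` command; it models only the behaviour the reply describes: an unmapped Windows user appears to UNIX as a large ephemeral UID owned by no real account, a `winname:`/`unixuser:` rule makes the two identities equivalent in both directions, and a `*@domain` wild-card rule covers environments where account names are the same on both sides. The names `petert@example.com` (a constructed stand-in for the obfuscated address in the reply), `ptaps`, `alice`, the `IdMapper` class, the `EPHEMERAL_BASE` value and the first-match rule ordering are all assumptions of this example; real idmap has its own rule precedence, which is not modelled.

```python
"""Constructed model of idmap-style name rules, not the OpenSolaris idmap code.

A rule pairs a Windows name (winname) with a UNIX user (unixuser). A '*' on
the Windows side matches every account in that domain and copies the account
part into the UNIX side; that is the wild-card form the reply mentions.
Windows users that match no rule (or whose UNIX side does not exist) are shown
to UNIX as a large ephemeral UID that no ordinary UNIX account owns.
"""
from dataclasses import dataclass, field

# Constructed: a high UID range standing in for the "magic very large user IDs".
EPHEMERAL_BASE = 0x80000000


@dataclass
class IdMapper:
    unix_users: dict                                 # UNIX user name -> uid (as in /etc/passwd)
    rules: list = field(default_factory=list)        # (winname pattern, unixuser pattern)
    _ephemeral: dict = field(default_factory=dict)   # lower-cased winname -> ephemeral uid
    _next_ephemeral: int = EPHEMERAL_BASE

    def add(self, winname: str, unixuser: str) -> None:
        """Model of `idmap add winname:<winname> unixuser:<unixuser>`."""
        self.rules.append((winname, unixuser))

    def win_to_unix(self, winname: str):
        """Return the UNIX user a Windows name maps to, or None if unmapped."""
        account, _, domain = winname.partition("@")
        for win_pat, unix_pat in self.rules:   # constructed: first matching rule wins
            pat_account, _, pat_domain = win_pat.partition("@")
            if pat_domain.lower() != domain.lower():
                continue
            if pat_account == "*":
                candidate = unix_pat.replace("*", account)
            elif pat_account.lower() == account.lower():
                candidate = unix_pat
            else:
                continue
            if candidate in self.unix_users:   # the UNIX side must really exist
                return candidate
        return None

    def unix_to_win(self, unixuser: str):
        """Reverse direction: how a UNIX owner is presented back to Windows."""
        for win_pat, unix_pat in self.rules:
            if unix_pat == "*":
                return win_pat.replace("*", unixuser)
            if unix_pat == unixuser:
                return win_pat
        return None

    def uid_for(self, winname: str) -> int:
        """UID that owns a file created over CIFS by this Windows user."""
        unix = self.win_to_unix(winname)
        if unix is not None:
            return self.unix_users[unix]
        key = winname.lower()                  # Windows names are case-insensitive
        if key not in self._ephemeral:
            self._ephemeral[key] = self._next_ephemeral
            self._next_ephemeral += 1
        return self._ephemeral[key]

    def is_unix_owner(self, uid: int) -> bool:
        """True if some real UNIX account has this uid."""
        return uid in self.unix_users.values()


def demo():
    """Constructed walk-through of the reply's scenario; returns the observed facts."""
    passwd = {"ptaps": 1001, "alice": 1002}   # constructed UNIX accounts
    m = IdMapper(unix_users=passwd)

    # Before any rule: the Windows user gets an ephemeral uid that is not ptaps.
    before = m.uid_for("petert@example.com")

    # The reply's rule: idmap add winname:petert@example.com unixuser:ptaps
    m.add("petert@example.com", "ptaps")
    after = m.uid_for("petert@example.com")

    # Wild-card rule for the rest of the domain: idmap add winname:*@example.com unixuser:*
    m.add("*@example.com", "*")
    return {
        "before_rule_is_real_unix_user": m.is_unix_owner(before),
        "after_rule_uid": after,
        "ptaps_as_seen_by_windows": m.unix_to_win("ptaps"),
        "alice_via_wildcard": m.win_to_unix("alice@example.com"),
        "unknown_via_wildcard": m.win_to_unix("bob@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth carrying over to a real system is the first one: list the owner of a file created from Windows before adding any rule, and you will see the ephemeral UID rather than a passwd entry; after the rule, the same file operation yields the mapped UNIX user, and `unix_to_win` shows why ACL entries for that UNIX user come back to Windows under the Windows name.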