Peter Taps wrote:
Now, from a Windows machine, I create a file from account User1. When I log 
back in as User2, I could not access the file. This behavior is as expected. 
The file had ownership/full control only by User1.

It appears I can have Windows users and groups just the way I want and set up 
access permissions from Windows file properties dialog box just the way I want. 
I don't need to touch the backend OpenSolaris box at all.


So what exactly is "idmap" for? Things seems to work just as expected without 
doing anything with idmap.
idmap is for when you want to have a UNIX user and a Windows user be considered equivalent.

In your experiment above, indeed the files are owned by user1 and have access control entries granting access to user1. From a Windows perspective, everything is easy and simple. However, from a UNIX perspective it is not so simple. Those files are owned by the Windows users, who will present to UNIX as magic very large user IDs. They aren't owned by any normal UNIX user.

Suppose you have a Windows/AD user, and you have a UNIX user ptaps. Since both of those are the same actual human being, you would really like to be able to approach your data from either platform and have the results be the same - the ownership be the same, and access rights be the same. Idmap exists to equate those two users.

The simplest way to use it would be to set up a rule like
   # idmap add unixuser:ptaps

After that, anything you do from Windows is done as the UNIX user ptaps. Files will be owned by ptaps, ACLs will list ptaps in them, and access checks will be done for ptaps. Files owned by ptaps (and ACL entries and so on) will be presented back to Windows as

There are several other ways to set up mappings, both for specialty environments and with the mapping information represented in various ways. You can have wild-card rules, for environments where names are the same in UNIX and Windows. You can store the mapping information in Active Directory, or in your UNIX LDAP service.

Does that help to explain what it's for?

cifs-discuss mailing list

Reply via email to