Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
This information is Copyright 2007 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
Winchester idmap(1M) update
1.2. Name of Document Author/Supplier:
Author: Dave Maxera
1.3 Date of This Document:
09 August, 2007
4. Technical Description
I'm sponsoring this case for Dave Maxera and the Winchester project team.
It updates the idmap(1M) command introduced in PSARC/2006/315
"Winchester: Schema Mapping and ID Mapping for AD Interoperability"
The project has not yet delivered into Solaris. The release binding
remains unchanged as Patch. Likewise, the interface taxonomy remains
unchanged as Uncommitted.
During implementation the project team found a number of ambiguities
and inconsistencies that this update corrects. An updated man page
is in the case directory along with a diff file of the old man page
against the updated man page.
The timer is set for 20 Aug, 2007 as I'll be on holiday till then.
Gary..
+++++++++++++++++++++++++++++++++
Background:
===========
idmap(1M) is the management interface for mapping Windows identities to native
Solaris (POSIX) identities. It allows the administrator to specify
mappings between various Windows and Solaris user and group identities.
Problem:
========
In the present Winchester scheme, the type of user (Windows or UNIX) and the
form (string or integer) are determined by a prefix to the argument, which
are "uid", "gid", "sid", "unixname", and "winname".
For example, "uid:1234" represents a user ID with a value of 1234,
"unixname:foo" represents a UNIX name (either user or group) foo, and
"sid:S-1-2-3" represents a Windows Security IDentifier with a value of S-1-2-3.
Displaying what a particular mapping represents, for example with
"idmap show unixname:foo", is ambiguous: foo could be either a user or a group.
The identity type prefix is optional when it can be determined from context.
Unfortunately that opens the door to ambiguities and inconsistencies
in use. The -u and -g subcommand options are used to imply the type prefix in
some commands but not others. In both UNIX and Windows, names and SIDs can
represent either a group or a user.
The proposals in this case are intended to satisfy a potential future
consideration.
Windows files sometimes have a "group" as the file owner. Mapping Windows
groups to Solaris users is not presently part of Winchester, but may be
needed in the future. The proposed changes are intended to be sufficient
to allow such mappings in the future.
Solution:
=========
* disambiguate the UNIX user/group name "unixname" by explicitly specifying
  "unixuser" and "unixgroup" in all places where "unixname" was used.
* disambiguate the Windows identity names "winname" and "sid" by explicitly
  specifying "winuser", "wingroup" and "usid", "gsid" as needed.
* remove the -u and -g options, as they are not needed now that the identity
  types are disambiguated. This does lead to a functional change in the
  dump and list subcommands: with this change, getting only users or only
  groups requires grepping for "uid:", "gid:", "user:", "group:", ...
  See identity and example 2 in idmap(1M).
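To make the old-versus-new prefix scheme concrete, the following added example
(not code from this case or from the idmap(1M) implementation) parses
identity tokens under both schemes, reports when a token is ambiguous,
rewrites an old ambiguous prefix into the explicit form for a stated kind,
and performs the user/group filtering that the removed -u and -g options used
to provide by keying on the parsed prefix instead of a raw grep. The function
names, the SID syntax check (S-1-<authority>-<sub-authorities>), and the
"==" / "=>" separators in the constructed sample dump lines are assumptions
made for this example, not something the case text specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Identity prefixes named in the case text. "unixname", "winname" and "sid"
# are the ambiguous PSARC/2006/315 forms; the rest are the disambiguated
# forms this update introduces. prefix -> (kind, form); kind is None when
# the prefix does not say whether the identity is a user or a group.
PREFIXES = {
    "uid":       ("user",  "numeric"),
    "gid":       ("group", "numeric"),
    "unixuser":  ("user",  "name"),
    "unixgroup": ("group", "name"),
    "winuser":   ("user",  "name"),
    "wingroup":  ("group", "name"),
    "usid":      ("user",  "sid"),
    "gsid":      ("group", "sid"),
    "unixname":  (None,    "name"),
    "winname":   (None,    "name"),
    "sid":       (None,    "sid"),
}
UNIX_PREFIXES = {"uid", "gid", "unixuser", "unixgroup", "unixname"}

# Textual SID shape S-1-<authority>[-<sub-authority>...]; an assumed check
# for this example, not a rule taken from the case.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


@dataclass
class Identity:
    prefix: str
    value: str
    side: str            # "unix" or "windows"
    kind: Optional[str]  # "user", "group", or None when the prefix is ambiguous
    form: str            # "name", "numeric" or "sid"

    @property
    def ambiguous(self) -> bool:
        return self.kind is None


def parse_identity(token: str) -> Identity:
    """Parse one prefix:value token and validate the value against the form the prefix implies."""
    if ":" not in token:
        raise ValueError(f"missing identity prefix: {token!r}")
    prefix, value = token.split(":", 1)
    if prefix not in PREFIXES:
        raise ValueError(f"unknown identity prefix: {prefix!r}")
    kind, form = PREFIXES[prefix]
    if form == "numeric" and not value.isdigit():
        raise ValueError(f"{prefix} requires a non-negative integer, got {value!r}")
    if form == "sid" and not SID_RE.match(value):
        raise ValueError(f"{prefix} requires a SID such as S-1-2-3, got {value!r}")
    if form == "name" and not value:
        raise ValueError(f"{prefix} requires a non-empty name")
    side = "unix" if prefix in UNIX_PREFIXES else "windows"
    return Identity(prefix, value, side, kind, form)


def disambiguate(token: str, kind: str) -> str:
    """Rewrite an old-style ambiguous token into the explicit prefix for the given kind.

    Tokens that already carry an explicit prefix are returned unchanged.
    """
    ident = parse_identity(token)
    if not ident.ambiguous:
        return token
    new_prefix = {
        ("unixname", "user"): "unixuser", ("unixname", "group"): "unixgroup",
        ("winname", "user"): "winuser",   ("winname", "group"): "wingroup",
        ("sid", "user"): "usid",          ("sid", "group"): "gsid",
    }[(ident.prefix, kind)]
    return f"{new_prefix}:{ident.value}"


# Constructed sample of dump-style output once every prefix is explicit.
# The "==" and "=>" separators are an assumption made for this example.
SAMPLE_DUMP = [
    "usid:S-1-5-21-1000-2000-3000-1104 == uid:1001",
    "gsid:S-1-5-21-1000-2000-3000-513 == gid:100",
    "winuser:alice@example.com => unixuser:alice",
    "wingroup:staff@example.com => unixgroup:staff",
]


def filter_mappings(lines: List[str], kind: str) -> List[str]:
    """Keep only mapping lines whose identities are all of the requested kind.

    This stands in for the removed -u/-g options: the filtering is keyed on
    the parsed prefix, so "user" in a name cannot be mistaken for a prefix.
    """
    kept = []
    for line in lines:
        idents = [parse_identity(t) for t in line.split() if ":" in t]
        if idents and all(i.kind == kind for i in idents):
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(parse_identity("unixname:foo").ambiguous)  # old prefix: cannot tell user from group
    print(disambiguate("unixname:foo", "group"))      # unixgroup:foo
    for line in filter_mappings(SAMPLE_DUMP, "user"):
        print(line)
```

The parser rejects a value whose shape does not match its prefix (a non-numeric
uid, a malformed SID), which is the kind of check a management interface
should apply before handing a token to the mapping backend.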
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open