Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
idmap
idmap -f command-file
idmap add [-d] name1 name2
idmap dump [-n] [-v]
idmap export [-f file] format
idmap get-namemap name
idmap help
idmap import [-F] [-f file] format
idmap list
idmap remove [-t|-f] name
idmap remove -a
idmap remove [-d] name1 name2
idmap set-namemap [-a authenticationMethod] [-D bindDN] [-j passwdfile] name1 name2
idmap show [-c] [-v] identity [target-type]
idmap unset-namemap [-a authenticationMethod] [-D bindDN] [-j passwdfile] name [target-type]
The idmap utility is used to configure and manage the Native Identity Mapping service.
The Native Identity Mapping service supports the following types of mappings between Windows security identities (SIDs) and POSIX user IDs and group IDs (UIDs and GIDs):
Name-based mapping. An administrator maps Windows and UNIX users and groups by name.
Ephemeral ID mapping. A UID or GID is dynamically allocated for every SID that is not already mapped by name.
Local-SID mapping. A non-ephemeral UID or GID is mapped to an algorithmically generated local SID.
The idmap utility can be used to create and manage the name-based mappings and to monitor the mappings in effect.
If the idmap utility is invoked without a subcommand or option, it reads the subcommands from standard input. When standard input is a TTY, the idmap command prints the usage message and exits.
The idmapd(1M) daemon maps Windows user and group SIDs to UNIX UIDs and GIDs as follows:
1. SIDs are mapped by name. This mapping uses the name-based mappings that are manually set up by the system administrator.
2. If no name-based mapping is found, the SID is mapped to a dynamically allocated ephemeral ID. This allocation uses the next available UID or GID from 2^31 to 2^32 - 2.
Local SID mappings are used to map from UNIX to Windows.
To prevent aliasing problems, all file systems, archive and backup formats, and protocols must store SIDs or map all UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody user and group.
It is possible to create also diagonal mappings. They are the mappings between Windows groups and Solaris users and between Solaris groups and Windows users. They are needed when Windows uses a group identity as a file owner or vice versa.
Name-based mappings establish name equivalence between Windows users and groups and their counterparts in the UNIX name service. These mappings persist across reboots. For example, the following command maps Windows users to UNIX users with the same name:
# idmap add "winuser:*@mywindomain.com" "unixuser:*"
If configured to use a directory service, idmapd(1M) will first try to use the mapping information that is stored in user or group objects in the Active Directory (AD) and/or the native LDAP directory service. For example, an AD object for a given Windows user or group can be augmented to include the corresponding Solaris user or group name or numeric id. Similarly, the native LDAP object for a given Solaris user or group can be augmented to include the corresponding Windows user or group name.
idmapd(1M) can be configured to use AD and/or native LDAP directory-based name mappings by setting the appropriate service management facility (SMF) properties of the idmap service. See "Service Properties," below, for more details.
If directory-based name mapping is not configured or if configured but not found, then idmapd(1M) will process locally stored name-based mapping rules.
idmap supports the mapping of Windows well-known names. A few of these are listed below:
Administrator Guest KRBTGT Domain Admins Domain Users Domain Guest Domain Computers Domain Controllers
When idmap rules are added, these well-known names will be expanded to canonical form. That is, either the default domain name will be added (for names that are not well-known) or an appropriate built-in domain name will be added. Depending on the particular well-known name, this domain name might be null, BUILTIN, or the local host name.
The following sequence of idmap commands illustrate the treatment of the non-well-known name fred and the well-known names administrator and guest.
# idmap add winname:fred unixuser:fredf add winname:fred unixuser:fredf # idmap add winname:administrator unixuser:root add winname:administrator unixuser:root # idmap add winname:guest unixuser:nobody add winname:guest unixuser:nobody # idmap add wingroup:administrators sysadmin add wingroup:administrators unixgroup:sysadmin # idmap list add winname:Administrator@examplehost unixuser:root add winname:Guest@examplehost unixuser:nobody add wingroup:Administrators@BUILTIN unixgroup:sysadmin add winname:fred@example.com unixuser:fredf
The idmapd daemon attempts to preserve ephemeral ID mappings across daemon restarts. However, when IDs cannot be preserved, the daemon maps each previously mapped SID to a new ephemeral UID or GID value. The daemon will never re-use ephemeral UIDs or GIDs. If the idmapd daemon runs out of ephemeral UIDs and GIDs, it returns an error as well as a default UID or GID for SIDs that cannot be mapped by name.
The dynamic ID mappings are not retained across reboots. So, any SIDs that are dynamically mapped to UNIX UIDs or GIDs are most likely mapped to different IDs after rebooting the system.
If no name-based mapping is found, a non-ephemeral UID or GID is mapped to an algorithmically generated local SID. The mapping is generated as follows:
local SID for UID = <machine SID> - <1000 + UID> local SID for GID = <machine SID> - <2^31 + GID>
<machine SID> is a unique SID generated by the idmap service for the host on which it runs.
When mapping a Windows name to a UNIX name, lookup for name-based mapping rules is performed in the following order:
1. windows-name@domain to ""
2. windows-name@domain to unix-name
3. windows-name@* to ""
4. windows-name@* to unix-name
5. *@domain to *
6. *@domain to ""
7. *@domain to unix-name
8. *@* to *
9. *@* to ""
10. *@* to unix-name
When mapping a UNIX name to a Windows name, lookup for name-based mapping rules is performed in the following order:
1. unix-name to ""
2. unix-name to windows-name@domain
3. * to *@domain
4. * to ""
5. * to windows-name@domain
The service properties determine the behavior of the idmapd(1M) daemon. These properties are stored in the SMF repository (see smf(5)) under property group config. They can be accessed and modified using svccfg(1M), which requires solaris.smf.value.idmap authorization. The service properties for the idmap service are: config/ad_unixuser_attr
Specify the name of the AD attribute that contains the UNIX user name. There is no default.
Specify the name of the AD attribute that contains the UNIX group name. There is no default.
Specify the name of the Native LDAP attribute that contains the Windows user/group name. There is no default.
Controls support for identity mapping using data stored in a directory service. none disables directory-based mapping. name enables name-based mapping using the properties described above. idmu enables mapping using Microsoft's Identity Management for UNIX (IDMU). This Windows component allows the administrator to specify a UNIX user ID for each Windows user, mapping the Windows identity to the corresponding UNIX identity. Only IDMU data from the domain the Solaris system is a member of is used.
Changes to service properties do not affect a running idmap service. The service must be refreshed (with svcadm(1M)) for the changes to take effect.
The idmap command uses the following operands: format
Specifies the format in which user name mappings are described for the export and import subcommands. The Netapp usermap.cfg and Samba smbusers external formats are supported. These external formats are only for users, not groups.
The usermap.cfg rule-mapping format is as follows:
windows-username [direction] unix-usernamewindows-username is a Windows user name in either the domain\eusername or username@domain format. unix-username is a UNIX user name.
direction is one of the following:
== means a bidirectional mapping, which is the default.
=> or <= means a unidirectional mapping.
The smbusers rule-mapping format is as follows:
unixname = winname1 winname2 ...If winname includes whitespace, escape the whitespace by enclosing the value in double quotes. For example, the following file shows how to specify whitespace in a valid format for the idmap command:
$ cat myusermap
terry="Terry Maddox"
pat="Pat Flynn"
cal=cbrown
The mappings are imported as unidirectional mappings from Windows names to UNIX
names.
The format is based on the "username map" entry of the smb.conf man page,
which is available on the samba.org web site. The use of an asterisk
(*) for windows-name is supported. However, the @group
directive and the chaining of mappings are not supported.
By default, if no mapping entries are in the smbusers file, Samba maps a
windows-name to the equivalent unix-name, if any. If you want to
set up the same mapping as Samba does, use the following idmap command:
idmap add -d "winuser:*@*" "unixuser:*"
Specifies a user name, user ID, group name, or group ID. identity is specified as type:value. type is one of the following: usid
Windows user SID in text format
Windows group SID in text format
Windows group SID in text format that can belong either to a user or to a group
Numeric POSIX UID
Numeric POSIX GID
UNIX user name
UNIX group name
Windows user name
Windows group name
Windows user or group name
Specifies a UNIX name (unixuser, unixgroup) or a Windows name (winuser, wingroup) that can be used for name-based mapping rules.
A Windows security entity name can be specified in one of these ways:
domain\ename
name@domain
name, which uses the default mapping domain
Used with the show and unset-namemap subcommands. For show, specifies the mapping type that should be shown. For example, if target-type is sid, idmap show returns the SID mapped to the identity specified on the command line. For unset-namemap, identifies an attribute within the object specified by the name operand.
The idmap command supports one option and a set of subcommands. The subcommands also have options.
Reads and executes idmap subcommands from command-file. The idmap -f - command reads from standard input. This option is not used by any subcommands.
The following subcommands are supported: add [-d] name1 name2
Adds a name-based mapping rule. By default, the name mapping is bidirectional. If the -d option is used, a unidirectional mapping is created from name1 to name2. Either name1 or name2 must be a Windows name, and the other must be a UNIX name. For the Windows name, the winname identity type must not be used. Instead, specify one of the winuser or wingroup types. See "Operands" for information about the name operand. Note that two unidirectional mappings between the same two names in two opposite directions are equivalent to one bidirectional mapping. This subcommand requires the solaris.admin.idmap.rules authorization.
Dumps all the mappings cached since the last system boot. The -n option shows the names, as well. By default, only sids, uids, and gids are shown. The -v option shows how the mappings were generated.
Exports name-based mapping rules to standard output in the specified format. The -f file option writes the rules to the specified output file.
Get the directory-based name mapping information from the AD or native LDAP user or group object represented by the specified name.
Displays the usage message.
Imports name-based mapping rules from standard input by using the specified format. The -f file option reads the rules from the specified file. The -F option flushes existing name-based mapping rules before adding new ones. Regardless of the external format used, the imported rules are processed by using the semantics and order described in the section "Rule Lookup Order," above. This subcommand requires the solaris.admin.idmap.rules authorization.
Lists all name-based mapping rules. Each rule appears in its idmap add form.
Removes any name-based mapping rule that involves the specified name. name can be either a UNIX or Windows user name or group name. The -f option removes rules that use name as the source. The -t option removes rules that use name as the destination. These options are mutually exclusive. This subcommand requires the solaris.admin.idmap.rules authorization.
Removes all name-based mapping rules. This subcommand requires the solaris.admin.idmap.rules authorization.
Removes name-based mapping rules between name1 and name2. If the -d option is specified, rules from name1 to name2 are removed. Either name1 or name2 must be a Windows name, and the other must be a UNIX name. This subcommand requires the solaris.admin.idmap.rules authorization.
Sets name mapping information in the AD or native LDAP user or group object. Either name1 or name2 must be a Windows name, and the other must be a UNIX name. If name1 is a Windows name, then the UNIX name name2 is added to the AD object represented by name1. Similarly, if name1 is a UNIX name then the Windows name name2 is added to the native LDAP entry represented by name1. The following options are supported: -a authenticationMethod
Specify authentication method when modifying native LDAP entry. See ldapaddent(1M) for details. Default value is sasl/GSSAPI.
Uses the distinguished name bindDN to bind to the directory.
Specify a file containing the password for authentication to the directory.
Shows the identity of type, target-type, that the specified name maps to. If the optional target-type is omitted, the non-diagonal mapping is shown. By default, this subcommand shows only mappings that have been established already. The -c option forces the evaluation of name-based mapping configurations or the dynamic allocation of IDs. The -v option shows how the mapping was generated and also whether the mapping was just generated or was retrieved from the cache.
Unsets directory-based name mapping information from the AD or native LDAP user or group object represented by the specified name and optional target type. See the set-namemap subcommand for options.
Example 1 Using a Wildcard on Both Sides of a Name-Based Mapping Rule
The following command maps all Windows user names in the xyz.com domain to the UNIX users with the same names provided that one exists and is not otherwise mapped. If such a rule is matched but the UNIX user name does not exist, an ephemeral ID mapping is used.
# idmap add "winuser:*@xyz.com" "unixuser:*"
Example 2 Using a Wildcard on One Side of a Name-Based Mapping Rule
The following command maps all unmapped Windows users in the xyz.com domain to the guest UNIX user. The -d option specifies a unidirectional mapping from *@xyz.com users to the guest user.
# idmap add -d "winuser:*@xyz.com" unixuser:guest
Example 3 Adding a Bidirectional Name-Based Mapping Rule
The following command maps Windows user, foobar@example.com, to UNIX user, foo, and conversely:
# idmap add winuser:foobar@example.com unixuser:foo
This command shows how to remove the mapping added by the previous command:
# idmap remove winuser:foobar@example.com unixuser:foo
Example 4 Showing a UID-to-SID Mapping
The following command shows the SID that the specified UID, uid:50000, maps to:
# idmap show uid:50000 sid
uid:50000 -> usid:S-1-5-21-3223191800-2000
The following command shows the UNIX user name that the specified Windows user name, joe@example.com, maps to:
# idmap show joe@example.com unixuser
winuser:joe@example.com -> unixuser:joes
Example 5 Listing the Cached SID-to-UID Mappings
The following command shows all of the SID-to-UID mappings that are in the cache:
# idmap dump | grep "uid:"
usid:S-1-5-21-3223191800-2000 == uid:50000
usid:S-1-5-21-3223191800-2001 == uid:50001
usid:S-1-5-21-3223191800-2006 == uid:50010
usid:S-1-5-21-3223191900-3000 == uid:2147491840
usid:S-1-5-21-3223191700-4000 => uid:60001
Example 6 Batching idmap Requests
The following commands show how to batch idmap requests. This particular command sequence does the following:
Removes any previous rules for foobar@example.com.
Maps Windows user foobar@example.com to UNIX user bar and vice-versa.
Maps Windows group members to UNIX group staff and vice-versa.
# idmap <<EOF remove winuser:foobar@example.com add winuser:foobar@example.com unixuser:bar add wingroup:members unixgroup:staff EOF
Example 7 Listing Name-Based Mapping Rules
The following command shows how to list the name-based mapping rules:
# idmap list
add winuser:foobar@example.com unixuser:bar
add wingroup:members unixgroup:staff
Example 8 Importing Name-Based Mapping Rules From the usermap.cfg File
The usermap.cfg file can be used to configure name-based mapping rules. The following usermap.cfg file shows mapping rules that map Windows user foo@example.com to UNIX user foo, and that map foobar@example.com to the UNIX user foo.
# cat usermap.cfg
foo@example.com == foo
foobar@example.com => foo
The following idmap command imports usermap.cfg information to the idmapd database:
# cat usermap.cfg | idmap import usermap.cfg
This command does the same as the previous command:
# idmap import -f usermap.cfg usermap.cfg
The following commands are equivalent to the previous idmap import commands:
# idmap <<EOF add winuser:foo@example.com unixuser:foo add -d winuser:foobar@example.com unixuser:foo EOF
Example 9 Using Name-Based and Ephemeral ID Mapping With Identity Function Mapping and Exceptions
The following commands map all users in the example.com Windows domain to UNIX user accounts of the same name. The command also specifies mappings for the following Windows users: joe@example.com, jane.doe@example.com, administrator@example.com. The administrator from all domains is mapped to nobody. Any Windows users without corresponding UNIX accounts are mapped dynamically to available ephemeral UIDs.
# idmap import usermap.cfg <<EOF joe@example.com == joes jane.doe@example.com == janed administrator@* => nobody *@example.com == * *@example.com => nobody EOF
Example 10 Adding Directory-based Name Mapping to AD User Object
The following command maps Windows user joe@example.com to UNIX user joe by adding the UNIX name to AD object for joe@example.com.
# idmap set-namemap winuser:joe@example.com joes
Example 11 Adding Directory-based Name Mapping to Native LDAP User Object
The following command maps UNIX user foo to Windows user foobar@example.com by adding the Windows name to native LDAP object for foo.
# idmap set-namemap unixuser:foo foobar@example.com
Example 12 Removing Directory-based Name Mapping from AD User Object
The following command removes the UNIX username unixuser from the AD object representing joe@example.com.
# idmap unset-namemap winuser:joe@example.com unixuser
Successful completion.
An error occurred. A diagnostic message is written to standard error.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE |
Interface Stability Uncommitted |
svcs(1), idmapd(1M), ldapaddent(1M), svcadm(1M), svccfg(1M), attributes(5), smf(5)
The idmapd service is managed by the service management facility, smf(5). The service identifier for the idmapd service is svc:/system/idmap.
Use the svcadm command to perform administrative actions on this service, such as enabling, disabling, or restarting the service. These actions require the solaris.smf.manage.idmap authorization. Use the svcs command to query the service's status.
Windows user names are case-insensitive, while UNIX user names are case-sensitive. The case of Windows names as they appear in idmap name-rules and idmap show command lines is irrelevant.
Because common practice in UNIX environments is to use all-lowercase user names, wildcard name-rules map Windows names to UNIX user/group names as follows: first, the canonical Windows name (that is, in the case as it appears in the directory) is used as a UNIX user or group name. If there is no such UNIX entity, then the Windows name's case is folded to lowercase and the result is used as the UNIX user or group name.
As a result of this differing treatment of case, user names that appear to be alike might not be recognized as matches. You must create rules to handle such pairings of strings that differ only in case. For example, to map the Windows user sam@example to the Solaris user Sam, you must create the following rules:
# idmap add "winuser:*@example" "unixuser:*" # idmap add winuser:sam@example unixuser:Sam
For guidance on modifying an Active Directory schema, consult the Microsoft document, Step-by-Step Guide to Using Active Directory Schema and Display Specifiers, which you can find at their technet web site, http://technet.microsoft.com/.