Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 20

Windows resolvers, secmap, ntxmap, SID to UID, primary GID mapping



Windows resolvers
Windows resolvers are used for user mapping to do the following:
• Return the Windows account name that corresponds to a given security identifier (SID)
• Return the SID that corresponds to a given Windows account name
The Windows resolvers are:
• The domain controller (DC) of the domain
• The local group database (LGDB) of the SMB server
secmap
secmap stores all SID-to-UID and primary GID mappings, and all UID-to-SID mappings, so that the mappings stay coherent across all file systems of the NAS server.
ntxmap
ntxmap associates a Windows account with a UNIX account when the two names differ. For example, if a user's account is called Gerald on Windows but the UNIX account is called Gerry, ntxmap records the correlation between the two.
SID to UID, primary GID mapping
The following sequence is used to resolve a SID to a UID and primary GID mapping:
1. secmap is searched for the SID. If the SID is found, the UID and GID mapping is resolved.
2. If the SID is not found in secmap, the Windows name related to the SID must be found.
   a. The local group databases of the SMB servers of the NAS server are searched for the SID. If the SID is found, the related Windows name is the local user name together with the SMB server name.
   b. If the SID is not found in the local group databases, the DC of the domain is searched. If the SID is found, the related Windows name is the user name. If the SID cannot be resolved, access is denied.
3. The Windows name is translated into a UNIX name by using ntxmap.
   a. If the Windows name is found in ntxmap, the entry is used as the UNIX name.
   b. If the Windows name is not found in ntxmap, the Windows name itself is used as the UNIX name.
4. The UDS (NIS server, LDAP server, or local files) is searched using the UNIX name.
   a. If the UNIX user name is found in the UDS, the UID and GID mapping is resolved.
   b. If the UNIX user name is not found in the UDS but the automatic mapping for unmapped Windows accounts feature is enabled, a UID is assigned automatically.
   c. If the UNIX user name is not found in the UDS but a default UNIX account is configured, the UID and GID mapping is resolved to that of the default UNIX account.
   d. Otherwise the mapping cannot be resolved and access is denied.
If a mapping is found, it is added to the persistent secmap database. If no mapping is found, the failed mapping is also recorded in the persistent secmap database.
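The resolution order above, modelled in Python as an added example (not Dell PowerStore code). Plain dictionaries stand in for secmap, the SMB servers' local group databases, the domain controller, ntxmap and the UDS; every SID, account name, UID and GID below is constructed. The separator used for "local user name together with the SMB server name", the private range used for automatically assigned IDs, and the reuse of an auto-assigned UID as primary GID are assumptions of this example, not statements from the guide.

```python
"""Model of the SID -> (UID, primary GID) resolution order described above.

Added example, not Dell PowerStore code: the dictionaries stand in for
secmap, the SMB servers' LGDBs, the DC, ntxmap and the UDS. All data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Mapping = Tuple[int, int]  # (UID, primary GID)


@dataclass
class NasServer:
    # secmap: persistent SID -> mapping cache. None is a stored failed mapping.
    secmap: Dict[str, Optional[Mapping]] = field(default_factory=dict)
    # LGDB per SMB server: server name -> {SID: local user name}
    lgdb: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # DC stand-in: SID -> domain user name
    dc: Dict[str, str] = field(default_factory=dict)
    # ntxmap: Windows name -> UNIX name, only for accounts whose names differ
    ntxmap: Dict[str, str] = field(default_factory=dict)
    # UDS (NIS, LDAP or local files): UNIX name -> (UID, GID)
    uds: Dict[str, Mapping] = field(default_factory=dict)
    auto_map_unmapped: bool = False
    default_unix_account: Optional[str] = None
    next_auto_id: int = 60000  # assumed private range for auto-assigned IDs

    def windows_name(self, sid: str) -> Optional[str]:
        """Step 2: every SMB server's LGDB first, then the DC."""
        for server, users in self.lgdb.items():
            if sid in users:
                # Local name qualified by SMB server name; the separator is
                # an assumption of this example.
                return f"{server}\\{users[sid]}"
        return self.dc.get(sid)

    def uds_lookup(self, unix_name: str) -> Optional[Mapping]:
        """Step 4: UDS, then automatic mapping, then the default UNIX account."""
        if unix_name in self.uds:
            return self.uds[unix_name]
        if self.auto_map_unmapped:
            uid = self.next_auto_id
            self.next_auto_id += 1
            # The guide only says a UID is assigned; reusing it as the primary
            # GID is an assumption of this example.
            return (uid, uid)
        if self.default_unix_account is not None:
            return self.uds.get(self.default_unix_account)
        return None

    def resolve(self, sid: str) -> Optional[Mapping]:
        """Return (UID, primary GID) for a SID, or None when access is denied."""
        # Step 1: secmap, including a previously stored failed mapping.
        if sid in self.secmap:
            return self.secmap[sid]
        # Step 2: Windows name; an unresolvable SID is denied and recorded.
        win = self.windows_name(sid)
        if win is None:
            self.secmap[sid] = None
            return None
        # Step 3: ntxmap translation, else the Windows name is the UNIX name.
        unix_name = self.ntxmap.get(win, win)
        # Step 4: UDS / auto-map / default account; persist hit or miss.
        mapping = self.uds_lookup(unix_name)
        self.secmap[sid] = mapping
        return mapping


def build_example() -> NasServer:
    """Constructed sample data: one SMB server, a small domain, a small UDS."""
    return NasServer(
        lgdb={"SMB01": {"S-1-5-21-7-7-7-1001": "admin"}},
        dc={
            "S-1-5-21-1-2-3-1105": "Gerald",
            "S-1-5-21-1-2-3-1106": "alice",
            "S-1-5-21-1-2-3-1107": "contractor",
        },
        ntxmap={"Gerald": "Gerry", "SMB01\\admin": "smbadmin"},
        uds={
            "Gerry": (1001, 100),
            "alice": (1002, 100),
            "smbadmin": (1500, 1500),
            "nobody": (65534, 65534),
        },
        default_unix_account="nobody",
    )


if __name__ == "__main__":
    nas = build_example()
    for sid in ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106",
                "S-1-5-21-1-2-3-1107", "S-1-5-21-7-7-7-1001",
                "S-1-5-21-1-2-3-9999"]:
        print(sid, "->", nas.resolve(sid))
    print("secmap:", nas.secmap)
```

Two consequences of the sequence are worth checking on a real deployment, and the model makes both visible: because a failed mapping is persisted, a SID that once could not be resolved (for instance while the DC was unreachable) keeps being denied from secmap until that entry is cleared; and because step 3b falls back to the Windows name, a domain account whose name happens to match a UNIX account in the UDS inherits that account's UID and GID with no ntxmap entry at all, so the contents of ntxmap and the UDS, and the choice of a default UNIX account shared by every unmapped user, are access-control decisions rather than housekeeping.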
The following diagram illustrates the process used to resolve an SID to a UID, primary GID mapping:
20
Authentication and access