Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 21

[Figure 1 flowchart, starting from an SID. Decision points shown: In secmap?; In Local Group Database?; In Domain Controller?; In ntxmap? (No: Windows Name = UNIX Name); In Local Files or UDS?; Automatic Mapping?; Default UNIX Account?. Outcomes shown: UID and Primary GID; Windows Name used for SMB-only access; Unknown SID, Access Denied; Failed Mapping, Access Denied.]
Figure 1. Process for resolving an SID to a UID, primary GID mapping
UID to SID mapping
The following sequence is the process used to resolve a UID to an SID mapping:
1. secmap is searched for the UID. If the UID is found, the SID mapping is resolved.
2. If the UID is not found in secmap, the UNIX name related to the UID must be found.
   a. The UDS (NIS server, LDAP server, or local files) is searched using the UID. If the UID is found, the related UNIX name is the user name.
   b. If the UID is not found in the UDS but there is a default Windows account, the UID is mapped to the SID of the default Windows account.
3. If the default Windows account information is not used, the UNIX name is translated into a Windows name. The ntxmap is used for this purpose.
   a. If the UNIX name is found in ntxmap, the entry is used as the Windows name.
   b. If the UNIX name is not found in ntxmap, the UNIX name is used unchanged as the Windows name.
4. The Windows DC or the local group database is searched using the Windows name.
   a. If the Windows name is found, the SID mapping is resolved.
   b. If the Windows name contains a period, and the part of the name following the last period (.) matches an SMB server name, the local group database of that SMB server is searched to resolve the SID mapping.
   c. If the Windows name is not found but there is a default Windows account, the SID is mapped to that of the default Windows account.
   d. If the SID is not resolvable, access is denied.
If the mapping is found, it is added to the persistent secmap database. If the mapping is not found, the failed mapping is also added to the persistent secmap database, so a later lookup for the same UID is answered from secmap rather than from the directory sources.
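The following is an added example that models the four-step UID to SID resolution order above; it is not Dell PowerStore code and uses no PowerStore data stores or APIs. Every UID, account name, SID, SMB server name and directory entry in it is constructed for illustration. Two points are assumptions of the model rather than statements from the guide: that a failed mapping recorded in secmap is returned on a later lookup without re-querying the directories until the entry is cleared, and that in step 4b the part of the Windows name before the last period is the account looked up in the selected SMB server's local group database.

```python
# Added example: a model of the UID -> SID resolution order described on this
# page. Not Dell PowerStore code; all data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

DENIED = None  # resolution result meaning "access denied"


@dataclass
class UidToSidResolver:
    secmap: dict = field(default_factory=dict)             # uid -> sid, or None for a recorded failure (persistent cache)
    uds: dict = field(default_factory=dict)                # NIS/LDAP/local files: uid -> UNIX name
    ntxmap: dict = field(default_factory=dict)             # UNIX name -> Windows name
    domain_controller: dict = field(default_factory=dict)  # Windows name -> SID
    local_groups: dict = field(default_factory=dict)       # SMB server name -> {Windows name -> SID}
    default_windows_sid: Optional[str] = None              # SID of the default Windows account, if configured
    trace: list = field(default_factory=list)              # (uid, deciding step) per lookup, for inspection

    def resolve(self, uid: int) -> Optional[str]:
        # Step 1: secmap. A hit is returned immediately. Model assumption: a
        # recorded failure is also served from the cache, without re-querying.
        if uid in self.secmap:
            self.trace.append((uid, "secmap"))
            return self.secmap[uid]
        sid, step = self._lookup(uid)
        self.trace.append((uid, step))
        # Success or failure, the outcome is written to the persistent secmap.
        self.secmap[uid] = sid
        return sid

    def _lookup(self, uid: int):
        # Step 2: find the UNIX name for the UID in the UDS.
        unix_name = self.uds.get(uid)
        if unix_name is None:
            # Step 2b: an unknown UID falls back to the default Windows account, if any.
            if self.default_windows_sid is not None:
                return self.default_windows_sid, "default account (uid not in UDS)"
            return DENIED, "failed (uid not in UDS, no default account)"
        # Step 3: translate the UNIX name via ntxmap; without an entry it is used unchanged.
        windows_name = self.ntxmap.get(unix_name, unix_name)
        # Step 4a: domain controller.
        sid = self.domain_controller.get(windows_name)
        if sid is not None:
            return sid, "domain controller"
        # Step 4b: "account.server" selects that SMB server's local group database.
        # Model assumption: the part before the last period is the account looked up.
        account, sep, server = windows_name.rpartition(".")
        if sep and server in self.local_groups:
            sid = self.local_groups[server].get(account)
            if sid is not None:
                return sid, f"local group database of {server}"
        # Step 4c: default Windows account as the last resort.
        if self.default_windows_sid is not None:
            return self.default_windows_sid, "default account (name not found)"
        # Step 4d: not resolvable.
        return DENIED, "failed (name not found)"

    def forget(self, uid: int) -> None:
        """Drop a cached secmap entry so the next lookup queries the directories again."""
        self.secmap.pop(uid, None)


def build_example_resolver(default_windows_sid: Optional[str] = None) -> UidToSidResolver:
    # Constructed sample directories; none of these names or SIDs are real.
    return UidToSidResolver(
        uds={1001: "alice", 1002: "bob", 1003: "svc.fileserver1"},
        ntxmap={"bob": "robert"},                       # bob's Windows name differs from his UNIX name
        domain_controller={"alice": "S-1-5-21-1-1-1-1101", "robert": "S-1-5-21-1-1-1-1102"},
        local_groups={"fileserver1": {"svc": "S-1-5-21-9-9-9-1005"}},
        default_windows_sid=default_windows_sid,
    )


def demo():
    """Show the cached-failure behaviour: a UID that failed once stays denied until forgotten."""
    r = build_example_resolver()
    first = r.resolve(1004)                     # unknown UID, no default account: denied and cached
    r.uds[1004] = "dave"                        # the account is created afterwards...
    r.domain_controller["dave"] = "S-1-5-21-1-1-1-1104"
    still_denied = r.resolve(1004)              # ...but secmap still answers with the failure
    r.forget(1004)
    after_forget = r.resolve(1004)              # a fresh lookup now succeeds
    return first, still_denied, after_forget


if __name__ == "__main__":
    r = build_example_resolver()
    for uid in (1001, 1002, 1003, 1004):
        print(uid, r.resolve(uid))
    print(r.trace)
    print(demo())
```

The `trace` list records which step decided each lookup, which is the information a practitioner needs when a share ACL behaves unexpectedly: a SID that came from the default Windows account, or a denial served from a cached failure, looks identical to a directory hit unless the deciding step is visible.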
The following diagram illustrates the process used to resolve a UID to an SID mapping: