The Solaris CIFS Service
The Solaris Operating System (Solaris OS) has reached a new level of
Windows interoperability with the introduction of an integrated CIFS service. A Solaris server
can now be an active participant in a Windows active directory domain
and provide ubiquitous, cross-protocol file sharing through CIFS and NFS to clients
in their native dialect.
The Solaris CIFS service allows a native Solaris system to serve files,
by means of CIFS shares, to CIFS/SMB enabled clients, such as Windows
and Mac OS systems. By virtue of the Solaris CIFS service, a
Windows client (or other CIFS client) can interoperate with the Solaris CIFS
service as it would with a Windows server.
The Solaris CIFS service can operate in either workgroup mode or in
domain mode. In workgroup mode, the Solaris CIFS service is responsible for
authenticating users locally when access is requested to shared resources. This authentication
process is referred to as local login. In domain mode, the Solaris
CIFS service uses pass-through authentication, in which user authentication is delegated to
a domain controller.
When a user is successfully authenticated, the Solaris CIFS service generates an
access token using the security identifiers (SIDs) that represent the user's identity
and the groups of which the user is a member. When the
user requests access to files or resources from the service, the access
token is used to determine access to files by cross-checking the token
with the access control list (ACL) or permissions on files and resources.
Solaris OS credentials have been enhanced to fully support Windows-style SIDs. In
addition, file systems, such as ZFS, support Windows-style ACLs and access checking.
The Solaris OS is unique in that it can manage user identities
simultaneously by using both traditional UIDs (and GIDs) and SIDs. When a
user is authenticated through the CIFS service, the user's CIFS identity is
mapped to the appropriate UNIX®
or Network Information Service (NIS) identity by using the idmap
identity mapping service. If an existing UNIX or NIS identity exists, that
identity is used. Otherwise, a temporary identity is generated using ephemeral UIDs
and GIDs, as required. Ephemeral IDs are valid only within each Solaris
OS instance and only until the system is rebooted. These IDs are
never stored on disk or transmitted over the network. When an ACL
is stored on disk through the CIFS service, the SIDs are used
to generate the access control entries. Solaris utilities, such as ls and
chmod, support ACL management.
For more information about how the Solaris OS manages user identities, see
Chapter 2, Identity Mapping Administration (Tasks).
The following diagram shows how a Solaris file server can operate simultaneously
with both NIS and Windows domains. The Windows domain controller provides CIFS
authentication and naming services for CIFS clients and servers, while the NIS
servers provide naming services for NFS clients and servers.
Figure 1-1 Solaris CIFS Environment
The Solaris services described in this book include the following components:
Solaris CIFS Service
Note - The Samba and CIFS services cannot be used simultaneously on a single
Solaris system. The Samba service must be disabled in order to run
the Solaris CIFS service. For more information, see How to Disable the Samba Service.
For a high-level overview of configuring the Solaris CIFS service, see Configuring the Solaris CIFS Service - Process Overview.
For information about configuring the service, see Chapter 3, Solaris CIFS Service Administration (Tasks). For more information about
the Solaris CIFS service, see the smbadm(1M), smbd(1M), smbstat(1M), smb(4), smbautohome(4),
and pam_smb_passwd(5) man pages.
The CIFS features offered by the Solaris service depend on the file
system being shared. To fully support the Solaris CIFS service, a file
system should support the following features:
If the file system supports the archive, hidden, read-only, and system attributes, these attributes are made available as the DOS attributes available on Windows systems. ZFS supports these attributes.
If the file system supports Solaris extended attributes, they are made available as NTFS alternate data streams.
The case-sensitivity capabilities of the file system are made available to CIFS clients. To support both Windows-style access and POSIX access, a file system should support mixed-mode, which is simultaneous support for case-sensitive and case-insensitive name operations.
The Solaris OS supports both the NFS and CIFS protocols, which have different expectations regarding case behavior. For instance, Windows clients typically expect case-insensitive behavior while local applications and NFS clients typically expect case-sensitive behavior. The ZFS file system supports three case modes: case-sensitive, case-insensitive, and mixed. The ZFS file system can indicate case conflicts when in mixed mode. Mixed mode is recommended for maximum multi-protocol compatibility.
To provide full Windows access control list (ACL) support, file systems should be able to store SIDs and they should at least support NFSv4 ACLs.
For information about the supported features of the UFS and ZFS file
systems, see the ufs(7FS) man page and the Solaris ZFS Administration Guide, respectively.
For information about how to access CIFS shares from your client, refer
to the client documentation.
Solaris CIFS Client
The SMB protocol is the natural file-sharing protocol used by Windows and
Mac OS systems. Samba implements the SMB protocol for UNIX and Linux
systems. The Solaris CIFS client is a Solaris virtual file system that
provides access to files and directories from the CIFS service.
By using the Solaris CIFS client, a user can mount remote CIFS
shares (directories) on his Solaris system to get read-write access to previously
inaccessible files. The Solaris CIFS client does not include the ability to
print by means of CIFS or the ability to access CIFS resources
other than files and directories. The Solaris CIFS client enables an unprivileged
user to mount and unmount shares on directories he owns.
For more information about how to use the Solaris CIFS client to
access shares, see Chapter 4, Solaris CIFS Client Administration (Tasks), and the smbutil(1), mount_smbfs(1M), nsmbrc(4), and pam_smbfs_login(5) man
Identity Mapping Service
The Solaris OS includes an identity mapping service that enables you to
map identities between Solaris systems and Windows systems.
This identity mapping service supports the following types of mappings between Windows
security identities (SIDs) and Solaris user IDs and group IDs (UIDs and
Name-based mapping. Maps Windows and Solaris users and groups by name in the following ways:
Directory-based mapping. Uses name mapping information that is stored in user or group objects in the Active Directory (AD) and/or the native LDAP directory service to map users and groups.
Rule-based mapping. An administrator uses rules to map Windows and Solaris users and groups by name.
Ephemeral ID mapping. A UID or GID is dynamically allocated as needed for every SID that is not already mapped by name. Ephemeral ID mapping is used by default.
Local SID mapping. A non-ephemeral UID or GID is mapped to an algorithmically generated local SID.
The idmap utility can be used to create and manage the name-based
mappings and to monitor the mappings in effect.
For more information about mapping user and group identities, see Mapping User and Group Identities. For
information about how to determine your identity mapping strategy, see Creating Your Identity Mapping Strategy. For
instructions on how to use the idmap command, see Managing Directory-Based Identity Mapping for Users and Groups (Task Map), Managing Rule-Based Identity Mapping for Users and Groups (Task Map), and
the idmap(1M) man page.
Managing Solaris CIFS Configuration Properties
The Solaris CIFS service and the Solaris CIFS client use the sharectl
command to manage configuration properties. For descriptions of the Solaris CIFS service
properties, see the sharectl(1M) and smb(4) man pages. For descriptions of the
Solaris CIFS client properties, see the nsmbrc(4) man page.
The Solaris CIFS properties and their values are stored in the Service
Management Facility (SMF). For more information about SMF, see Chapter 15, Managing Services (Overview), in System Administration Guide: Basic Administration.
The sharectl command is used throughout the configuration process to set and
view properties. This command and examples of its use are described in
Chapter 3, Solaris CIFS Service Administration (Tasks). The sharectl command is also used by the Solaris CIFS client
to configure the global environment. For more information, see Chapter 4, Solaris CIFS Client Administration (Tasks).