Configuring ID mappings in IDMU

To configure ID mappings in Microsoft Identity Management for UNIX (IDMU), do the following steps. This procedure applies to Windows Server 2012 R2 and preceding versions.

These steps apply to Windows Server versions up to and including Windows Server 2012 R2, which include IDMU. Because IDMU was removed starting with Windows Server 2016, see the instructions on editing RFC 2307 attributes in Configuring ID mappings in Active Directory Users and Computers for Windows Server 2016 and subsequent versions.

Typically it is a good idea to configure all the required ID mappings before you mount a GPFS file system for the first time. This configuration of ID mappings ensures that IBM Storage Scale stores only properly remapped IDs on the disk. However, you can add or delete ID mappings at any time while a GPFS file system is mounted. IBM Storage Scale checks the mapping changes every 60 seconds and uses updated mappings immediately.

When you configure an IDMU mapping for an ID that is already recorded in file metadata, you must be careful to avoid corrupting IDMU mappings and disrupting access to files. An auto-generated mapping that is already stored in an access control list (ACL) on disk continues to map correctly to a Windows SID. However, the SID is now mapped to a different UNIX ID. When you access a file with an ACL that contains the auto-generated ID, the access appears to IBM Storage Scale to be access by a different user. Depending on the file access permissions, the ID might not be able to access files that were previously accessible.

To restore proper file access for the affected ID, configure a new mapping and then rewrite the affected ACL. Rewriting replaces the auto-generated ID with an IDMU-mapped ID. To determine whether the ACL for a particular file contains auto-generated IDs or IDMU-mapped IDs, examine file ownership and permission information from a UNIX node, for example by issuing the mmgetacl command.

  1. Click Start > Administrative Tools > Active Directory Users and Computers.
  2. To see a list of the users and groups in this domain, select the Users branch in the tree on the left under the branch for your domain.
  3. To open the Properties window for a user or group, double-click the user or group line.
    If IDMU is set up correctly, the window includes a UNIX Attributes tab, as shown in the following figure:
    Figure 1. Properties window, UNIX Attributes tab. From top to bottom, the five fields on this tab are: NIS Domain, UID, Login Shell, Home Directory, and Primary group name/GID. The list in step 4 describes how to update them.
  4. To update information on the UNIX Attributes tab, do the following steps:
    1. In the NIS Domain drop-down list, select the name of your Active Directory domain. To remove an existing mapping, click <none>.
      Note: The field is labeled NIS Domain rather than just Domain because the IDMU subsystem was originally designed to support integration with the UNIX Network Information System (NIS). IBM Storage Scale does not use NIS.
    2. In the UID field, enter a user ID. For group objects, enter a GID.
      Entering this information creates a bidirectional mapping between a UNIX ID and the corresponding Windows SID. To ensure that all mappings are unique, IDMU does not allow the same UID or GID for more than one user or group.
      Note: You can create mappings for some built-in accounts in the Builtin branch of the Active Directory Users and Computers window.
    3. Do not enter any information in the Primary group name/GID field. IBM Storage Scale does not use it.
  5. To close the Properties window, click OK.
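As an added example that is not part of the IBM documentation: a PowerShell equivalent of steps 4.1 and 4.2 that writes the RFC 2307 attributes behind the UNIX Attributes tab directly (the route the text points to for Windows Server 2016 and later), enforces the same uniqueness rule before writing, and audits the domain for any UID or GID that more than one object holds. It assumes the ActiveDirectory module is available, that the UID lives in uidNumber and the GID in gidNumber, and uses the constructed account names jsmith and unixadmins.

```powershell
# Added example, not taken from the IBM documentation. Assumes the ActiveDirectory
# module and that the mapping lives in the RFC 2307 attributes uidNumber (users)
# and gidNumber (groups), the attributes behind the IDMU UNIX Attributes tab.
Import-Module ActiveDirectory

function Set-UnixIdMapping {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('User', 'Group')] [string] $Kind,
        [Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $Id
    )
    if ($Kind -eq 'User') {
        $attr = 'uidNumber'; $target = Get-ADUser -Identity $SamAccountName
    } else {
        $attr = 'gidNumber'; $target = Get-ADGroup -Identity $SamAccountName
    }

    # Enforce the uniqueness rule before writing: the same UID or GID held by a
    # second object would make two principals indistinguishable in GPFS ACLs.
    $holders = Get-ADObject -LDAPFilter "($attr=$Id)" -Properties $attr |
               Where-Object { $_.DistinguishedName -ne $target.DistinguishedName }
    if ($holders) {
        throw "$attr=$Id is already assigned to: $($holders.DistinguishedName -join '; ')"
    }
    # -Replace sets the attribute whether or not it already had a value.
    Set-ADObject -Identity $target.DistinguishedName -Replace @{ $attr = $Id }
}

function Find-DuplicateUnixIds {
    # Audit helper: list every UID or GID currently held by more than one object,
    # a state the IDMU tab refuses but a direct attribute edit can create.
    foreach ($attr in 'uidNumber', 'gidNumber') {
        Get-ADObject -LDAPFilter "($attr=*)" -Properties $attr |
            Group-Object -Property $attr |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Attribute = $attr
                    Value     = $_.Name
                    Objects   = ($_.Group.DistinguishedName -join '; ')
                }
            }
    }
}

# Usage with constructed names: map user jsmith to UID 5001 and group unixadmins
# to GID 6001, then confirm that no duplicate IDs exist in the domain.
Set-UnixIdMapping -SamAccountName 'jsmith'     -Kind User  -Id 5001
Set-UnixIdMapping -SamAccountName 'unixadmins' -Kind Group -Id 6001
Find-DuplicateUnixIds
```

Run Find-DuplicateUnixIds before mounting the GPFS file system for the first time, since a duplicate found afterwards means ACLs on disk may already carry the ambiguous ID.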