Configuring ID mappings in IMU

To configure ID mappings in Microsoft Identity Management for UNIX (IMU), follow the steps in this procedure.

  1. Open Active Directory Users and Computers (accessible under Administrative Tools).
  2. Select the Users branch in the tree on the left under the branch for your domain to see the list of users and groups in this domain.
  3. Double-click on any user or group line to bring up the Properties window. If IMU is set up correctly, there will be a UNIX Attributes tab as shown in Figure 1:
Figure 1. Properties window
This graphic shows the UNIX Attributes panel of the Properties window. From top to bottom, the five fields on this panel are: NIS Domain, UID, Login Shell, Home Directory, and Primary group name/GID. To update the information on this panel, refer to the list that follows this graphic.
Note: Because the IMU subsystem was originally designed to support integration with the UNIX Network Information Service (NIS), there is an NIS Domain field in the Properties window. You do not need to have NIS set up on the UNIX side. For GPFS™, the NIS language does not matter.
Update information on the UNIX Attributes panel as follows:
  1. Under the NIS Domain drop-down list, select the name of your Active Directory domain. Selecting <none> will remove an existing mapping.
  2. Specify a UID in the UID field, and for Group objects, specify a GID. This will create a bidirectional mapping between the corresponding SID and a UNIX ID. IMU will disallow the use of the same UID or GID for more than one user or group to ensure that all mappings are unique. In addition to creating mappings for domain users and groups, you can create mappings for certain built-in accounts by going to the Builtin branch in the Active Directory Users and Computers panel.
  3. Disregard the Primary group name/GID field because GPFS does not use it.

It is generally better to configure all ID mappings before mounting a GPFS file system for the first time. Doing that ensures that GPFS only stores properly remapped IDs on disk. However, it is possible to add or delete mappings at any time while GPFS file systems are mounted. GPFS picks up mapping changes dynamically (the code currently checks for mapping changes every 60 seconds), and will start using them at that time.

If an IMU mapping is configured for an ID that is already recorded in some file metadata, you must proceed with caution to avoid user confusion and access disruption. Auto-generated mappings already stored in access control lists (ACLs) on disk will continue to map correctly to Windows SIDs. However, because the SID is now mapped to a different UNIX ID, when you access a file with an ACL containing the auto-generated ID for that SID, this access will effectively appear to GPFS as an access by a different user. Depending on the file access permissions, you might not be able to access files that were previously accessible. Rewriting affected ACLs after setting up a new mapping will help replace auto-generated IDs with IMU-mapped IDs, and will restore proper file access for the affected ID (this operation might need to be performed by the system administrator). Examining file ownership and permission information from a UNIX node (for example, using the mmgetacl command) is the easiest way to determine whether the ACL for a specified file contains auto-generated or IMU-mapped IDs.
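One way to automate the ACL check described above, as an added example that is not part of the original documentation: it parses saved mmgetacl output and lists the numeric IDs that have no IMU mapping, which are the candidates for ACL rewriting. The sample ACL text, the ID values, and the function names are constructed for illustration, and it assumes that IDs the UNIX node cannot resolve to a name appear as numbers.

```python
import re

# Constructed sample modelled on NFSv4-style mmgetacl output (not from the page).
# Numeric entries stand for IDs the UNIX node could not resolve to a name.
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:987654
#group:2001
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)EXEC/SEARCH
user:1001:r-x-:allow
user:987655:rwxc:allow
group:987700:r-x-:allow
user:alice:r-x-:allow
"""

# Hypothetical export of the UID/GID values entered on the UNIX Attributes tab.
IMU_UIDS = {1001, 1002}
IMU_GIDS = {2001}


def acl_principals(text):
    """Yield (kind, ident) for owner/group headers and named ACL entries."""
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"#(owner|group):(\S+)$", line)
        if header:
            yield ("user" if header.group(1) == "owner" else "group", header.group(2))
            continue
        entry = re.match(r"(user|group):([^:]+):", line)
        if entry:  # skips user::/group:: base entries and special:...@ entries
            yield entry.group(1), entry.group(2)


def unmapped_ids(text, imu_uids, imu_gids):
    """Return sorted (kind, id) pairs for numeric IDs with no IMU mapping."""
    flagged = set()
    for kind, ident in acl_principals(text):
        if not ident.isdigit():
            continue  # already resolved to a name on this node
        known = imu_uids if kind == "user" else imu_gids
        if int(ident) not in known:
            flagged.add((kind, int(ident)))
    return sorted(flagged)


if __name__ == "__main__":
    for kind, ident in unmapped_ids(SAMPLE_ACL, IMU_UIDS, IMU_GIDS):
        print(f"{kind} {ident}: no IMU mapping, candidate for ACL rewrite")
```

An ID flagged here is only a candidate: confirm it against the mappings in Active Directory before rewriting the ACL.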