Configuring ID mappings in IDMU

To configure ID mappings in Microsoft Identity Management for UNIX (IDMU), follow the steps in this topic.

Typically, it is a good idea to configure all the required ID mappings before you mount a GPFS™ file system for the first time. Doing so ensures that IBM Spectrum Scale™ stores only properly remapped IDs on the disk. However, you can add or delete ID mappings at any time while a GPFS file system is mounted. IBM Spectrum Scale checks for mapping changes every 60 seconds and uses updated mappings immediately.

When you configure an IDMU mapping for an ID that is already recorded in file metadata, you must be careful to avoid corrupting IDMU mappings and disrupting access to files. An auto-generated ID that is already stored in an access control list (ACL) on disk continues to map correctly to a Windows SID. However, after the IDMU mapping is configured, that SID is mapped to a different UNIX ID. When you access a file with an ACL that contains the auto-generated ID, the access appears to IBM Spectrum Scale to be an access by a different user. Depending on the file access permissions, the ID might not be able to access files that were previously accessible.

To restore proper file access for the affected ID, configure a new mapping and then rewrite the affected ACL. Rewriting replaces the auto-generated ID with an IDMU-mapped ID. To determine whether the ACL for a particular file contains auto-generated IDs or IDMU-mapped IDs, examine file ownership and permission information from a UNIX node, for example by issuing the mmgetacl command.
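The check described above can be scripted on a UNIX node. The following is an added example, not IBM code: it parses ACL text in the traditional layout that mmgetacl prints and lists numeric IDs that have no IDMU mapping, which are the entries to review and rewrite. The sample ACL, the ID values, and the exported IDMU_UIDS and IDMU_GIDS sets are constructed, and it assumes that an ID with no name on the node is printed as a number.

```python
import re

# Constructed sample in the traditional ACL layout printed by mmgetacl.
SAMPLE_ACL = """\
#owner:jesmith
#group:15000001
user::rwxc
group::rwx-
other::--x-
mask::rwxc
user:15000007:rwxc
user:2001:r-xc
group:audit:r-x-
"""

# Hypothetical export of the UIDs and GIDs entered on the UNIX Attributes tab.
IDMU_UIDS = {2001, 2002}
IDMU_GIDS = {3001}

def unmapped_ids(acl_text, idmu_uids, idmu_gids):
    """Return (kind, id, line) for each numeric ID that has no IDMU mapping."""
    findings = []
    for line in acl_text.splitlines():
        line = line.strip()
        header = re.match(r"#(owner|group):(\S+)$", line)
        if header:
            kind = "user" if header.group(1) == "owner" else "group"
            ident = header.group(2)
        else:
            entry = re.match(r"(user|group):([^:]+):", line)
            if not entry:
                continue  # user::, group::, other::, mask:: name no explicit ID
            kind, ident = entry.group(1), entry.group(2)
        if not ident.isdigit():
            continue  # resolved to a name on this node (assumption: already mapped)
        known = idmu_uids if kind == "user" else idmu_gids
        if int(ident) not in known:
            findings.append((kind, int(ident), line))
    return findings

if __name__ == "__main__":
    for kind, ident, line in unmapped_ids(SAMPLE_ACL, IDMU_UIDS, IDMU_GIDS):
        print(f"review {kind} ID {ident}: {line}")
```

An ID reported here is only a candidate: confirm against Active Directory that it is auto-generated before you rewrite the ACL.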

  1. Click Start > Administrative Tools > Active Directory Users and Computers.
  2. To see a list of the users and groups in this domain, select the Users branch in the tree on the left under the branch for your domain.
  3. To open the Properties window for a user or group, double-click the user or group line. If IDMU is set up correctly, the window includes a UNIX Attributes tab, as shown in the following figure:
    Figure 1. Properties window
    The UNIX Attributes panel of the Properties window has five fields. From top to bottom, they are: NIS Domain, UID, Login Shell, Home Directory, and Primary group name/GID.
  4. To update information on the UNIX Attributes tab, do the following steps:
    1. In the NIS Domain drop-down list, select the name of your Active Directory domain. To remove an existing mapping, click <none>.
      Note: The field is labeled NIS Domain rather than just Domain because the IDMU subsystem was originally designed to support integration with the UNIX Network Information System (NIS). IBM Spectrum Scale does not use NIS.
    2. In the UID field, enter a user ID. For group objects, enter a GID. Entering this information creates a bidirectional mapping between a UNIX ID and the corresponding Windows SID. To ensure that all mappings are unique, IDMU does not allow you to use the same UID or GID for more than one user or group.
      Note: You can create mappings for some built-in accounts in the Builtin branch of the Active Directory Users and Computers window.
    3. You do not need to enter any information in the Primary group name/GID field. IBM Spectrum Scale does not use it.
  5. To close the Properties window, click OK.