cifs.idmap
Map CIFS user and group IDs
SYNOPSIS
cifs.idmap set [options] <domain> <user> [<uid>]
cifs.idmap dump [options]
PARAMETERS
-h, --help
Show help message and exit
-V, --version
Show program's version number and exit
-f, --force (set only)
Force overwrite of existing mappings
-r REALM, --realm=REALM (set only)
Specify realm name if different from domain
-k, --keys (dump only)
Dump key serial numbers as well
-u UID, --uid=UID (dump only)
Dump mappings for specified UID only
DESCRIPTION
The cifs.idmap command is a userspace helper for the Linux CIFS/SMB kernel client, managing user and group ID mappings via the kernel keyring. It enables dynamic resolution of Windows SIDs (Security Identifiers) to local Unix UIDs/GIDs, essential for correct file permissions on SMB shares.
When a CIFS filesystem is mounted with sec=krb5i or similar, the kernel requests idmap lookups. cifs.idmap populates the session keyring with mappings, avoiding reliance on external daemons like Winbind. It supports two main operations: set, which manually adds a mapping (domain\user to UID), and dump, which displays the current keyring contents.
This utility is part of the cifs-utils package and runs setuid root for keyring access. It improves performance and security by keeping mappings in-kernel, supporting Active Directory environments without full Samba integration.
CAVEATS
Requires setuid root privileges. Mappings are session-specific and are lost on reboot or when the keyring is cleared. Not for production use without proper AD integration.
EXAMPLES
cifs.idmap set -r MYREALM MYDOM\\myuser 1000 (set mapping)
cifs.idmap dump -u 1000 (dump UID 1000 mappings)
FILES
Typically /sbin/cifs.idmap or /usr/libexec/cifs-utils/cifs.idmap (setuid root)
HISTORY
Introduced in cifs-utils 6.4 (2013) with Linux kernel 3.11 support for keyring-based idmapping, replacing slower userspace lookups.
SEE ALSO
mount.cifs(8), cifs.upcall(8), keyctl(1)


