1. Listing User Mappings
7-Mode:
> rdfile /etc/usermap.cfg
C-Mode:
::> vserver name-mapping show
2. Syntax of User Mappings
The syntax for user mappings differs between flavours of Data ONTAP. The online man pages are a source of information.
7-Mode:
> man usermap.cfg
C-Mode:
::> man vserver name-mapping create
3. Special Mappings
There are 3 options in 7-Mode that perform user mapping; 2 of them exist similarly in C-Mode.
7-Mode:
> options wafl.default_nt_user (NULL is default)
> options wafl.default_unix_user (pcuser is default)
> options wafl.nt_admin_priv_map_to_root (on is default)
C-Mode:
::> vserver nfs modify -default-win-user (NULL is default)
::> vserver cifs options modify -default-unix-user (pcuser is default)
options wafl.nt_admin_priv_map_to_root in C-Mode:
There is no direct command mapping for this option from 7-Mode to C-Mode. Currently, in 8.2.1, if the 7-Mode CIFS server's local Administrators group contained AD domain groups with lots of users that you wanted mapped to root, each user would need to be individually mapped to root. In practice, very few NT users should be mapped to root for security reasons, so this change is perhaps not a bad thing. There is a BURT for this: 799193.
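Since few NT users should map to root, it is worth checking which explicit entries in the 7-Mode /etc/usermap.cfg already do so before recreating mappings in C-Mode. The Python below is an added example, not part of the original post; it assumes the entry layout `Windows_name [direction] UNIX_name` described in `man usermap.cfg`, and the sample entries and the EXAMPLE domain are constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')   # a quoted name or a bare word
TO_UNIX = {"=>", "=="}               # directions that apply Windows -> UNIX

# Constructed sample of usermap.cfg content (not taken from the page).
SAMPLE = r'''# constructed sample entries
"EXAMPLE\Backup Admin" => root
EXAMPLE\alice == alice
EXAMPLE\* == root
EXAMPLE\svc <= root
EXAMPLE\bob root
'''

def _name(token):
    # Drop surrounding quotes, then any "IP_qualifier:" prefix on the name.
    return token.strip('"').rpartition(":")[2]

def root_mappings(usermap_text):
    """Return (line_no, windows_name, is_wildcard) for entries that map to root."""
    findings = []
    for line_no, raw in enumerate(usermap_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank line or comment
        tokens = TOKEN.findall(line)
        if len(tokens) == 2:             # direction omitted: both directions
            win, direction, unix = tokens[0], "==", tokens[1]
        elif len(tokens) == 3:
            win, direction, unix = tokens
        else:
            continue                     # layout this parser does not handle
        # "<=" entries only translate UNIX -> Windows, so they grant no root.
        if direction in TO_UNIX and _name(unix) == "root":
            name = _name(win)
            findings.append((line_no, name, "*" in name))
    return findings

if __name__ == "__main__":
    for line_no, name, wildcard in root_mappings(SAMPLE):
        scope = "WILDCARD" if wildcard else "single user"
        print(f"line {line_no}: {name} -> root ({scope})")
```

Users who reach root only through wafl.nt_admin_priv_map_to_root do not appear in usermap.cfg, so the members of the local Administrators group (section 9) need to be reviewed separately.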
4. Unix Users Specified By Exports
Depending on the NFS user accessing an export, the “effective” UNIX user can be controlled by the export rule. The online man pages are a source of information.
7-Mode:
> man exports
C-Mode:
::> man vserver export-policy create
::> man vserver export-policy rule create
5. Unix Users
7-Mode:
> rdfile /etc/passwd
C-Mode:
::> vserver services unix-user show
6. Unix Groups
7-Mode:
> rdfile /etc/group
C-Mode:
::> vserver services unix-group show
7. Local CIFS Users
7-Mode:
> useradmin user list
> useradmin domainuser list
C-Mode:
::> vserver cifs users-and-groups local-user show
8. Local CIFS Groups
7-Mode:
> useradmin group list
or
> rdfile /etc/lclgroups.cfg
C-Mode:
::> vserver cifs users-and-groups local-group show
9. Finding Members of the Local Administrators Group
7-Mode:
Either use a Windows client and the compmgmt.msc MMC (Microsoft Management Console).
Or the following PowerShell 2.0 from https://communities.netapp.com/thread/23523:
$group = [ADSI]"WinNT://7-MODE-CIFS-SERVER/Administrators"
$members = @($group.psbase.Invoke("Members"))
$members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
C-Mode:
::> vserver cifs users-and-groups local-group show-members
Additional Note: Finding members of an Active Directory Group
Use the PowerShell from this technet forum post:
$group = Read-Host "Enter group name to find"
$as = [adsisearcher]"(&(objectCategory=group)(name=$group))"
$found = $as.findall()
$found
Or:
10. Troubleshooting Name-Mapping
7-Mode:
> wcc -u UNIX_NAME
> wcc -s NT_NAME
C-Mode:
::> set d
::*> diag secd authentication ?
  login-cifs                   *To authenticate a CIFS user
  ontap-admin-login-cifs       *To authenticate Ontap Admin CIFS user
  show-creds                   *Show user's creds based on a Unix UID or CIFS SID
  show-ontap-admin-unix-creds  *Show Ontap Admin's Unix Credentials based on User Name or User Id
  sid-to-uid                   *Translates a Windows SID to a Unix ID
  sid-to-unix-name             *Translates a Windows SID to a Unix Name
  translate                    *Translates between various names and their identifiers
  uid-to-sid                   *Translates a Unix ID to a Windows SID
11. Infinite Volumes
C-Mode only:
The following commands only apply to SVMs that contain Infinite Volumes (not those that contain FlexVols):
::> vserver cifs options modify -default-unix-group (NULL is the default - setting does not apply to SVMs with FlexVols)
::> vserver group-mapping create