Wednesday, 11 June 2014

Name Mapping Comparison for NetApp Data ONTAP (Operating in 7-Mode) and Clustered Data ONTAP

1. Listing User Mappings

7-Mode:

> rdfile /etc/usermap.cfg

C-Mode:

::> vserver name-mapping show

2. Syntax of User Mappings

The syntax for user mappings differs between the two flavours of Data ONTAP. The online man pages are a good source of information.

7-Mode:

> man usermap.cfg

C-Mode:

::> man vserver name-mapping create

3. Special Mappings

There are 3 options in 7-Mode that perform user mapping; 2 of them have similar equivalents in C-Mode.

7-Mode:

> options wafl.default_nt_user (NULL is default)
> options wafl.default_unix_user (pcuser is default)
> options wafl.nt_admin_priv_map_to_root (on is default)

C-Mode:

::> vserver nfs modify -default-win-user (NULL is default)
::> vserver cifs options modify -default-unix-user (pcuser is default)


options wafl.nt_admin_priv_map_to_root in C-Mode:

There is no direct C-Mode equivalent of this 7-Mode option. Currently, in 8.2.1, if the 7-Mode CIFS server's local Administrators group contained AD domain groups with lots of users that you wanted mapped to root, then each user would need to be individually mapped to root. In practice, very few NT users should be mapped to root for security reasons, so this change is perhaps not a bad thing. There is a BURT for this: 799193.
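The sketch below is an added example, not code from the original post or from NetApp. It turns simple 7-Mode usermap.cfg lines into C-Mode `vserver name-mapping create` commands and lists every Windows name that ends up as UNIX root, so those entries can be reviewed one by one. The sample file, the SVM name `vs1` and the function names are assumptions; lines with wildcards, IP qualifiers or empty names are set aside for manual translation.

```python
import re

# Constructed sample of a 7-Mode /etc/usermap.cfg; names are made up.
SAMPLE_USERMAP = r'''
# Windows name     direction  UNIX name
"CORP\backup svc" => root
CORP\alice == alice
CORP\bob <= bob
CORP\* == *
'''

# usermap.cfg direction symbol -> C-Mode name-mapping direction(s)
DIRECTIONS = {"=>": ["win-unix"], "<=": ["unix-win"], "==": ["win-unix", "unix-win"]}

def esc(name):
    # The pattern is a regular expression and the replacement accepts \1
    # back-references, so a literal backslash is doubled in both.
    return name.replace("\\", "\\\\")

def convert(usermap_text, vserver="vs1"):  # "vs1" is a placeholder SVM name
    """Return (commands, root_mapped, manual_review) for simple usermap.cfg lines."""
    commands, root_mapped, manual = [], [], []
    position = {"win-unix": 0, "unix-win": 0}
    for raw in usermap_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tokens) == 2:              # direction omitted: bidirectional
            tokens.insert(1, "==")
        # Wildcards, IP qualifiers and empty names need a human to translate.
        if (len(tokens) != 3 or tokens[1] not in DIRECTIONS
                or "*" in line or ":" in line or not all(tokens)):
            manual.append(line)
            continue
        win, arrow, unix = tokens
        if unix == "root" and "win-unix" in DIRECTIONS[arrow]:
            root_mapped.append(win)       # Windows identity that becomes UNIX root
        for direction in DIRECTIONS[arrow]:
            position[direction] += 1      # keep the first-match order of the file
            src, dst = (win, unix) if direction == "win-unix" else (unix, win)
            commands.append(
                f"vserver name-mapping create -vserver {vserver} "
                f"-direction {direction} -position {position[direction]} "
                f'-pattern "{esc(src)}" -replacement "{esc(dst)}"')
    return commands, root_mapped, manual

if __name__ == "__main__":
    cmds, roots, manual = convert(SAMPLE_USERMAP)
    print("\n".join(cmds))
    print("Maps to root (review):", roots)
    print("Translate by hand:", manual)
```

A bidirectional `==` line becomes two C-Mode entries, one per direction, and positions are counted separately for each direction.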

4. Unix Users Specified By Exports

Depending on the NFS user accessing an export, the “effective” UNIX user can be controlled by the export rule. The online man pages are a good source of information.

7-Mode:

> man exports

C-Mode:

::> man vserver export-policy create
::> man vserver export-policy rule create

5. Unix Users

7-Mode:

> rdfile /etc/passwd

C-Mode:

::> vserver services unix-user show

6. Unix Groups

7-Mode:

> rdfile /etc/group

C-Mode:

::> vserver services unix-group show

7. Local CIFS Users

7-Mode:

> useradmin user list
> useradmin domainuser list

C-Mode:

::> vserver cifs users-and-groups local-user show

8. Local CIFS Groups

7-Mode:

> useradmin group list

or

> rdfile /etc/lclgroups.cfg

C-Mode:

::> vserver cifs users-and-groups local-group show

9. Finding Members of the Local Administrators Group

7-Mode:

Either use a Windows client and the compmgmt.msc MMC (Microsoft Management Console), or use the following PowerShell 2.0 from https://communities.netapp.com/thread/23523:

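# Bind to the local Administrators group on the 7-Mode CIFS server (replace the server name)
$group = [ADSI]"WinNT://7-MODE-CIFS-SERVER/Administrators"
# Enumerate the group's member objects
$members = @($group.psbase.Invoke("Members"))
# Print the Name property of each member
$members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}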

C-Mode:

::> vserver cifs users-and-groups local-group show-members

Additional Note: Finding members of an Active Directory Group

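Use the PowerShell from this TechNet forum post:

# Prompt for the group name, then search Active Directory for a group with that name
$group = Read-Host "Enter group name to find"
$as = [adsisearcher]"(&(objectCategory=group)(name=$group))"
$found = $as.findall()
# Display the matching search results
$found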

Or:


10. Troubleshooting Name-Mapping

7-Mode:

> wcc -u UNIX_NAME
> wcc -s NT_NAME

C-Mode:

::> set d
::*> diag secd authentication ?
login-cifs                  *To authenticate a CIFS user
ontap-admin-login-cifs      *To authenticate Ontap Admin CIFS user
show-creds                  *Show user's creds based on a Unix UID or CIFS SID
show-ontap-admin-unix-creds *Show Ontap Admin's Unix Credentials based on User Name or User Id
sid-to-uid                  *Translates a Windows SID to a Unix ID
sid-to-unix-name            *Translates a Windows SID to a Unix Name
translate                   *Translates between various names and their identifiers
uid-to-sid                  *Translates a Unix ID to a Windows SID

11. Infinite Volumes

C-Mode only:

The following commands only apply to SVMs that contain Infinite Volumes (not those that contain FlexVols):

::> vserver cifs options modify -default-unix-group (NULL is the default - setting does not apply to SVMs with FlexVols)
::> vserver group-mapping create
