Sunday, 9 April 2017

Examples of 7MTT 3.2 Translating 7-Mode Name Mappings to ONTAP

I’ve borrowed the examples from this article (also see Appendix A) to see how 7MTT 3.2 converts name mappings from the 7-Mode usermap.cfg into (Clustered) ONTAP vserver name-mapping entries. In my lab I’m going from 7-Mode 8.2.3 to ONTAP 9.1.

Testing
For more information on the testing method, see Appendix C.

7-Mode: "Bob Garj" == bobg
ONTAP 9.1::> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: win-unix
                   Position: 1
                    Pattern: Bob Garj
                Replacement: bobg
IP Address with Subnet Mask: -
                   Hostname: -

                    Vserver: SVM1
                  Direction: unix-win
                   Position: 1
                    Pattern: bobg
                Replacement: Bob Garj
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: mktg\Roy => nobody
ONTAP 9.1::> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: win-unix
                   Position: 1
                    Pattern: mktg\\Roy
                Replacement: nobody
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: engr\Tom => ""
7MTT Warning 20273: Failed to create the following CIFS name-mapping entries...
Error code 13115: Invalid value specified for "replacement" element within "name-mapping-create": "".

7-Mode: uguest <= *
ONTAP 9.1::> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: unix-win
                   Position: 1
                    Pattern: *
                Replacement: uguest
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: *\root => ""
7MTT 20273 Warning: Failed to create the following CIFS name-mapping entries...
Error code 13115: Invalid value specified for "replacement" element within "name-mapping-create": "".

7-Mode: corporate\* == pcuser
ONTAP 9.1::> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: win-unix
                   Position: 1
                    Pattern: corporate\\*
                Replacement: pcuser
IP Address with Subnet Mask: -
                   Hostname: -

                    Vserver: SVM1
                  Direction: unix-win
                   Position: 1
                    Pattern: pcuser
                Replacement: corporate\\*
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: Engineer == *
ONTAP 9.1::> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: win-unix
                   Position: 1
                    Pattern: Engineer
                Replacement: *
IP Address with Subnet Mask: -
                   Hostname: -

                    Vserver: SVM1
                  Direction: unix-win
                   Position: 1
                    Pattern: *
                Replacement: Engineer
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: homeusers\* *
7MTT didn’t translate this, nor did it error (on the ‘Apply Configuration’ stage).

7-Mode: homeusers\* == *
ONTAP 9.1::*> vserver name-mapping show -instance

                    Vserver: SVM1
                  Direction: win-unix
                   Position: 1
                    Pattern: homeusers\\*
                Replacement: *
IP Address with Subnet Mask: -
                   Hostname: -

                    Vserver: SVM1
                  Direction: unix-win
                   Position: 1
                    Pattern: *
                Replacement: homeusers\\*
IP Address with Subnet Mask: -
                   Hostname: -

7-Mode: Engineering\* <= sunbox2:*
7MTT 20103 Warning: The following usermap entries in the '/etc/usermap.cfg' file have IP addresses, host names, network names, or network names with subnet specified in dotted notation. 7-Mode Transition Tool does not support the transition of such usermap entries and these usermap entries must be transitioned manually. You must manually configure these entries on the target SVM by using the following commands::>
vserver name-mapping create -vserver {SVM_NAME} -direction {krb-unix|win-unix|unix-win} -position {INTEGER} -pattern {TEXT} -replacement {TEXT} -address {IP-Address/Mask}
vserver name-mapping create -vserver {SVM_NAME} -direction {krb-unix|win-unix|unix-win} -position {INTEGER} -pattern {TEXT} -replacement {TEXT} -hostname {host-name}

We stop here, since the remaining examples use IP/hostname qualifiers, which 7MTT does not support (ONTAP 9.1 supports them; they just need to be applied manually).
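
The results above suggest auditing usermap.cfg before a transition for entries that 7MTT 3.2 did not carry over as written. The following Python script is an added example, not part of the original post or of 7MTT; the function names and the sample file are assumptions, and the checks encode only the behaviour observed in the tests on this page.

```python
# Added example; the checks encode what this page observed with 7MTT 3.2, not NetApp's logic.
OPS = ("==", "=>", "<=")

def unquoted(s):  # yield (index, char) for characters outside double quotes
    quoted = False
    for i, ch in enumerate(s):
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            yield i, ch

def split_entry(line):
    """Return (windows_side, operator_or_None, unix_side) for one usermap.cfg line."""
    cut = next((i for i, ch in unquoted(line) if ch == "#"), len(line))
    body = line[:cut].strip()  # an unquoted '#' starts a comment; "#jdoe" is a name
    for i, _ in unquoted(body):
        if body[i:i + 2] in OPS:
            return body[:i].strip(), body[i:i + 2], body[i + 2:].strip()
    parts = body.rsplit(None, 1)  # no operator: treat the last token as the UNIX name
    return (parts[0], None, parts[1]) if len(parts) == 2 else (body, None, "")

def audit(text):
    """Return [(line_no, raw_entry, [issue codes])] for entries to review by hand."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        win, op, unix = split_entry(raw)
        if not win and op is None:
            continue  # blank or comment-only line
        checks = {
            "no-operator": op is None,               # not translated, no warning raised
            "qualifier": ":" in win or ":" in unix,  # warning 20103: create manually
            "null-deny": '""' in (win, unix),        # warning 20273 / error 13115
            # 7MTT created both directions; Appendix A says 7-Mode maps only one
            "one-sided-wildcard": op == "==" and ("*" in win) != ("*" in unix),
        }
        issues = [name for name, hit in checks.items() if hit]
        if issues:
            findings.append((no, raw.strip(), issues))
    return findings

# Constructed sample, built from entries tested on this page.
SAMPLE = r'''engr\Tom => ""     # deny Tom
corporate\* == pcuser
homeusers\* *
homeusers\* == *
Engineering\* <= sunbox2:*
"#jdoe" => joed'''

print(*audit(SAMPLE), sep="\n")
```

Entries flagged null-deny matter most: the deny rule does not exist on the SVM after 'Apply Configuration', so check how those users map there before cutover.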

Appendix A: Examples of usermap.cfg entries

The following gives meanings for some simple /etc/usermap.cfg entries:

Entry: "Bob Garj" == bobg
Win -> UNIX: The Windows name Bob Garj maps to the UNIX name bobg.
UNIX -> Win: The UNIX name bobg maps to the Windows name Bob Garj.

Entry: mktg\Roy => nobody
Win -> UNIX: The Windows name Roy in the mktg domain maps to the UNIX name nobody.

Entry: engr\Tom => ""
Win -> UNIX: Disallow login by the user named Tom in the engr domain.


The following provides some examples with asterisks in the Windows names:

Entry: uguest <= *
UNIX -> Win: All UNIX names not yet matched map to Windows user uguest.

Entry: *\root => ""
Win -> UNIX: Disallow logins using the Windows name root from all domains.

Entry: corporate\* == pcuser
Win -> UNIX: Any user in the corporate domain maps to the UNIX name pcuser.
UNIX -> Win: No mapping is done for the UNIX name pcuser because an asterisk is used in the Windows user name.

Entry: Engineer == *
Win -> UNIX: No mapping is done for the Windows name Engineer because an asterisk is used in the UNIX user name.
UNIX -> Win: Any UNIX name maps to the Windows name Engineer in the storage system’s domain.

Entry: homeusers\* *
Entry: homeusers\* == *
Win -> UNIX: All Windows users from the homeusers domain map to their corresponding UNIX names. For example, a Windows user named john in the homeusers domain maps to the UNIX name john.
UNIX -> Win: All UNIX users map to the corresponding names in the homeusers domain. For example, a UNIX user named bob maps to homeusers\bob.


The following provides some examples with IP qualifiers.
Entry: Engineering\* <= sunbox2:*
UNIX -> Win: UNIX names from the host named sunbox2 map to the same names in the Engineering domain.

Entry: Engineering\* <= 192.9.200.70:*
UNIX -> Win: UNIX names from the IP address 192.9.200.70 map to the same names in the Engineering domain.

Entry: ""<= 192.9.200.0/24:*
UNIX -> Win: All NFS requests from the 192.9.200.0 subnet are denied because UNIX names from this subnet map to a null string.

Entry: 192.9.200.0/24:test-dom\* => ""
Win -> UNIX: All users in the test-dom domain are denied access from the 192.9.200.0 subnet.


Appendix B: Original Contents of Usermap.cfg File

# These are some sample "defensive" entries you may wish to use.
# They can be uncommented and placed as needed. See the System
# Administrator's Guide for a full description of this file.
#
# *\root => nobody        # Map all NT users named "root" to have no
#                         # UNIX perms. They can still log in though.
#
# guest <= administrator  # Map UNIX user "administrator" to NT guest.
# guest <= root           # Map UNIX root user to guest. This should be
#                         # placed after any real "root" mappings.
#
# The next two mappings can be used to defeat the default mapping of
# the user names. That way only entries that are mapped previously in
# this file will be allowed.
#
# *\* => ""               # Map all other NT requests to fail.
# "" <= *                 # Map all other UNIX requests to fail.
#
# The pound sign "#" is used as a comment character in map entries. The
# next three mappings show how to handle an NT user name which includes
# a pound sign. The name must be quoted. If the user account contains
# both domain and name, the username must be quoted separately.
#
# "#jdoe" => joed             # Map NT user #jdoe to UNIX user joed.
# NTDOM\"#jdoe" <= joed       # Map UNIX user joed to NT user NTDOM\#jdoe.
# "nt-domain\#jdoe" <= joed   # BAD, won't work.


Appendix C: Testing Method
The testing method consisted of the following 7-Mode commands>
rdfile /etc/usermap.cfg
wrfile /etc/usermap.cfg
{Enter Name Map}
Ctrl+C


Then clicking ‘Apply Configuration’ in 7MTT. And in ONTAP::>
vserver name-mapping show -instance
vserver name-mapping delete *


And repeat!
