In this post I show that WIN-UNIX name mapping works, using a simple illustration that at first appears not to work. The ONTAP version here is 9.5.
We start off by creating a data SVM with data LIFs, DNS, a CIFS server, and an NFS server:

vserver create -vserver SVM1 -aggregate cluster1_01_SSD_1 -rootvolume SVM1_root -rootvolume-security-style UNIX
net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS1 -role data -address 192.168.0.11 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0c
net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS2 -role data -address 192.168.0.12 -netmask 255.255.255.0 -home-node cluster1-02 -home-port e0c
dns create -vserver SVM1 -domains demo.corp.com -name-servers 192.168.0.253
cifs server create -cifs-server SVM1 -vserver SVM1 -domain demo.corp.com
nfs server create -vserver SVM1
I have a user in my domain, DEMO\user1, and I want it to map to the UNIX user user1. Without doing any more than the above, let's see what it maps to.
cluster1::> set d
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1
'DEMO\user1' maps to 'pcuser'
DEMO\user1 maps to pcuser, which is to be expected so far: it comes from the default-unix-user setting.
cluster1::*> cifs options show -vserver SVM1 -fields default-unix-user
vserver default-unix-user
------- -----------------
SVM1    pcuser
If I create a unix-user called user1, does it map automatically?

cluster1::*> unix-user create -vserver SVM1 -user user1 -id 1001 -primary-gid 1001
cluster1::*> secd cache clear -node cluster1-01 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd cache clear -node cluster1-02 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1
'DEMO\user1' maps to 'user1'

Yes, it does map! (Note that the name-mapping cache had to be cleared on each node before the new mapping showed up.)

Image: Proof of successful DEMO\user1 to user1 mapping
You don't need to specify the default name-mapping rules (shown below); all we did was create a UNIX user:

vserver name-mapping create -vserver SVM1 -direction win-unix -position 1 -pattern DEMO\\(.+) -replacement \1
vserver name-mapping create -vserver SVM1 -direction unix-win -position 1 -pattern (.+) -replacement DEMO\\\1
Of course, in an enterprise environment you're unlikely to want to create a UNIX user for every user you want mapped. Instead of using files, LDAP is going to be the solution. See the following NetApp KB: KB1030851: How to set up Windows to UNIX user mapping over LDAP
In this lab we were using files:

cluster1::*> ns-switch show -vserver SVM1
                               Source
Vserver         Database       Order
--------------- ------------   ---------
SVM1            hosts          files, dns
SVM1            group          files
SVM1            passwd         files
SVM1            netgroup       files
SVM1            namemap        files
5 entries were displayed.
BONUS Information
You might be thinking: what happens if the default-unix-user is not pcuser? Say we set it to "-". Here's what happens:
cluster1::*> cifs options modify -vserver SVM1 -default-unix-user "-"
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user3

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

Vserver: SVM1 (internal ID: 4)

Error: RPC map name request procedure failed
  [ 0ms] Trying to map 'DEMO\user3' to UNIX user 'user3' using implicit mapping
  [  2] Entry for user-name: user3 not found in the current source: FILES
        Entry for user-name: user3 not found in any of the available sources
  [  3] Trying to map user to the default UNIX name '-'
  [  5] Entry for user-name: - not found in the current source: FILES
        Entry for user-name: - not found in any of the available sources
**[  6] FAILURE: Name mapping for Windows user 'DEMO\user3' failed. Mapped UNIX user '-' does not exist

Error: command failed: Failed to find mapping for the user. Reason: "SecD Error: The mapped user does not exist".
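As an added illustration (not ONTAP's code and not part of the original post), the following Python models the win-unix resolution order that the secd trace above makes visible: explicit name-mapping rules by position, then implicit mapping of the short name, then default-unix-user, with every candidate checked against the passwd source before it is accepted. The Svm and MappingRule classes, the constructed user set, and the choice to fall through to the next step when a rule's result does not exist are assumptions of this model, not documented ONTAP behaviour.

```python
"""Model of ONTAP win-unix name mapping as seen in the secd trace.

Constructed illustration, not ONTAP code. Order modelled:
  1. explicit 'vserver name-mapping' rules (lowest position first)
  2. implicit mapping: strip 'DOMAIN\\' and look up the short name
  3. default-unix-user
A candidate is accepted only if it exists in the passwd source; if nothing
exists, mapping fails, as it did for DEMO\\user3 with default-unix-user "-".
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MappingRule:
    """One 'vserver name-mapping create -direction win-unix' entry."""
    position: int
    pattern: str       # regex, e.g. r"DEMO\\(.+)"
    replacement: str   # template, e.g. r"\1"


@dataclass
class Svm:
    """Constructed stand-in for the SVM's passwd source and CIFS options."""
    unix_users: set                      # names the passwd source (files) knows
    default_unix_user: str = "pcuser"    # cifs options -default-unix-user
    rules: list = field(default_factory=list)


class NameMappingError(Exception):
    """Raised when no candidate UNIX user exists (the 'user3' outcome)."""


def map_win_unix(svm: Svm, win_name: str, trace: Optional[list] = None) -> str:
    """Resolve a Windows name to a UNIX user; append trace lines if a list is given."""
    log = trace if trace is not None else []

    def exists(name: str) -> bool:
        ok = name in svm.unix_users
        log.append(f"Entry for user-name: {name} "
                   + ("found" if ok else "not found") + " in the current source: FILES")
        return ok

    # 1. Explicit rules. Model assumption: the pattern must match the whole name,
    #    and a matched-but-nonexistent result falls through to the next step.
    for rule in sorted(svm.rules, key=lambda r: r.position):
        m = re.fullmatch(rule.pattern, win_name)
        if m:
            candidate = m.expand(rule.replacement)
            log.append(f"Rule at position {rule.position} maps '{win_name}' to '{candidate}'")
            if exists(candidate):
                return candidate

    # 2. Implicit mapping: DOMAIN\user -> user.
    short = win_name.split("\\", 1)[-1]
    log.append(f"Trying to map '{win_name}' to UNIX user '{short}' using implicit mapping")
    if exists(short):
        return short

    # 3. default-unix-user, which must itself exist in the passwd source.
    default = svm.default_unix_user
    log.append(f"Trying to map user to the default UNIX name '{default}'")
    if default and exists(default):
        return default

    log.append(f"FAILURE: Name mapping for Windows user '{win_name}' failed. "
               f"Mapped UNIX user '{default}' does not exist")
    raise NameMappingError(log[-1])


def demo() -> dict:
    """Replay the post's scenario: default only, then unix-user create, then '-'."""
    svm = Svm(unix_users={"root", "pcuser"})          # constructed passwd contents
    results = {}
    results["before"] = map_win_unix(svm, r"DEMO\user1")   # 'pcuser'
    svm.unix_users.add("user1")                            # unix-user create -user user1
    results["after"] = map_win_unix(svm, r"DEMO\user1")    # 'user1'
    svm.default_unix_user = "-"                            # cifs options modify ... "-"
    try:
        results["user3"] = map_win_unix(svm, r"DEMO\user3")
    except NameMappingError as err:
        results["user3"] = str(err)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the module prints the three outcomes in order: pcuser, user1, and the FAILURE line for DEMO\user3. Passing a list as `trace` returns the step-by-step log, which is the same shape as the secd output and is handy when deciding whether a failed mapping is a missing passwd entry or a missing default-unix-user.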