I’ve borrowed the examples from this article here
(also see Appendix A), to see how 7MTT 3.2 converts name mappings from the 7-Mode
usermap.cfg to (Clustered) ONTAP vserver name-mapping. In my lab I’m going from
7-Mode 8.2.3 to ONTAP 9.1.
Testing
For more information on the testing method, see Appendix C.

7-Mode: "Bob Garj" == bobg
ONTAP 9.1::> vserver name-mapping show -instance
Vserver: SVM1
Direction: win-unix
Position: 1
Pattern: Bob Garj
Replacement: bobg
IP Address with Subnet Mask: -
Hostname: -

Vserver: SVM1
Direction: unix-win
Position: 1
Pattern: bobg
Replacement: Bob Garj
IP Address with Subnet Mask: -
Hostname: -

7-Mode: mktg\Roy => nobody
ONTAP 9.1::> vserver name-mapping show -instance
Vserver: SVM1
Direction: win-unix
Position: 1
Pattern: mktg\\Roy
Replacement: nobody
IP Address with Subnet Mask: -
Hostname: -

7-Mode: engr\Tom => ""
7MTT Warning 20273: Failed to create the following CIFS name-mapping entries...
Error code 13115: Invalid value specified for "replacement" element within "name-mapping-create": "".

7-Mode: uguest <= *
ONTAP 9.1::> vserver name-mapping show -instance
Vserver: SVM1
Direction: unix-win
Position: 1
Pattern: *
Replacement: uguest
IP Address with Subnet Mask: -
Hostname: -

7-Mode: *\root => ""
7MTT 20273 Warning: Failed to create the following CIFS name-mapping entries...
Error code 13115: Invalid value specified for "replacement" element within "name-mapping-create": "".

7-Mode: corporate\* == pcuser
ONTAP 9.1::> vserver name-mapping show -instance
Vserver: SVM1
Direction: win-unix
Position: 1
Pattern: corporate\\*
Replacement: pcuser
IP Address with Subnet Mask: -
Hostname: -

Vserver: SVM1
Direction: unix-win
Position: 1
Pattern: pcuser
Replacement: corporate\\*
IP Address with Subnet Mask: -
Hostname: -

7-Mode: Engineer == *
ONTAP 9.1::> vserver name-mapping show -instance
Vserver: SVM1
Direction: win-unix
Position: 1
Pattern: Engineer
Replacement: *
IP Address with Subnet Mask: -
Hostname: -

Vserver: SVM1
Direction: unix-win
Position: 1
Pattern: *
Replacement: Engineer
IP Address with Subnet Mask: -
Hostname: -

7-Mode: homeusers\* *
7MTT didn’t translate this, nor did it error (on the ‘Apply Configuration’ stage).

7-Mode: homeusers\* == *
ONTAP 9.1::*> vserver name-mapping show -instance
Vserver: SVM1
Direction: win-unix
Position: 1
Pattern: homeusers\\*
Replacement: *
IP Address with Subnet Mask: -
Hostname: -

Vserver: SVM1
Direction: unix-win
Position: 1
Pattern: *
Replacement: homeusers\\*
IP Address with Subnet Mask: -
Hostname: -

7-Mode: Engineering\* <= sunbox2:*
7MTT 20103 Warning: The following usermap entries in the '/etc/usermap.cfg' file have IP addresses, host names, network names, or network names with subnet specified in dotted notation. 7-Mode Transition Tool does not support the transition of such usermap entries and these usermap entries must be transitioned manually. You must manually configure these entries on the target SVM by using the following commands::>
vserver name-mapping create -vserver {SVM_NAME} -direction {krb-unix|win-unix|unix-win} -position {INTEGER} -pattern {TEXT} -replacement {TEXT} -address {IP-Address/Mask}
vserver name-mapping create -vserver {SVM_NAME} -direction {krb-unix|win-unix|unix-win} -position {INTEGER} -pattern {TEXT} -replacement {TEXT} -hostname {host-name}

We stop here, since the other examples use IP/HOSTNAME qualifiers, which are not supported by 7MTT (they are supported in ONTAP 9.1; they just need to be applied manually).
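
The results above, collected into a pre-transition audit of usermap.cfg (an added example, not part of the original post and not NetApp code): it emits name-mapping commands for the entry kinds 7MTT translated and lists the ones it did not (deny entries with "", entries with no direction symbol, IP/host qualifiers), so those restrictions are not lost unnoticed at cutover. Assumptions: the sample entries, the default vserver SVM1 taken from the lab output, the position numbering, the rule that any ':' marks a qualifier, and the double-quoted values with backslashes doubled as the show output displays them.

```python
import re
SAMPLE = r'''
# constructed sample: entry kinds tested on this page
"Bob Garj" == bobg
mktg\Roy => nobody
engr\Tom => ""
uguest <= *
corporate\* == pcuser
homeusers\* *
Engineering\* <= sunbox2:*
'''

TOKEN = re.compile(r'(?:"[^"]*"|[^\s"#])+|#.*')  # quoted parts, bare words, comments
DIRECTIONS = {"==": ("win-unix", "unix-win"), "=>": ("win-unix",), "<=": ("unix-win",)}

def parse(line):
    """Return (windows_name, direction, unix_name); None for blank/comment lines."""
    toks = [t for t in TOKEN.findall(line) if not t.startswith("#")]
    if not toks:
        return None
    if len(toks) == 2:                  # direction symbol omitted
        toks.insert(1, None)
    win, direction, unix = toks         # ValueError on any other token count
    return win.replace('"', ""), direction, unix.replace('"', "")

def audit(text, vserver="SVM1"):
    """Return (commands, manual): mappings to create, and entries to handle by hand."""
    commands, manual, pos = [], [], {"win-unix": 0, "unix-win": 0}
    esc = lambda s: s.replace("\\", "\\\\")   # backslash doubled, as in the show output
    for line in text.splitlines():
        if (entry := parse(line)) is None:
            continue
        win, direction, unix = entry
        if direction is None:
            manual.append((line.strip(), "no direction symbol: not translated, no error"))
        elif ":" in win or ":" in unix:       # assumption: any ':' is an IP/host qualifier
            manual.append((line.strip(), "IP/host qualifier: warning 20103"))
        elif not win or not unix:
            manual.append((line.strip(), "empty name (deny entry): error 13115"))
        else:
            for d in DIRECTIONS[direction]:
                src, dst = (win, unix) if d == "win-unix" else (unix, win)
                pos[d] += 1                   # positions are this script's own numbering
                commands.append(f'vserver name-mapping create -vserver {vserver} -direction {d} '
                                f'-position {pos[d]} -pattern "{esc(src)}" -replacement "{esc(dst)}"')
    return commands, manual

if __name__ == "__main__":
    print(*[item for group in audit(SAMPLE) for item in group], sep="\n")
```

The second list is the one to review before cutover: each entry in it is absent from the SVM after 'Apply Configuration' and has to be recreated by hand.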
Appendix A: Examples of usermap.cfg entries
From: https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-83730CE4-A3FC-46B5-918D-2790D205A22B.html
The following gives meanings for some simple /etc/usermap.cfg entries:

Entry: "Bob Garj" == bobg
Win -> UNIX: The Windows name Bob Garj maps to the UNIX name bobg.
UNIX -> Win: The UNIX name bobg maps to the Windows name Bob Garj.

Entry: mktg\Roy => nobody
Win -> UNIX: The Windows name Roy in the mktg domain maps to the UNIX name nobody.

Entry: engr\Tom => ""
Win -> UNIX: Disallow login by the user named Tom in the engr domain.

The following provides some examples with asterisks in the Windows names:

Entry: uguest <= *
UNIX -> Win: All UNIX names not yet matched map to Windows user uguest.

Entry: *\root => ""
Win -> UNIX: Disallow logins using the Windows name root from all domains.

Entry: corporate\* == pcuser
Win -> UNIX: Any user in the corporate domain maps to the UNIX name pcuser.
UNIX -> Win: No mapping is done for the UNIX name pcuser because an asterisk is used in the Windows user name.

Entry: Engineer == *
Win -> UNIX: No mapping is done for the Windows name Engineer because an asterisk is used in the UNIX user name.
UNIX -> Win: Any UNIX name maps to the Windows name Engineer in the storage system’s domain.

Entry: homeusers\* *
Entry: homeusers\* == *
Win -> UNIX: All Windows users from the homeusers domain map to their corresponding UNIX names. For example, a Windows user named john in the homeusers domain maps to the UNIX name john.
UNIX -> Win: All UNIX users map to the corresponding names in the homeusers domain. For example, a UNIX user named bob maps to homeusers\bob.

The following provides some examples with IP qualifiers.

Entry: Engineering\* <= sunbox2:*
UNIX -> Win: UNIX names from the host named sunbox2 map to the same names in the Engineering domain.

Entry: Engineering\* <= 192.9.200.70:*
UNIX -> Win: UNIX names from the IP address 192.9.200.70 map to the same names in the Engineering domain.

Entry: "" <= 192.9.200.0/24:*
UNIX -> Win: All NFS requests from the 192.9.200.0 subnet are denied because UNIX names from this subnet map to a null string.

Entry: 192.9.200.0/24:test-dom\* => ""
Win -> UNIX: All users in the test-dom domain are denied access from the 192.9.200.0 subnet.
Appendix B: Original Contents of Usermap.cfg File
# These are some sample "defensive" entries you may wish to use.
# They can be uncommented and placed as needed. See the System
# Administrator's Guide for a full description of this file.
#
# *\root => nobody              # Map all NT users named "root" to have no
#                               # UNIX perms. They can still log in though.
#
# guest <= administrator        # Map UNIX user "administrator" to NT guest.
# guest <= root                 # Map UNIX root user to guest. This should be
#                               # placed after any real "root" mappings.
#
# The next two mappings can be used to defeat the default mapping of
# the user names. That way only entries that are mapped previously in
# this file will be allowed.
#
# *\* => ""                     # Map all other NT requests to fail.
# "" <= *                       # Map all other UNIX requests to fail.
#
# The pound sign "#" is used as a comment character in map entries. The
# next three mappings show how to handle an NT user name which includes
# a pound sign. The name must be quoted. If the user account contains
# both domain and name, the username must be quoted separately.
#
# "#jdoe" => joed               # Map NT user #jdoe to UNIX user joed.
# NTDOM\"#jdoe" <= joed         # Map UNIX user joed to NT user NTDOM\#jdoe.
# "nt-domain\#jdoe" <= joed     # BAD, won't work.
Appendix C: Testing Method
The testing method consisted of the following 7-Mode commands>
rdfile /etc/usermap.cfg
wrfile /etc/usermap.cfg
{Enter Name Map}
Ctrl+C

Then clicking ‘Apply Configuration’ in 7MTT. And in ONTAP::>
vserver name-mapping show -instance
vserver name-mapping delete *

And repeat!