Tuesday, 25 February 2020

Proving WIN-UNIX (Default) Name Mapping Works

In the following post, I prove WIN-UNIX Name Mapping works via a simple illustration that initially shows it not working. The ONTAP version here is 9.5.

We start off by creating a data SVM, with data LIFs, DNS, cifs server, and NFS server.


vserver create -vserver SVM1 -aggregate cluster1_01_SSD_1 -rootvolume SVM1_root -rootvolume-security-style UNIX

net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS1 -role data -address 192.168.0.11 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0c
net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS2 -role data -address 192.168.0.12 -netmask 255.255.255.0 -home-node cluster1-02 -home-port e0c

dns create -vserver SVM1 -domains demo.corp.com -name-servers 192.168.0.253

cifs server create -cifs-server SVM1 -vserver SVM1 -domain demo.corp.com
nfs server create -vserver SVM1


I have a user in my domain, DEMO\user1, and I want it to map to the UNIX user user1. Without doing anything more than the above, let's see what it maps to.


cluster1::> set d
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1

'DEMO\user1' maps to 'pcuser'


DEMO\user1 maps to pcuser, which is to be expected so far: it comes from the default-unix-user setting.


cluster1::*> cifs options show -vserver SVM1 -fields default-unix-user
vserver default-unix-user
------- -----------------
SVM1    pcuser


If I create a unix-user called user1, does it map automatically?

cluster1::*> unix-user create -vserver SVM1 -user user1 -id 1001 -primary-gid 1001
cluster1::*> secd cache clear -node cluster1-01 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd cache clear -node cluster1-02 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1

'DEMO\user1' maps to 'user1'


Yes, it does map!

Image: Proof of successful DEMO\user1 to user1 mapping

You don't need to create the default name-mapping rules explicitly (they are shown below); all we did was create a UNIX user:


vserver name-mapping create -vserver SVM1 -direction win-unix -position 1 -pattern DEMO\\(.+) -replacement \1
vserver name-mapping create -vserver SVM1 -direction unix-win -position 1 -pattern (.+) -replacement DEMO\\\1


Of course, in an enterprise environment you’re unlikely to want to have to create a UNIX user for every user you want mapped. Instead of using files, LDAP is going to be the solution. See the following NetApp KB: KB1030851: How to set up Windows to UNIX user mapping over LDAP

In this lab we were using files:

cluster1::*> ns-switch show -vserver SVM1
                               Source
Vserver         Database       Order
--------------- ------------   ---------
SVM1            hosts          files,
                               dns
SVM1            group          files
SVM1            passwd         files
SVM1            netgroup       files
SVM1            namemap        files
5 entries were displayed.


BONUS Information

You might be wondering what happens if the default-unix-user is not pcuser. Say we set it to "-". Here's what happens:


cluster1::*> cifs options modify -vserver SVM1 -default-unix-user "-"
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user3

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

Vserver: SVM1 (internal ID: 4)

Error: RPC map name request procedure failed
  [0ms] Trying to map 'DEMO\user3' to UNIX user 'user3' using implicit mapping
  [  2] Entry for user-name: user3 not found in the current source: FILES
        Entry for user-name: user3 not found in any of the available sources
  [  3] Trying to map user to the default UNIX name '-'
  [  5] Entry for user-name: - not found in the current source: FILES
        Entry for user-name: - not found in any of the available sources
**[  6] FAILURE: Name mapping for Windows user 'DEMO\user3' failed. Mapped UNIX user '-' does not exist

Error: command failed: Failed to find mapping for the user. Reason: "SecD Error: The mapped user does not exist".
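As an added example (not from the original post), here is a small Python model of the win-unix lookup order the traces above show: explicit name-mapping rules by position, then implicit mapping (strip the domain), then default-unix-user, with each candidate having to exist in the passwd source. The Svm and Rule classes and the lab data are constructed for illustration; ONTAP's real engine uses POSIX ERE, so only simple patterns like the one in this post carry over to Python's re.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One win-unix rule as created with 'vserver name-mapping create' (constructed model)."""
    position: int
    pattern: str       # the post's pattern DEMO\\(.+) works the same under Python re
    replacement: str   # backreferences in '\1' form, as in the post


@dataclass
class Svm:
    unix_users: set                  # local 'unix-user' entries (ns-switch passwd: files)
    default_unix_user: str           # cifs options -default-unix-user; "-" means no real user
    rules: list = field(default_factory=list)


def candidates(svm, win_name):
    """UNIX names to try, in order: explicit rules, implicit mapping, default user."""
    out = []
    for rule in sorted(svm.rules, key=lambda r: r.position):
        m = re.fullmatch(rule.pattern, win_name)
        if m:
            out.append((m.expand(rule.replacement), "explicit rule at position %d" % rule.position))
            break                    # first matching rule wins
    # implicit mapping: DOMAIN\user -> user (strip the domain prefix)
    out.append((win_name.rpartition("\\")[2], "implicit mapping"))
    # the default user is tried last; "-" is looked up and fails, exactly as in the trace above
    out.append((svm.default_unix_user, "default-unix-user"))
    return out


def map_win_unix(svm, win_name):
    """Return (unix_user_or_None, trace); a candidate only counts if it exists in passwd."""
    trace = []
    for name, how in candidates(svm, win_name):
        trace.append(f"Trying to map '{win_name}' to UNIX user '{name}' using {how}")
        if name in svm.unix_users:
            trace.append(f"'{win_name}' maps to '{name}'")
            return name, trace
        trace.append(f"Entry for user-name: {name} not found in any of the available sources")
    trace.append(f"FAILURE: Name mapping for Windows user '{win_name}' failed")
    return None, trace


if __name__ == "__main__":
    # Constructed lab data mirroring the post: only pcuser exists at first.
    svm1 = Svm(unix_users={"pcuser"}, default_unix_user="pcuser")
    print(map_win_unix(svm1, r"DEMO\user1")[0])   # pcuser
    svm1.unix_users.add("user1")                  # 'unix-user create -user user1'
    print(map_win_unix(svm1, r"DEMO\user1")[0])   # user1
    svm1.default_unix_user = "-"
    print(*map_win_unix(svm1, r"DEMO\user3")[1], sep="\n")  # trace ending in FAILURE
```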


Also see the following post:
