How does name-mapping work when CIFS clients access NTFS security style resources?
Applies to
- ONTAP 9
- NTFS
- CIFS
Answer
- Machine accounts are mapped to the default UNIX user. If no default UNIX user is specified, the mapping of machine accounts fails.
Note: In ONTAP 9.5 and later, machine accounts can be mapped to a UNIX user other than the default UNIX user.
- Although the user has already authenticated to the domain, ONTAP still has to build a credential for the user for each newly created CIFS session.
- To build that credential, ONTAP needs to map the Windows user to a UNIX user so that it can look up the mapped UID and GID(s) via the sources defined in ns-switch:
::> vserver services name-service ns-switch show -vserver SVM
- ONTAP attempts to map the Windows user to a UNIX user in the following order:
- Explicit name-mapping: ONTAP evaluates the explicit win-unix name-mapping rules in position order, comparing the Windows user name against each rule's pattern; the first rule that matches determines the UNIX user name:
::> vserver name-mapping show -vserver SVM01 -direction win-unix
- Implicit name-mapping: if no explicit rule matches, ONTAP attempts to map the Windows user implicitly to a UNIX user with the same name (the domain prefix is dropped and the comparison is not case-sensitive).
Example: Windows user 'DOMAIN\USER01' to UNIX user 'User01'
- Default UNIX User: if both methods above fail for any reason (for example, ONTAP cannot retrieve the UID and GID(s) of the mapped UNIX user from the ns-switch sources), the Windows user is mapped to the "Default UNIX User" defined in the CIFS server options:
::> vserver cifs options show -vserver SVM01 -fields default-unix-user
Note: The default UNIX user is 'pcuser' (UID 65534) unless it has been changed. Like any mapped UNIX user, the default UNIX user must itself be resolvable through the ns-switch sources; otherwise the mapping fails.
- Because the volume has NTFS security style, access is then granted or denied based on the Windows credentials (the user's SIDs evaluated against the NTFS ACLs). The mapping to a UNIX user must still succeed for the session credential to be built.
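To make the precedence above concrete, the following Python snippet is added here as an illustration; it is not ONTAP code and not part of this article. It simulates the resolution order (machine account, explicit win-unix rule, implicit same-name match, default UNIX user, failure) against constructed data: a small user table standing in for the ns-switch sources, two explicit rules, and a default UNIX user. The regex-with-backreference rule syntax, the trailing '$' used to detect machine accounts, and the case-insensitive implicit match are assumptions of the example, not a specification of ONTAP's matcher.

```python
import re

# Constructed sample data for this example (not real ONTAP output).
# Stand-in for the UNIX users ONTAP would resolve through ns-switch
# (files, LDAP, NIS): name -> (UID, [GIDs]). UNIX names are case-sensitive.
UNIX_USERS = {
    "user01": (1001, [100, 2000]),
    "eng_svc": (1500, [1500]),
    "pcuser": (65534, [65534]),   # the default UNIX user must itself resolve
}

# Constructed explicit win-unix rules in position order, i.e. what
# 'vserver name-mapping show -direction win-unix' would list.
# Assumption: the pattern is a regex and the replacement may use \1 references.
WIN_UNIX_RULES = [
    (1, r"^DOMAIN\\svc-(.+)$", r"\1_svc"),   # DOMAIN\svc-eng -> eng_svc
    (2, r"^DOMAIN\\admin$", "root"),         # 'root' is absent from UNIX_USERS
]

DEFAULT_UNIX_USER = "pcuser"   # cifs options default-unix-user


def lookup_unix(name):
    """Stand-in for an ns-switch lookup; returns (uid, gids) or None."""
    return UNIX_USERS.get(name)


def map_windows_user(win_name, rules=WIN_UNIX_RULES, default=DEFAULT_UNIX_USER):
    """Map a Windows user to a UNIX credential in the documented order.

    Returns (unix_name, uid, gids, how). Raises PermissionError when no
    credential can be built, which is the point at which the CIFS session
    setup would fail.
    """
    def use_default(reason):
        cred = lookup_unix(default) if default else None
        if cred is None:
            raise PermissionError(f"{win_name}: {reason}; no usable default UNIX user")
        return default, cred[0], cred[1], f"default ({reason})"

    # Machine accounts (assumed here: account name ending in '$') skip the
    # rules and go straight to the default UNIX user.
    if win_name.endswith("$"):
        return use_default("machine account")

    # 1. Explicit rules, evaluated in position order; the first match wins.
    for pos, pattern, repl in rules:
        m = re.match(pattern, win_name, re.IGNORECASE)
        if m:
            unix_name = m.expand(repl)
            cred = lookup_unix(unix_name)
            if cred is not None:
                return unix_name, cred[0], cred[1], f"explicit rule {pos}"
            # Rule matched but the UID/GIDs cannot be pulled: fall to default.
            return use_default(f"rule {pos} -> '{unix_name}' not resolvable")

    # 2. Implicit mapping: same name without the domain prefix, ignoring case.
    bare = win_name.split("\\", 1)[-1]
    for unix_name, (uid, gids) in UNIX_USERS.items():
        if unix_name.lower() == bare.lower():
            return unix_name, uid, gids, "implicit"

    # 3. Default UNIX user.
    return use_default("no explicit or implicit match")


def mapping_fails(win_name, **kw):
    """True when no UNIX credential can be built for win_name."""
    try:
        map_windows_user(win_name, **kw)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    for name in ["DOMAIN\\USER01", "DOMAIN\\svc-eng", "DOMAIN\\admin", "DOMAIN\\WS01$"]:
        print(name, "->", map_windows_user(name))
    print("machine account with no default fails:", mapping_fails("DOMAIN\\WS01$", default=None))
```

The 'DOMAIN\admin' case is the one worth noting: the explicit rule matches, but because 'root' is not resolvable through the simulated ns-switch sources, the user silently lands on pcuser rather than on the intended account. On a real SVM that is the situation to check first when a mapped user unexpectedly shows up with UID 65534.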