NetApp Knowledge Base

Important considerations when setting up CIFS and name-mapping in clustered Data ONTAP

Category:
clustered-data-ontap-8
Specialty:
cifs

Applies to

  •   ONTAP 9

Special Conditions pertaining to machine account user mappings, please read:

 

Answer


Consideration 1: CIFS access always requires mapping of CIFS users to a UNIX UID
  • A Windows user needs to be mapped to a valid UNIX user during the setup of the CIFS session
  • Without a valid mapping, CIFS access will be denied
  • The default UNIX user is the local user "pcuser"; this can be changed with the following command:

vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>

 
Consideration 2: Data ONTAP (any version) does not map groups or GIDs
  • It is not possible to map Windows groups to UNIX groups
  • Mapping happens on the Windows user name
  • Windows groups are received from the DC, either in the Kerberos ticket or in the Netlogon response
  • UNIX groups are calculated from the configured name services or local files, based on the mapped user's membership

Consideration 3: Mixed protocol NAS access does not require mixed security style volumes
  • Mixed security style retains, for every file, the last permission change
  • This means that, at any time, a file can have either a UNIX style or an NTFS style ACL, but not both; this can result in inconsistent access permissions and restrictions
  • In the majority of cases, using mixed security style volumes is not advised
  • With the right mapping of users, both CIFS access to a UNIX security style volume and mapped NFS access to an NTFS security style volume are feasible
Consideration 4: Under certain conditions, user mapping can work perfectly well without any entries in the Vserver name-mapping tables
  • If the Windows and UNIX user names match, the mapping is transparent because default user mapping is leveraged
  • This happens, for example, if both the Windows and UNIX users are stored in the same AD LDAP database
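The resolution order behind Considerations 1, 2 and 4, as an added Python model (this is not ONTAP code; the users, groups and the single mapping rule are constructed sample data): an explicit win-unix rule is tried first, then an implicit same-name match (Consideration 4), then the default UNIX user (Consideration 1), and the UNIX groups come only from the mapped UNIX user's own membership, never from Windows groups (Consideration 2).

```python
import re

# Constructed sample data, not taken from a real ONTAP system.
# UNIX name service: user name -> UID; group name -> set of member users.
UNIX_USERS = {"pcuser": 65534, "jdoe": 1001, "svc_backup": 1002}
UNIX_GROUPS = {"users": {"jdoe", "svc_backup"}, "backup": {"svc_backup"}}

# Explicit win-unix rules as (position, regex pattern, replacement); the
# pattern is applied to the full "DOMAIN\user" string, lowest position first.
WIN_UNIX_RULES = [
    (1, r"^CORP\\backup-admin$", "svc_backup"),
]

DEFAULT_UNIX_USER = "pcuser"   # value of -default-unix-user, None if unset


def map_windows_user(win_name, rules=WIN_UNIX_RULES, default=DEFAULT_UNIX_USER):
    """Return (unix_user, how) or (None, "denied") in the order
    explicit rule -> implicit same-name match -> default UNIX user."""
    for _pos, pattern, replacement in sorted(rules):
        if re.match(pattern, win_name, re.IGNORECASE):
            unix = re.sub(pattern, replacement, win_name, flags=re.IGNORECASE)
            if unix in UNIX_USERS:          # rule result must exist as a UID
                return unix, "explicit-rule"
    # Consideration 4: a matching name needs no name-mapping table entry.
    bare = win_name.split("\\", 1)[-1].lower()
    if bare in UNIX_USERS:
        return bare, "implicit-match"
    # Consideration 1: fall back to the default UNIX user, otherwise deny.
    if default and default in UNIX_USERS:
        return default, "default-unix-user"
    return None, "denied"


def unix_groups_for(win_name, **kw):
    """Consideration 2: groups are never mapped; they are computed from the
    mapped UNIX user's membership in the configured name service."""
    unix, how = map_windows_user(win_name, **kw)
    if unix is None:
        return how, []
    return how, sorted(g for g, members in UNIX_GROUPS.items() if unix in members)
```

Running `map_windows_user` with `default=None` shows the denial path the first consideration warns about.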

Additional Information

For more information on how name-mapping is executed, see the articles below:

Understanding name-mapping in a multiprotocol environment

How to create and understand vserver name-mapping rules in clustered Data ONTAP