NetApp Knowledge Base

Important considerations when setting up CIFS and name-mapping in clustered Data ONTAP

Category: clustered-data-ontap-8
Specialty: cifs
Applies to

  •   ONTAP 9

Special conditions pertaining to machine-account user mappings; please read:

 

Answer


Consideration 1: CIFS access always requires mapping of the Windows user to a UNIX user (UID)
  • During CIFS session setup the authenticated Windows user must be mapped to a valid UNIX user; the resulting UID and GIDs are what ONTAP uses when it evaluates UNIX-style permissions
  • Without a valid mapping, CIFS access is denied
  • If no explicit rule and no implicit (same-name) mapping applies, ONTAP falls back to the SVM's default UNIX user. Out of the box this is the local user "pcuser"; it can be changed with the following command

vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>

  • Every Windows user that has no explicit or implicit mapping lands on this one UNIX identity, so the default user's UNIX permissions define what otherwise unmapped Windows users can reach on UNIX security style data; review them accordingly

Consideration 2: Data ONTAP (any version) does not map groups or GIDs
  • Windows groups cannot be mapped to UNIX groups
  • Name-mapping operates on the Windows user name only
  • Windows group membership is supplied by the domain controller, either in the Kerberos ticket (PAC) or in the Netlogon response for NTLM authentication
  • UNIX group membership (GIDs) is looked up for the mapped UNIX user in the configured name services (local files, LDAP, NIS); the user's Windows group membership plays no part in it

Consideration 3: Mixed-protocol NAS access does not require mixed security style volumes
  • In a mixed security style volume, each file or directory carries the effective style of whichever protocol last changed its permissions
  • At any given time a file therefore has either UNIX mode bits or an NTFS ACL in effect, never both; the effective style flips whenever a user on the other protocol changes permissions, which leads to inconsistent and hard-to-predict access
  • In the majority of cases, mixed security style volumes are not advised
  • With correct user mapping, both CIFS access to a UNIX security style volume and NFS access (through the mapped Windows user) to an NTFS security style volume work
Consideration 4: Under certain conditions user-mapping works without any entries in the vserver name-mapping table
  • If the Windows and UNIX user names are identical, ONTAP's implicit mapping (domain name stripped, same user name looked up in the UNIX name services) makes the mapping transparent without any explicit rule
  • This is typically the case when both the Windows and the UNIX identities are stored in the same AD LDAP database (for example, RFC 2307 attributes on the AD user objects)
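To make the four considerations concrete, the following is an added example (not NetApp code and not part of this article) that models the Windows-to-UNIX resolution order ONTAP documents: explicit win-unix name-mapping rules by position, then implicit same-name mapping, then the SVM's -default-unix-user, otherwise deny. The UNIX name-service tables, the SVM settings, the user names and the single mapping rule are all constructed for the example. Three points are modelling assumptions rather than statements about ONTAP internals: rule patterns use Python `re` syntax, implicit mapping lower-cases the bare user name, and a rule that matches but names a UNIX user the name services cannot find is treated as a failed mapping (deny) rather than falling through to the default user.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed UNIX name-service view: what the SVM's local files or LDAP
# would return. "pcuser" is ONTAP's out-of-the-box default UNIX user.
PASSWD: Dict[str, int] = {
    "pcuser": 65534,
    "jsmith": 1001,
    "svc_backup": 1002,
}
GROUPS: Dict[str, Tuple[int, Set[str]]] = {   # group name -> (gid, members)
    "pcusers": (65534, {"pcuser"}),
    "eng": (2000, {"jsmith"}),
    "backup": (2001, {"svc_backup", "jsmith"}),
}


@dataclass
class NameMappingRule:
    """One win-unix entry of 'vserver name-mapping' (pattern syntax is Python re here)."""
    position: int
    pattern: str
    replacement: str


@dataclass
class Svm:
    """The SVM settings that matter: -default-unix-user and the win-unix rule table."""
    default_unix_user: Optional[str] = "pcuser"
    rules: List[NameMappingRule] = field(default_factory=list)


@dataclass(frozen=True)
class MappedIdentity:
    unix_user: str
    uid: int
    gids: FrozenSet[int]
    via: str            # which resolution step produced the mapping


def unix_groups(unix_user: str) -> FrozenSet[int]:
    """Consideration 2: GIDs come from UNIX group membership of the mapped user,
    never from the Windows group SIDs in the Kerberos PAC or Netlogon response."""
    return frozenset(gid for gid, members in GROUPS.values() if unix_user in members)


def identity(unix_user: str, via: str) -> MappedIdentity:
    return MappedIdentity(unix_user, PASSWD[unix_user], unix_groups(unix_user), via)


def map_windows_user(svm: Svm, windows_user: str) -> Optional[MappedIdentity]:
    """Resolve DOMAIN\\user to a UNIX identity; None means CIFS access is denied."""
    # 1. explicit rules, lowest position first
    for rule in sorted(svm.rules, key=lambda r: r.position):
        m = re.fullmatch(rule.pattern, windows_user, flags=re.IGNORECASE)
        if m:
            candidate = m.expand(rule.replacement)
            # Assumption of this model: a rule that matches but names a UNIX
            # user the name services cannot find is a failed mapping (deny),
            # not a fall-through to the default user.
            return identity(candidate, f"rule {rule.position}") if candidate in PASSWD else None
    # 2. implicit mapping: drop "DOMAIN\" or "@domain" and look the bare name up
    #    (lower-casing the bare name is an assumption of this model)
    bare = windows_user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()
    if bare in PASSWD:
        return identity(bare, "implicit")
    # 3. default UNIX user, if configured and present in the name services
    d = svm.default_unix_user
    if d and d in PASSWD:
        return identity(d, "default-unix-user")
    # 4. nothing applies: deny
    return None


def demo() -> Dict[str, Optional[MappedIdentity]]:
    """Constructed SVM: one rule mapping CORP\\svc-<x> to svc_<x>, default user pcuser."""
    svm = Svm(rules=[NameMappingRule(1, r"CORP\\svc-(.+)", r"svc_\1")])
    users = ["CORP\\JSmith", "CORP\\svc-backup", "CORP\\guest", "CORP\\Administrator"]
    return {u: map_windows_user(svm, u) for u in users}


if __name__ == "__main__":
    for user, ident in demo().items():
        print(f"{user:22} -> {ident}")
    # An SVM with no usable default UNIX user denies anything that is not
    # explicitly or implicitly mapped instead of collapsing it onto pcuser.
    print(map_windows_user(Svm(default_unix_user=None), "CORP\\guest"))
```

Running it shows the Consideration 1 caveat directly: CORP\guest and CORP\Administrator, neither of which has a rule or a same-name UNIX account, both resolve to pcuser (UID 65534) and therefore share one set of UNIX permissions, while CORP\JSmith resolves implicitly and picks up its GIDs from the UNIX group table alone. On a real SVM the corresponding inputs are the output of `vserver name-mapping show` and `vserver cifs options show -fields default-unix-user`.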

Additional Information

For more information on how name-mapping is executed, see the articles below:

Understanding name-mapping in a multiprotocol environment

How to create and understand vserver name-mapping rules in clustered Data ONTAP
