Skip to main content
NetApp Knowledge Base

What are the important considerations when setting up CIFS and name-mapping in clustered Data ONTAP

Last Updated:

Applies to

  •   ONTAP 9

Special Conditions pertaining to machine account user mappings, please read:



Important considerations when setting up CIFS and name-mapping in ONTAP.

Consideration 1: CIFS access always requires mapping of CIFS users to a UNIX UID
  • A Windows user needs to be mapped to a valid unix user during the setup of the CIFS session
  • Without valid mapping CIFS access will be denied
  • Default unix user is the local user "pcuser", this can be changed with the following command
    • vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>
Consideration 2: Data ONTAP (any version) does not map groups or GIDs
  • It is not possible to map windows groups to unix groups
  • Mapping happens on the windows user name
  • Windows groups are received from the DC either in the Kerberos ticket or in the Netlogon response
  • Unix groups are calculated from the configured name services or local files, based on user membership
Consideration 3: Mixed protocol NAS access does not require mixed security style volumes
  • Mixed security style retains, for every file, the last permission change
  • This means that, at any time, a file can have a UNIX style or a NTFS style but not both, this can result in inconsistent access permissions and restrictions
  • In a majority of cases, using the mixed security style volumes, is not advised
  • With the right mapping of users, both CIFS access to a UNIX security volume and mapped NFS access to an NTFS security style volume is feasible
Consideration 4: Under certain conditions User-mapping can work perfectly well without any entries in the vServer name-mapping tables
  • If both Windows and UNIX user names match then mapping will be transparent as default user mapping will be leveraged
  • This happens, for example, if both windows and unix users are stored on the same AD LDAP database

Additional Information


Scan to view the article on your device