NetApp Knowledge Base

What are the important considerations when setting up CIFS and name-mapping in clustered Data ONTAP

Category:
clustered-data-ontap-8
Specialty:
cifs
Applies to

  •   ONTAP 9

Special conditions pertaining to machine account user mappings, please read:

 

Answer

Important considerations when setting up CIFS and name-mapping in clustered Data ONTAP.

Consideration 1: CIFS access always requires mapping of the Windows user to a UNIX user (UID)
  • During CIFS session setup the Windows user must be mapped to a valid UNIX user, regardless of the security style of the volume being accessed
  • If no mapping can be found, the session setup fails and CIFS access is denied
  • When neither an explicit name-mapping rule nor an implicit same-name match applies, the SVM's default UNIX user is used; this is the local UNIX user "pcuser" (UID 65534 by default) and can be changed with the following command

vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>

  • The user named as default UNIX user must exist in the SVM's UNIX name services (local unix-user table, LDAP or NIS); verify with "vserver services name-service unix-user show -vserver <vserver name>", because a default UNIX user that cannot be resolved is the same as no default at all

 
Consideration 2: Data ONTAP (any version) does not map groups or GIDs
  • Windows groups cannot be mapped to UNIX groups; mapping is done on the Windows user name only
  • Windows group membership is delivered by the domain controller, either in the PAC of the Kerberos ticket or in the Netlogon response for NTLM authentication
  • UNIX group membership (primary GID and secondary GIDs) is calculated from the configured name services (local files, LDAP or NIS) by looking up the mapped UNIX user; it is never derived from the Windows groups
  • Consequence: a user who is in the correct Windows group but whose mapped UNIX user is not in the corresponding UNIX group is denied on a UNIX security style volume that grants access via that group
 
Consideration 3: Mixed protocol NAS access does not require mixed security style volumes
  • In a mixed security style volume every file and directory carries the effective style of whichever protocol last changed its permissions
  • At any time a file therefore has either a UNIX style (mode bits or NFSv4 ACL) or an NTFS style (NTFS ACL), never both; the permissions last set from the other protocol are replaced, which results in inconsistent and hard-to-audit access permissions and restrictions
  • In the majority of cases, using mixed security style volumes is not advised
  • With the right mapping of users, both CIFS access to a UNIX security style volume and NFS access (with the UNIX user mapped to a Windows user) to an NTFS security style volume are feasible; choose the style that matches the protocol from which permissions are managed

Consideration 4: Under certain conditions user mapping works perfectly well without any entries in the SVM (vserver) name-mapping table
  • If no explicit rule matches, ONTAP falls back to implicit mapping: the Windows user DOMAIN\name is mapped to the UNIX user "name" if such a user exists in the configured name services (and, in the UNIX-to-Windows direction, the UNIX user "name" to DOMAIN\name in the CIFS server's domain)
  • This is typically the case when both the Windows and the UNIX identities are stored in the same Active Directory LDAP database (RFC 2307 attributes), so the user names are guaranteed to match
  • Explicit name-mapping rules are only needed where the names differ, for example for service accounts whose Windows and UNIX names follow different conventions
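To make the mapping order behind Considerations 1, 2 and 4 concrete, the following Python model is added here; it is not ONTAP code and does not talk to an SVM. It evaluates explicit win-unix rules (lowest position first, first match wins), then implicit same-name mapping, then the default UNIX user, and builds the UID and GID set purely from the UNIX name service data while ignoring whatever Windows groups the domain controller supplied. The SVM, users, groups and rules are constructed for the example. One behaviour is an assumption: a rule whose result is not a known UNIX user is treated as falling through to implicit and default mapping; verify that against your release with the name-mapping test command available at advanced or diagnostic privilege (for example "diag secd name-mapping show" on older releases) or the secd logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added illustration of the mapping order described above; this is not ONTAP
# code, and every user, UID, group and rule here is constructed for the example.

@dataclass
class Rule:
    """One win-unix rule, as created with 'vserver name-mapping create'."""
    position: int      # evaluated lowest position first, first match wins
    pattern: str       # regular expression matched against the full Windows name
    replacement: str   # replacement with \1-style backreferences

@dataclass
class UnixUser:
    uid: int
    primary_gid: int

@dataclass
class Svm:
    """What an SVM can resolve: win-unix rules, UNIX users and UNIX groups."""
    default_unix_user: Optional[str] = "pcuser"   # -default-unix-user, None = unset
    rules: List[Rule] = field(default_factory=list)
    unix_users: Dict[str, UnixUser] = field(default_factory=dict)
    # group name -> (gid, member user names) as the UNIX name service knows them
    unix_groups: Dict[str, Tuple[int, Set[str]]] = field(default_factory=dict)

def map_windows_user(svm: Svm, windows_name: str) -> Tuple[Optional[str], str]:
    """Return (unix_user_name, how) for a Windows user; None means access denied.

    Order modelled: explicit rules, then implicit same-name mapping
    (DOMAIN\\alice -> alice), then the default UNIX user (Considerations 1 and 4).
    """
    for rule in sorted(svm.rules, key=lambda r: r.position):
        match = re.fullmatch(rule.pattern, windows_name, flags=re.IGNORECASE)
        if match:
            candidate = match.expand(rule.replacement)
            if candidate in svm.unix_users:
                return candidate, f"explicit rule at position {rule.position}"
            break  # assumption: a rule yielding an unknown UNIX user falls through
    short_name = windows_name.split("\\", 1)[-1]   # strip the DOMAIN\ prefix
    if short_name in svm.unix_users:
        return short_name, "implicit same-name mapping"
    if svm.default_unix_user in svm.unix_users:
        return svm.default_unix_user, "default UNIX user"
    return None, "no mapping found: CIFS session setup denied"

def unix_credentials(svm: Svm, unix_name: str) -> Tuple[int, List[int]]:
    """UID and GIDs come only from UNIX name services (Consideration 2)."""
    user = svm.unix_users[unix_name]
    gids = {user.primary_gid}
    for gid, members in svm.unix_groups.values():
        if unix_name in members:
            gids.add(gid)
    return user.uid, sorted(gids)

def resolve_cifs_session(svm: Svm, windows_name: str, windows_groups=()) -> dict:
    """Model CIFS session setup: map the user, then build the UNIX credentials.

    windows_groups stands for the groups the DC sent (Kerberos PAC or Netlogon
    response); they are accepted only to show that they never become GIDs.
    """
    unix_name, how = map_windows_user(svm, windows_name)
    if unix_name is None:
        return {"windows_user": windows_name, "allowed": False, "reason": how}
    uid, gids = unix_credentials(svm, unix_name)
    return {"windows_user": windows_name, "allowed": True, "unix_user": unix_name,
            "uid": uid, "gids": gids, "how": how,
            "windows_groups_ignored": list(windows_groups)}

# Constructed sample SVM, as if its UNIX users came from local files or LDAP.
SAMPLE_SVM = Svm(
    default_unix_user="pcuser",
    rules=[
        # roughly: vserver name-mapping create -direction win-unix -position 1
        #          -pattern "CORP\\svc_backup" -replacement "backup"
        Rule(position=1, pattern=r"CORP\\svc_backup", replacement="backup"),
        # roughly: vserver name-mapping create -direction win-unix -position 2
        #          -pattern "CORP\\adm-(.+)" -replacement "\1"
        Rule(position=2, pattern=r"CORP\\adm-(.+)", replacement=r"\1"),
    ],
    unix_users={
        "alice": UnixUser(uid=1001, primary_gid=100),
        "backup": UnixUser(uid=2001, primary_gid=200),
        "pcuser": UnixUser(uid=65534, primary_gid=65534),
    },
    unix_groups={
        "users": (100, {"alice"}),
        "wheel": (10, {"alice"}),
        "backup": (200, {"backup"}),
        "pcuser": (65534, set()),
    },
)

if __name__ == "__main__":
    for name in ("CORP\\alice", "CORP\\svc_backup", "CORP\\adm-alice", "CORP\\bob"):
        print(resolve_cifs_session(SAMPLE_SVM, name, ["Domain Users", "Backup Operators"]))
```

Running the block shows CORP\alice mapped implicitly with GIDs 10 and 100 from the UNIX groups only, CORP\svc_backup and CORP\adm-alice mapped by the two explicit rules, and CORP\bob landing on pcuser; setting default_unix_user to None turns the last case into a denied session, which is exactly the failure mode Consideration 1 warns about.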

Additional Information

For more information on how name-mapping is executed, see the articles below:

Understanding name-mapping in a multiprotocol environment

How to create and understand vserver name-mapping rules in clustered Data ONTAP
