NetApp Knowledge Base

How does name-mapping work when CIFS clients access UNIX security style resources?

Applies to

  • ONTAP 9
  • UNIX
  • CIFS

Answer

  • The domain controller authenticates the user, but ONTAP still has to build UNIX credentials for that user for each newly created CIFS session.
  • To build those credentials, ONTAP maps the Windows user to a UNIX user and then looks up that UNIX user's UID and GID(s) through the sources defined in ns-switch for the passwd and group databases:

::> vserver services name-service ns-switch show
                                                 Source
               Vserver         Database            Order
               --------------- ------------        ---------
               vs0             hosts               files,
                                                   dns
               vs1             passwd              files,
                                                   ldap, nis
               2 entries were displayed.

  • ONTAP tries the following methods, in this order, to map the Windows user to a UNIX user and look up that user's UID and GID(s) via the ns-switch sources:
  1. Explicit name-mapping: ONTAP compares the Windows user name against the explicit 'win-unix' name-mapping rules (a regular-expression pattern with a replacement), in position order; the first matching rule wins.

::> vserver name-mapping show -vserver SVM01 -direction win-unix

Example:

Vserver:   SVM01
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        test.com         -                  Pattern: EXAMPLE\\administrator
                                         Replacement: nobody
2        -                10.238.2.34/32     Pattern: EXAMPLE\\(.+)
                                         Replacement: \1

In this example, rule 1 maps EXAMPLE\administrator to 'nobody', but only for sessions from the client host test.com; rule 2 maps any other EXAMPLE\<user> to the UNIX user of the same name (the \1 back-reference is the text captured by (.+)), but only for sessions from 10.238.2.34. A rule whose Hostname or IP Address/Mask does not match the connecting client is skipped, so the same Windows user can map differently depending on where the session comes from; a '-' in those columns means the rule applies to all clients.

Note: See "How to create and understand vserver name-mapping rules" for the rule syntax.

  2. Implicit name-mapping: if no explicit rule matches, ONTAP drops the domain prefix and looks for a UNIX user with the same user name as the Windows user.

Example: Windows user 'DOMAIN\USER01' maps to UNIX user 'User01'

  3. Default UNIX user: if both methods above fail, for any reason (for example, a rule or the implicit match produced a UNIX user name, but no UID and GID(s) can be retrieved for it from the ns-switch sources), ONTAP maps the Windows user to the "Default UNIX User" defined in the CIFS server options.

::> vserver cifs options show -vserver SVM01 -fields default-unix-user

Note: The default UNIX user is 'pcuser' (UID 65534) by default. If the default UNIX user is unset, or does not exist in the ns-switch sources, the Windows user cannot be mapped and access to the UNIX security style resource is denied. Because every user who can authenticate to the CIFS server and fails steps 1 and 2 ends up with this identity, keep the default UNIX user a low-privilege account: whatever it can reach on UNIX security style data is effectively reachable by any such user.

  • Because the volume (or qtree) has UNIX security style, access is then granted or denied by evaluating the file's UNIX permissions against the UID and GID(s) of the mapped UNIX credentials, not against the Windows identity. A Windows user that maps to 'root' therefore gets root's access to the UNIX security style data, so explicit rules that produce 'root' deserve particular scrutiny.
  • To confirm how a given Windows user is mapped:

Example:

::> set -privilege advanced
::*> vserver services access-check name-mapping show -node cluster1-node01 -vserver SVM01 -direction win-unix -name EXAMPLE\Administrator

EXAMPLE\Administrator maps to root

The output is the UNIX user name the CIFS session's credentials would be built from; compare it against the explicit rules, the UNIX user database and the default UNIX user to see which step produced it.
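The mapping order above, modelled in Python as an added example (this is not ONTAP code; the rule table, the passwd and group entries, the client addresses and the file permissions are constructed for illustration, and the case-insensitive regex match is an assumption). It walks the explicit rules in position order honouring the Hostname and IP Address/Mask scope, falls back to implicit same-name mapping, then to the default UNIX user (or denial when that is unset or unresolvable), and finally applies the resulting UID and GID(s) to a file's mode bits the way a UNIX security style volume would:

```python
"""Model of ONTAP's win-unix name-mapping order for a CIFS session on a UNIX
security style volume: explicit rules -> implicit (same name) -> default UNIX
user -> deny.  Added example, not ONTAP code; all data below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One 'vserver name-mapping show' row: position, client scope, regex, replacement."""
    position: int
    pattern: str
    replacement: str
    hostname: Optional[str] = None   # Hostname column; None stands for '-'
    address: Optional[str] = None    # IP Address/Mask column; None stands for '-'


@dataclass
class UnixCred:
    name: str
    uid: int
    gids: tuple
    method: str                      # which step produced the mapping


# Constructed stand-ins for the passwd/group sources listed in ns-switch.
PASSWD = {                           # name -> (uid, primary gid)
    "root":   (0, 0),
    "nobody": (65535, 65535),
    "pcuser": (65534, 65534),        # ONTAP's default 'default-unix-user'
    "user01": (1001, 100),
    "alice":  (1002, 100),
}
GROUPS = {                           # gid -> members (secondary groups)
    100: ("user01", "alice"),
    10:  ("alice",),
}

# The two rules from the page's example, as data.
RULES = [
    Rule(1, r"EXAMPLE\\administrator", "nobody", hostname="test.com"),
    Rule(2, r"EXAMPLE\\(.+)", r"\1", address="10.238.2.34/32"),
]


def lookup_unix(name: str) -> Optional[tuple]:
    """UID and GID(s) for a UNIX user name, or None if no source knows it.
    Lower-cased lookup models the page's DOMAIN\\USER01 -> User01 example."""
    entry = PASSWD.get(name.lower())
    if entry is None:
        return None
    uid, gid = entry
    extra = tuple(g for g, members in GROUPS.items()
                  if name.lower() in members and g != gid)
    return uid, (gid,) + extra


def explicit_map(win_name, client_ip=None, client_host=None, rules=RULES):
    """Step 1: first rule, in position order, whose scope and pattern both match."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.hostname is not None and rule.hostname != client_host:
            continue                 # rule scoped to another client host
        if rule.address is not None and (client_ip is None or
                ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule.address)):
            continue                 # rule scoped to another client network
        # Assumption: matching ignores case, as Windows user names do.
        match = re.fullmatch(rule.pattern, win_name, re.IGNORECASE)
        if match:
            return match.expand(rule.replacement)   # resolves \1 back-references
    return None


def build_credentials(win_name, client_ip=None, client_host=None,
                      default_unix_user="pcuser") -> Optional[UnixCred]:
    """Walk steps 1-3; None means no credentials can be built (access denied)."""
    unix_name, method = explicit_map(win_name, client_ip, client_host), "explicit"
    if unix_name is None:
        # Step 2: strip 'DOMAIN\' and try a UNIX user of the same name.
        unix_name, method = win_name.split("\\", 1)[-1], "implicit"
    ids = lookup_unix(unix_name)
    if ids is None:
        # Step 3: the mapped name has no UID/GID -> default UNIX user, if any.
        if default_unix_user is None:
            return None
        unix_name, method = default_unix_user, "default-unix-user"
        ids = lookup_unix(unix_name)
        if ids is None:              # default user itself is unresolvable
            return None
    uid, gids = ids
    return UnixCred(unix_name.lower(), uid, gids, method)


def unix_permits(cred, owner_uid, owner_gid, mode, want):
    """Mode-bit check a UNIX security style volume applies to the mapped credential.
    'want' is a subset of 'rwx'.  Root is simplified to an unconditional pass."""
    if cred is None:
        return False
    if cred.uid == 0:
        return True
    if cred.uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in cred.gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need
```

Two points the model makes visible: EXAMPLE\alice maps through rule 2 only when the session comes from 10.238.2.34 and through implicit mapping from anywhere else, so the access-check result for a user is only meaningful for the client scope it was evaluated under; and any Windows user without a same-name UNIX account lands on 'pcuser', so the permissions 'pcuser' holds on UNIX security style data are the floor that every authenticating user inherits.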

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.