How does name-mapping work when NFS clients are accessing an NTFS security style resource?
Applies to
- ONTAP 9
- NTFS
- NFS
Answer
Name resolution
- The client sends its UID and GID(s) in the RPC header of the NFS operation.
- ONTAP attempts to resolve the UID and GID(s) to their respective names.
- This name resolution is performed via the sources defined in the ns-switch for the passwd and group databases:
::> vserver services name-service ns-switch show -vserver SVM
Note:
- Name services are: files, ldap, nis
- If 'files' is set, a unix-user must be created for each user on the SVM
::> vserver services unix-user create -user tsmith -id 4219 -primary-gid 100 -full-name "Tom Smith" -vserver SVM01
Name mapping
- After resolving names, ONTAP attempts to map the resulting name to a valid Windows user in the following order:
- Explicit name-mapping: ONTAP compares the resolved UNIX user name against the explicit 'unix-win' name-mapping rules defined on the SVM:
::> vserver name-mapping show -vserver SVM01 -direction unix-win
- If a rule matches, ONTAP attempts to look up the mapped Windows user in Active Directory to retrieve that user's credentials.
Note: It is an error if the mapped Windows name is a group; the error is silently ignored if a default Windows user is configured.
- Implicit name-mapping: if no explicit rules are matched, ONTAP attempts mapping the UNIX user to a Windows user implicitly to retrieve the credentials by checking local CIFS users. If no match is found, Active Directory will be tried next.
Example: ONTAP will attempt to map UNIX user 'User01' to Windows user 'User01'.
- Default Windows user: if both methods above fail for any reason, ONTAP maps the UNIX user to the "Default Windows User", if one is set in the NFS server settings:
::> vserver nfs show -vserver SVM01 -fields default-win-user
Note: This option is blank by default.
- Access is then granted or denied based on the Windows credentials, because the volume has NTFS security style.
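The following Python model of the lookup order above is an added example, not code from the KB article or from ONTAP; the users, rules and directory contents are constructed sample data, and explicit rules are approximated as regular expressions. It reports which stage produced the effective Windows identity, which is useful when auditing who silently lands on the default Windows user.

```python
import re
from typing import Optional, Tuple

# Constructed sample data standing in for ns-switch (passwd), explicit
# unix-win rules, local CIFS users, Active Directory and default-win-user.
PASSWD = {4219: "tsmith", 1001: "svc_backup", 2002: "jdoe", 3003: "contractor"}
# Explicit unix-win rules in position order; modelled as Python regexes
# (an assumed approximation of ONTAP's rule syntax).
UNIX_WIN_RULES = [
    (r"svc_(.+)", r"SVC01\\svc-\1"),
    (r"jdoe", r"SVC01\\Domain Admins"),  # misconfigured: target is a group
]
LOCAL_CIFS_USERS = {"tsmith"}
AD_USERS = {"tsmith", "svc-backup"}
AD_GROUPS = {"Domain Admins"}
DEFAULT_WIN_USER = "pcuser"  # blank in ONTAP by default


def map_uid(uid: int, default_win_user: str = DEFAULT_WIN_USER) -> Tuple[Optional[str], str]:
    """Return (windows_identity, stage) following the lookup order above."""
    name = PASSWD.get(uid)
    if name is None:
        return None, "unresolved-uid"  # ns-switch sources could not resolve the UID
    # 1. Explicit name-mapping: the first matching unix-win rule wins.
    for pattern, repl in UNIX_WIN_RULES:
        m = re.fullmatch(pattern, name)
        if m:
            win = m.expand(repl)
            short = win.split("\\")[-1]  # strip the DOMAIN\ prefix for the AD lookup
            if short in AD_GROUPS:       # mapping to a group is an error ...
                if default_win_user:     # ... silently ignored when a default user exists
                    return default_win_user, "default-after-group-error"
                return None, "error-group"
            if short in AD_USERS:
                return win, "explicit"
            break  # rule matched but the AD lookup failed: fall through to the default
    else:
        # 2. Implicit mapping: same name, local CIFS users first, then AD.
        if name in LOCAL_CIFS_USERS:
            return name, "implicit-local"
        if name in AD_USERS:
            return name, "implicit-ad"
    # 3. Default Windows user, if configured; otherwise access is denied.
    if default_win_user:
        return default_win_user, "default"
    return None, "denied"


def audit_default_fallthrough(uids) -> list:
    """List UNIX names that silently receive the default Windows identity."""
    return [PASSWD[u] for u in uids if map_uid(u)[1].startswith("default")]
```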