Skip to main content
NetApp Knowledge Base

Understanding name-mapping in a multiprotocol environment

Views:
23,909
Visibility:
Public
Votes:
25
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9 
  • NAS

Answer

How does name-mapping work for NFS clients accessing UNIX security style resources?
  • The client will send the UID and GID(s) in the RPC header of the NFS operation.
  • The filer will grant/deny access based on the UID and GID(s) sent in the RPC header of the NFS operation.

Note: There is no user mapping that takes place during this process. ONTAP does not need to map the incoming user to a Windows user in order for an NFS client to perform operations against a UNIX security style resource.

How does name-mapping work for NFS clients accessing UNIX security style resources?
How does name-mapping work for NFS clients accessing NTFS security style resources?
Name resolution
  • The client will send the UID and GID(s) in the RPC header of the NFS operation.
  • ONTAP will attempt to resolve the UID and GID(s) to their respective names
  • This name resolution is performed via the sources defined in the ns-switch for passwd and group
    • ::> vserver services name-service ns-switch show -vserver SVM

Note: 

  • Name services are: files, ldap, nis
  • If 'files' is set, a unix-user must be created for each user on the SVM
    • ::> vserver services unix-user create -user tsmith -id 4219 -primary-gid 100 -full-name "Tom Smith" -vserver SVM01
Name mapping
  • After resolving names, ONTAP attempts to map the resulting name to a valid Windows user in the following order:
  1. Explicit name-mapping: ONTAP attempts to match the resolved UNIX user utilizing string comparison as per the explicit name-mapping 'unix-win' rules defined

::> vserver name-mapping show -vserver SVM01 -direction unix-win

  • If a rule is matched successfully, ONTAP attempts to lookup the mapped Windows user in Active Directory to retrieve the credentials for that user.

Note: It is an error if the Windows name is a group, but it will be silently ignored if a default user is configured.

  1. Implicit name-mapping: if no explicit rules are matched, ONTAP attempts mapping the UNIX user to a Windows user implicitly to retrieve the credentials by checking local CIFS users. If no match is found, Active Directory will be tried next.

Example: Filer will attempt to map UNIX user 'User01' to Windows user 'User01'.

  1. Default Windows User - if both methods above fail for any reason, ONTAP will map the UNIX user to the "Default Windows User", if set in the NFS server settings.

::> vserver nfs show -vserver SVM01 -fields default-win-user

Note: This option is blank by default

  • Access is granted or denied on the Windows credentials, because the volume is an NTFS security style.
How does name-mapping work when NFS clients are accessing an NTFS security style resource?
How does name-mapping work for CIFS clients accessing UNIX security style resources?
  • As the user has already been authenticated in the domain, ONTAP needs to build credentials for the user for each newly created CIFS session.
  • To build credentials, ONTAP needs to map the Windows user to a UNIX user to be able to lookup the mapped UID and GID(s) via the sources defined in ns-switch

::> vserver services name-service ns-switch show
                                                 Source
               Vserver         Database            Order
               --------------- ------------        ---------
               vs0             hosts               files,
                                                   dns
               vs1             passwd              files,
                                                   ldap, nis
               2 entries were displayed.

  • ONTAP will attempt to map the Windows user to a UNIX user in the following order to attempt to lookup the UNIX user's UID and GID(s) via the sources defined in ns-switch.:
  1. Explicit name-mapping: ONTAP attempts to match the Windows user utilizing string comparison as per the explicit name-mapping 'win-unix' rules defined

::> vserver name-mapping show -vserver SVM01 -direction win-unix

Example:

Vserver:   SVM01
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        test.com         -                  Pattern: EXAMPLE\\administrator
                                         Replacement: nobody
2        -                10.238.2.34/32     Pattern: EXAMPLE\\(.+)
                                         Replacement: \_1

Note: How to create and understand vserver name-mapping rules 

  1. Implicit name-mapping: if no explicit rules are matched, ONTAP attempts to map Windows user against a unix user with the same user name

Example: Windows User 'DOMAIN\USER01' to UNIX user 'User01'

  1. Default UNIX user: if both methods above fail (e.g. filer cannot pull the UID and GID(s) for the mapped UNIX user), for any reason, the filer will map the Windows user to the "Default UNIX User" which is defined in the CIFS server options.

::> vserver cifs options show -vserver SVM01 -fields default-unix-user

Note: The default unix user is set to 'pcuser' (UID 65534) by default.

  • Access is granted or denied based on the UID and GID(s) of the UNIX credentials because the volume is set to UNIX security style.
  • To confirm name-mapping:

Example:

::> set -privilege advanced
::*> vserver services access-check name-mapping show -node cluster1-node01 -vserver SVM01 -direction win-unix -name EXAMPLE\Administrator 

EXAMPLE\Administrator maps to root

 

How does name-mapping work when CIFS clients access UNIX security style resources?
How does name-mapping work for CIFS clients accessing NTFS security style resources?
  • Machine accounts are mapped to the specified default UNIX user by default. If no default UNIX user is specified, machine account mappings fail.

Note: In ONTAP 9.5+ machine accounts can be mapped to users other than the default UNIX user.

  • As the user has already authenticated to the domain, ONTAP needs to build credentials for the user for each newly created CIFS session.

  • To build credentials, ONTAP needs to map the Windows user to a UNIX user to be able to lookup the mapped UID and GID(s) via the sources defined in ns-switch

::> vserver services name-service ns-switch show -vserver SVM

  • ONTAP will attempt to map the Windows user to a UNIX user in the following order:

  1. Explicit name-mapping: ONTAP attempts to match the Windows user utilizing string comparison as per the explicit name-mapping 'win-unix' rules defined

::> vserver name-mapping show -vserver SVM01 -direction win-unix

  1. Implicit name-mapping: if no explicit rules are matched, the filer will attempt to map the UNIX user to a Windows user implicitly.

Example: Windows user 'DOMAIN\USER01' to UNIX user 'User01'

  1. Default UNIX User: if both methods above fail (For example, filer cannot pull the UID and GID(s) for the mapped UNIX user), for any reason, the filer will map the Windows user to the "Default UNIX User" which is defined in the CIFS server options.

::> vserver cifs options show -vserver SVM01 -fields default-unix-user

Note:  The default unix user is set to 'pcuser' (UID 65534) by default.

  • Access is granted or denied based on the Windows credentials  because the volume is set to NTFS security style.
How does name-mapping work when CIFS clients access NTFS security style resources?

Additional Information

  • How to create and understand vserver name-mapping rules
  • The following is an example scenario:
    • UID 1057 is sent to ONTAP by a client.
    • ONTAP resolves UID 1057 to Unix user “bob”
    • ONTAP checks the name mapping entries.
      • If ONTAP finds a Unix to Windows name mapping entry for the pattern “bob” (say that it found “bob==DOMAIN\robert”) then the UID and the AD account are linked during the connection, so when the NFS connection is used by the UID 1057, File level access to NTFS security locations is determined based on the AD account that the that is linked.
      • If ONTAP doesn’t find an entry in the name mapping table for pattern “bob” then it will assume that “bob==DOMAIN\bob” and check AD for an account named bob.
      • If the account is found, then UID 1057 would be granted access based on the AD account “DOMAIN\bob”
      • If there is no explicit name mapping found, and implicit name mapping fails as well, there is an option in the NFS Server settings for “default windows user” which would be a final attempt to link the UID that was resolved as bob to a fallback AD account, like “DOMAIN\guest”, however this setting is normally left blank since it is not required by ONTAP for NFS access.
    • This process also happens when a CIFS/SMB connection is made, and access is attempted to a Unix security style location.
      • The only difference is that there is a requirement for the CIFS Server option for “default unix user” be populated to a Unix account that ONTAP can lookup, either locally or in NIS/LDAP.
      • This requirement is related to the fact that ONTAP runs on Unix and requires that all connections be based/tracked via a Unix UID, even if we don’t use the name mapped unix account to determine file level access.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.