What are the important considerations when setting up CIFS and name-mapping in clustered Data ONTAP
Applies to
- ONTAP 9
Special Conditions pertaining to machine account user mappings, please read:
Answer
Important considerations when setting up CIFS and name-mapping in ONTAP.
Consideration 1: CIFS access always requires the Windows user to be mapped to a UNIX UID
- A Windows user must be mapped to a valid UNIX user when the CIFS session is established; this applies regardless of the security style of the volume being accessed
- Without a valid mapping, CIFS access is denied
- The default UNIX user is the local user "pcuser"; it can be changed with the following command:
vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>
- The user named here must resolve through the SVM's configured name services (local files, NIS or LDAP); if it does not exist, every session that falls back to it is denied
Consideration 2: Data ONTAP (any version) does not map groups or GIDs
- It is not possible to map Windows groups to UNIX groups
- Mapping happens on the Windows user name only
- Windows group membership is received from the DC, either in the Kerberos ticket (PAC) or in the Netlogon response for NTLM authentication, and is used only for the Windows side of the access check
- UNIX group membership is calculated from the configured name services or local files, based on the mapped UNIX user's membership there, not on the Windows groups
Consideration 3: Mixed protocol NAS access does not require mixed security style volumes
- In a mixed security style volume, each file or directory has an effective security style set by whichever protocol last changed its permissions
- At any given moment a file therefore has either UNIX mode bits or an NTFS ACL, never both: a permission change from NFS replaces the NTFS ACL, and a permission change from CIFS replaces the mode bits, which produces access results that are hard to predict and to audit
- In the majority of cases, using mixed security style volumes is not advised
- With correct user mapping, both CIFS access to a UNIX security style volume and NFS access (via the mapped user) to an NTFS security style volume work as expected
Consideration 4: Under certain conditions user mapping works without any entries in the vserver name-mapping table
- If the Windows user name (with the domain stripped) matches a UNIX user name known to the SVM's name services, the default (implicit) mapping is used and no explicit rule is needed
- This is typically the case when both the Windows and the UNIX identities are stored in the same AD LDAP directory with the UNIX attributes populated
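The mapping order that Considerations 1, 2 and 4 describe (explicit rules first, then the implicit name match, then the default UNIX user, otherwise deny, with UNIX GIDs computed from the UNIX side only) is shown below as a small Python model. This is an added illustration written for this article, not ONTAP code: the user and group tables, the rule set and the account names (CORP, jdoe, svc_backup) are constructed for the example, and the behaviour for a rule that resolves to a non-existent UNIX user is an assumption of the model that should be verified on your release.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed UNIX user database, standing in for what ONTAP would read from
# local files, NIS or LDAP: unix name -> (uid, primary gid)
UNIX_USERS = {
    "pcuser": (65534, 65534),
    "jdoe": (1001, 100),
    "svc_backup": (2001, 200),
}

# Constructed UNIX group database: group name -> (gid, member user names).
# Consideration 2: supplementary GIDs come only from here, never from the
# Windows group SIDs carried in the Kerberos PAC or the Netlogon response.
UNIX_GROUPS = {
    "users": (100, {"jdoe"}),
    "wheel": (10, {"jdoe"}),
    "backup": (200, {"svc_backup"}),
}


@dataclass(order=True)
class Rule:
    """One win-unix row of the vserver name-mapping table (hypothetical data)."""
    position: int
    pattern: str      # regex matched against DOMAIN\user
    replacement: str  # may reference capture groups as \1, \2, ...


@dataclass
class Mapping:
    unix_name: Optional[str]
    uid: Optional[int]
    gids: list = field(default_factory=list)
    how: str = ""  # which step produced the result, for the reader


def map_windows_user(win_name, rules, default_unix_user="pcuser", windows_groups=()):
    """Resolve a Windows account to the UNIX identity its CIFS session would carry.

    Order modelled on the article (Considerations 1 and 4):
      1. explicit win-unix rules, lowest position first, first match wins
      2. implicit mapping: the user name with the domain stripped, if it is a UNIX user
      3. the vserver's default-unix-user (pcuser unless changed)
      4. otherwise the session is denied
    `windows_groups` is accepted only to make Consideration 2 visible: it is
    never consulted when computing GIDs.
    """
    candidate, how = None, ""

    # 1. explicit rules in position order
    for rule in sorted(rules):
        m = re.fullmatch(rule.pattern, win_name, flags=re.IGNORECASE)
        if m:
            candidate, how = m.expand(rule.replacement), f"explicit rule, position {rule.position}"
            break

    # 2. implicit mapping on the bare user name
    if candidate is None:
        bare = win_name.split("\\", 1)[-1].lower()
        if bare in UNIX_USERS:
            candidate, how = bare, "implicit (Windows user name == UNIX user name)"

    # 3. default UNIX user, which must itself resolve
    if candidate is None:
        if default_unix_user in UNIX_USERS:
            candidate, how = default_unix_user, "default-unix-user"
        else:
            return Mapping(None, None, [], "denied: no mapping and no valid default-unix-user")

    # Assumption of this model: a rule that resolves to an unknown UNIX user
    # denies access instead of falling through to the default user.
    if candidate not in UNIX_USERS:
        return Mapping(None, None, [], f"denied: mapped to unknown UNIX user {candidate!r}")

    # 4. GIDs come from the UNIX group database only (Consideration 2)
    uid, pgid = UNIX_USERS[candidate]
    supplementary = sorted(gid for gid, members in UNIX_GROUPS.values()
                           if candidate in members and gid != pgid)
    return Mapping(candidate, uid, [pgid] + supplementary, how)


if __name__ == "__main__":
    # Constructed rule: CORP\svc-<x> -> svc_<x>, the kind of rewrite that
    # 'vserver name-mapping create -direction win-unix' would hold in ONTAP
    rules = [Rule(1, r"CORP\\svc-(.+)", r"svc_\1")]
    for name in ("CORP\\jdoe", "CORP\\svc-backup", "CORP\\Administrator"):
        print(name, "->", map_windows_user(name, rules, windows_groups=("Domain Admins",)))
```

Running the block shows the three outcomes side by side: jdoe maps implicitly and picks up the supplementary GID 10 from the UNIX group table even though nothing on the Windows side mentions it, svc-backup maps through the explicit rule, and Administrator lands on pcuser because no UNIX user of that name exists. The real equivalents of the first two paths are rows created with vserver name-mapping create and a matching entry in the SVM's UNIX user source; the third path is controlled by the -default-unix-user option shown under Consideration 1.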
Additional Information
- For more information on how name-mapping is executed, see the articles below: