Skip to main content
NetApp Knowledge Base

What are the important considerations when setting up CIFS and name-mapping in clustered Data ONTAP

Views:
6,595
Visibility:
Public
Votes:
3
Category:
clustered-data-ontap-8
Specialty:
nas
Last Updated:

Applies to

  •   ONTAP 9

Special Conditions pertaining to machine account user mappings, please read:

 

Answer

Important considerations when setting up CIFS and name-mapping in ONTAP.

Consideration 1: CIFS access always requires mapping of CIFS users to a UNIX UID
  • A Windows user needs to be mapped to a valid unix user during the setup of the CIFS session
  • Without valid mapping CIFS access will be denied
  • Default unix user is the local user "pcuser", this can be changed with the following command
    • vserver cifs options modify -vserver <vserver name> -default-unix-user <user to map to, e.g. pcuser>
 
Consideration 2: Data ONTAP (any version) does not map groups or GIDs
  • It is not possible to map windows groups to unix groups
  • Mapping happens on the windows user name
  • Windows groups are received from the DC either in the Kerberos ticket or in the Netlogon response
  • Unix groups are calculated from the configured name services or local files, based on user membership
 
Consideration 3: Mixed protocol NAS access does not require mixed security style volumes
  • Mixed security style retains, for every file, the last permission change
  • This means that, at any time, a file can have a UNIX style or a NTFS style but not both, this can result in inconsistent access permissions and restrictions
  • In a majority of cases, using the mixed security style volumes, is not advised
  • With the right mapping of users, both CIFS access to a UNIX security volume and mapped NFS access to an NTFS security style volume is feasible
Consideration 4: Under certain conditions User-mapping can work perfectly well without any entries in the vServer name-mapping tables
  • If both Windows and UNIX user names match then mapping will be transparent as default user mapping will be leveraged
  • This happens, for example, if both windows and unix users are stored on the same AD LDAP database

Additional Information

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.