Skip to main content

NetApp Stage KB

Understanding name-mapping in a multiprotocol environment

  1. Last updated
  2. Save as PDF

Views:
2
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9 
  • NAS

Answer

How does name-mapping work for NFS clients accessing UNIX security style resources?
  • The client will send the UID and GID(s) in the RPC header of the NFS operation.
  • The filer will grant/deny access based on the UID and GID(s) sent in the RPC header of the NFS operation.

Note: There is no user mapping that takes place during this process. ONTAP does not need to map the incoming user to a Windows user in order for an NFS client to perform operations against a UNIX security style resource.

How does name-mapping work for NFS clients accessing UNIX security style resources?
How does name-mapping work for NFS clients accessing NTFS security style resources?
Name resolution
  • The client will send the UID and GID(s) in the RPC header of the NFS operation.
  • ONTAP will attempt to resolve the UID and GID(s) to their respective names
  • This name resolution is performed via the sources defined in the ns-switch for passwd and group
    • ::> vserver services name-service ns-switch show -vserver SVM

Note: 

  • Name services are: files, ldap, nis
  • If 'files' is set, a unix-user must be created for each user on the SVM
    • ::> vserver services unix-user create -user tsmith -id 4219 -primary-gid 100 -full-name "Tom Smith" -vserver SVM01
Name mapping
  • After resolving names, ONTAP attempts to map the resulting name to a valid Windows user in the following order:
  1. Explicit name-mapping: ONTAP attempts to match the resolved UNIX user utilizing string comparison as per the explicit name-mapping 'unix-win' rules defined

::> vserver name-mapping show -vserver SVM01 -direction unix-win

  • If a rule is matched successfully, ONTAP attempts to lookup the mapped Windows user in Active Directory to retrieve the credentials for that user.

Note: It is an error if the Windows name is a group, but it will be silently ignored if a default user is configured.

  1. Implicit name-mapping: if no explicit rules are matched, ONTAP attempts mapping the UNIX user to a Windows user implicitly to retrieve the credentials by checking local CIFS users. If no match is found, Active Directory will be tried next.

Example: Filer will attempt to map UNIX user 'user01' to Windows user 'User01'.

  1. Default Windows User - if both methods above fail for any reason, ONTAP will map the UNIX user to the "Default Windows User", if set in the NFS server settings.

::> vserver nfs show -vserver SVM01 -fields default-win-user

Note: This option is blank by default

  • Access is granted or denied on the Windows credentials, because the volume is an NTFS security style.
How does name-mapping work when NFS clients are accessing an NTFS security style resource?
How does name-mapping work for CIFS clients accessing UNIX security style resources?
How does name-mapping work when CIFS clients access UNIX security style resources?
How does name-mapping work for CIFS clients accessing NTFS security style resources?
How does name-mapping work when CIFS clients access NTFS security style resources?

Additional Information

  • How to create and understand vserver name-mapping rules
  • The following is an example scenario:
    • UID 1057 is sent to ONTAP by a client.
    • ONTAP resolves UID 1057 to Unix user “bob”
    • ONTAP checks the name mapping entries.
      • If ONTAP finds a Unix to Windows name mapping entry for the pattern “bob” (say that it found “bob==DOMAIN\robert”) then the UID and the AD account are linked during the connection, so when the NFS connection is used by the UID 1057, File level access to NTFS security locations is determined based on the AD account that the that is linked.
      • If ONTAP doesn’t find an entry in the name mapping table for pattern “bob” then it will assume that “bob==DOMAIN\bob” and check AD for an account named bob.
      • If the account is found, then UID 1057 would be granted access based on the AD account “DOMAIN\bob”
      • If there is no explicit name mapping found, and implicit name mapping fails as well, there is an option in the NFS Server settings for “default windows user” which would be a final attempt to link the UID that was resolved as bob to a fallback AD account, like “DOMAIN\guest”, however this setting is normally left blank since it is not required by ONTAP for NFS access.
    • This process also happens when a CIFS/SMB connection is made, and access is attempted to a Unix security style location.
      • The only difference is that there is a requirement for the CIFS Server option for “default unix user” be populated to a Unix account that ONTAP can lookup, either locally or in NIS/LDAP.
      • This requirement is related to the fact that ONTAP runs on Unix and requires that all connections be based/tracked via a Unix UID, even if we don’t use the name mapped unix account to determine file level access.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.