CDot GIDs empty


I'm currently trying to migrate from 7Mode to CDot using 7MTT. After a few problems with 7MTT I'm now finally able to successfully initiate a cut over. After the cut over accessing files / folders with Unix security is not working as expected. If a user is not the owner of a file / folder he is not able to access it from windows using CIFS. I assume the problem is related to the filer not being able to pull the GIDs of a User from AD:

secd authentication show-creds -node GEDASAN-02 -vserver Corporate -win-name tuser

UNIX UID: tuser <> Windows User: A\tuser (Domain User)

GID: Domain Users

Supplementary GIDs: <None>

Windows Membership:

  A\Up ATEST De_Dt Da Lg (Alias)

  A\Up ATEST De_Dt Da Ug (Domain group)

User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x80):

I guess the 7MTT should have transferred my options.ldap but something seems to be missing for the GIDs...

Re: CDot GIDs empty

Did you happen to ever get/discover an answer to this?

I'm seeing the same.

I'm using the AD-IDMU ldap client schema template (as I didn't make a copy and use it as "customizable")

I seem to have other attributes and such mapping a-ok with AD user accounts.  Just not getting the gids.

Re: CDot GIDs empty

Yes, we got a very unsatisfying answer from NetApp saying that this is not implemented (yet???) in CDot. We had so much trouble moving from Cluster Mode to CDOT that we are considering moving away from NetApp.

Re: CDot GIDs empty

I have just discovered how to make this happen for you if you're interested.  At least it appears to have worked for me.

Assuming you have a similar setup to ours with leveraging AD, you need to take a look at the ldap client schema applied to your SVM 'Corporate'

We are just using the AD-IDMU as-is.

> vserver services ldap client show -vserver Corporate -fields schema     ## This will show you the LDAP schema applied to your SVM

> vserver services ldap client schema show -instance -vserver Corporate -schema AD-IDMU   ## prints out all of the fields showing you which AD attributes the schema is mapping to.

The line to note from the second command is "RFC 2307 memberUid Attribute: memberUid"

The memberUid attribute was not populated for any of our groups, and CDOT had no idea what auxiliary groups any of my domain users were a member of, at least according to the 'secd authentication show-creds' command.

We have experienced most of our pain in permissions between unix and windows in our transition to CDOT and I will say that documentation on the matter is VERY scattered or lacking for a great portion of it.

Re: CDot GIDs empty

bsnyder is correct.

memberUid is the way to do this presently.

Future releases will introduce RFC-2307bis schema support, which will allow extraction of GIDs in AD based on the "member" attributes, without needing memberUid.

oweinmann, please message me directly with any issues you have lingering and I will attempt to assist you the best I can. bsnyder27 can vouch for me.

Re: CDot GIDs empty

For reference, TR-4073 covers LDAP with cDOT in depth:

Re: CDot GIDs empty

This is what I get on our filer:

GEDASAN::> vserver services ldap client show -vserver Corporate -fields schema

vserver   client-config                 schema
--------- ----------------------------- ------------------------
Corporate LDAP_vfiler0_Corporate_conf_0 LDAP_vfiler0_Corporate_5

GEDASAN::> vserver services ldap client schema show -instance -vserver Corporate -schema AD-IDMU

                                    Vserver: Corporate

                            Schema Template: AD-IDMU

                                    Comment: Schema based on Active Directory Identity Management for UNIX (read-only)

         RFC 2307 posixAccount Object Class: User

           RFC 2307 posixGroup Object Class: Group

          RFC 2307 nisNetgroup Object Class: nisNetgroup

                     RFC 2307 uid Attribute: uid

               RFC 2307 uidNumber Attribute: uidNumber

               RFC 2307 gidNumber Attribute: gidNumber

         RFC 2307 cn (for Groups) Attribute: cn

      RFC 2307 cn (for Netgroups) Attribute: name

            RFC 2307 userPassword Attribute: unixUserPassword

                   RFC 2307 gecos Attribute: name

           RFC 2307 homeDirectory Attribute: unixHomeDirectory

              RFC 2307 loginShell Attribute: loginShell

               RFC 2307 memberUid Attribute: memberUid

       RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup

       RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple

ONTAP Name Mapping windowsAccount Attribute: windowsAccount

                        Vserver Owns Schema: false

And yes, memberUid is not set by default on Windows 2008 R2 Unix Identity Management. So how do you fix it? You write a script that populates the LDAP Attribute memberUid?

Re: CDot GIDs empty

That would be the best approach.  Should be easy to do with Powershell.

I'd provide you with a script if I had one, but we've just manually edited a small number of AD groups that needed this type of access for now which appears sufficient for us for now. 

Easy to test the outcome first by populating the memberUid attribute of one of your AD groups that tuser is a member of and rerunning your command:

secd authentication show-creds -node GEDASAN-02 -vserver Corporate -win-name tuser
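The script suggested above, written here as an added example (it is not from this thread, from NetApp, or from TR-4073): it fills memberUid on AD groups from their user members so the AD-IDMU schema can return supplementary GIDs. It assumes the RSAT ActiveDirectory module, write rights on the groups, that the group carries a gidNumber, and that the uid attribute mapped in the schema ("RFC 2307 uid Attribute: uid") is populated on the users; the group name is the one from the show-creds output earlier in the thread.

```powershell
# Added example: populate memberUid so ONTAP (AD-IDMU schema) sees supplementary GIDs.
# Assumes RSAT ActiveDirectory module; run without -Commit first to see the planned change.
Import-Module ActiveDirectory

function Sync-MemberUid {
    param(
        [Parameter(Mandatory)][string[]]$GroupName,  # AD groups that have a gidNumber
        [string]$UidAttribute = 'uid',               # must match the schema's RFC 2307 uid attribute
        [switch]$Commit                              # without -Commit: report only, change nothing
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -Properties gidNumber, memberUid
        if (-not $group.gidNumber) {
            Write-Warning "$name has no gidNumber, so ONTAP cannot treat it as a UNIX group; skipping"
            continue
        }
        # memberUid is a flat list, so flatten nested membership and keep user objects only
        $uids = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { (Get-ADUser -Identity $_.distinguishedName -Properties $UidAttribute).$UidAttribute } |
            Where-Object { $_ } | Sort-Object -Unique
        $current = @($group.memberUid | Where-Object { $_ })
        $missing = @($uids | Where-Object { $current -notcontains $_ })
        $stale   = @($current | Where-Object { $uids -notcontains $_ })   # reported, never removed here
        [pscustomobject]@{ Group = $name; GidNumber = $group.gidNumber; Add = $missing; Stale = $stale }
        if ($Commit -and $missing) {
            # memberUid is multi-valued; -Add appends without touching existing values
            Set-ADGroup -Identity $group -Add @{ memberUid = $missing }
        }
    }
}

# Dry run, then commit; afterwards rerun 'secd authentication show-creds' to confirm the GIDs appear.
Sync-MemberUid -GroupName 'Up ATEST De_Dt Da Ug'
Sync-MemberUid -GroupName 'Up ATEST De_Dt Da Ug' -Commit
```

Users whose uid attribute is empty are skipped silently, which is why a gap in show-creds after running this usually points at the user object rather than the group.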

Re: CDot GIDs empty

Yes, maybe that would be the best approach. I thought about that too, but to be honest I really think that NetApp should start implementing this as a feature. If it was working on 7Mode I would expect it to work on CDot too. The worst part was having support look into the issue and they really had no clue what wasn't working. So since we have the new NetApp, the only thing we can use it for is NFS datastores for VMware.

Re: CDot GIDs empty

In TR-4073, I cover how to add "aux groups" to Windows LDAP. Basically, you double click the group and go to UNIX attributes. Then click "add" to add LDAP users. This populates the memberUid field in the schema. page 83ish

As I mentioned previously "Future releases will introduce RFC-2307bis schema support." I cannot reveal which release on this forum, so you'd want to discuss with your sales rep under NDA.