
Active Directory users integration

I have joined a NetApp filer to a domain. The authentication works, the NTFS ACLs are set properly, and users can access the shares. But I need to provision every user twice: first in the domain and second in /etc/passwd on the NetApp. Is there a way to avoid that? The authentication and authorization are done using Active Directory, but the user needs to appear in /etc/passwd for some reason...

Re: Active Directory users integration

I don't think so - is this a multiprotocol filer or an NTFS filer?

Check out /etc/usermap.cfg and its related man pages

Re: Active Directory users integration

It is multiprotocol. I am serving both NFS and CIFS. But this qtree in particular is NTFS only. It only works if I add the user to the passwd file. The password doesn't matter since it uses the one in AD.

Re: Active Directory users integration

That does not seem right. It appears that the filer is configured to do local user authentication.

Can you turn on cifs.trace_login and see what the error is? AFAIK, if you do Windows AD authentication, you do not need any /etc/passwd entries.

http://media.netapp.com/documents/wp_3014.pdf

Re: Active Directory users integration

What exactly do you mean under "user needs to appear in /etc/passwd"? What does not work if user is not entered there?

Re: Active Directory users integration

If I don't add the entry in /etc/passwd, users cannot connect at all. Authentication fails. If I add them, authentication works with the AD password and everything seems to be fine.

Re: Active Directory users integration

Does it happen for this particular qtree only or for any qtree with NTFS security?

NetApp always performs NT-to-Unix user mapping, even for access to an NTFS qtree from a Windows client. If mapping fails, access is denied. Check that:

- usermap.cfg does not deny access by listing empty Unix user name, like

\ => ""

Any NT user that maps to an empty Unix user in this way will be denied access.

- you have a non-empty wafl.default_unix_user. The default is pcuser, which is normally available in /etc/passwd.

Re: Active Directory users integration

How are you supplying the username to the filer?

Did you try the "AD domain\AD username" format?

Re: Active Directory users integration

Finally I made it work. It was wafl.default_unix_user which was empty so users with no mapping just mapped to anything and it didn't work. Now I can use new users without problems and they follow the access rules in the NTFS domain!!!

I will also let you know that you solved an issue NetApp support wasn't able to solve, and I want to say that the support from NetApp in this matter has been worse than awful.

Thanks a lot.
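The mapping rules described in the reply about usermap.cfg and wafl.default_unix_user, and the root cause confirmed in the final post (an empty wafl.default_unix_user), can be exercised offline with the following simulator. This is an added example, not NetApp's code and not the actual Data ONTAP mapping logic; it models only the four rules stated in the thread (an explicit mapping is used; a mapping to "" denies; an unmapped NT user falls back to wafl.default_unix_user; an empty default leaves the user unmapped and denied) and assumes the mapped Unix user must exist in /etc/passwd. The usermap.cfg parser is deliberately simplified to plain "ntuser => unixuser" lines; the sample usermap.cfg and /etc/passwd contents are constructed.

```python
"""Simulate NT-to-Unix user mapping for NTFS qtree access, as described in the thread.

Constructed example (not NetApp code). Rules modelled:
  1. usermap.cfg entry  NTUSER => UNIXUSER  is used when present.
  2. An entry mapping to "" is an explicit deny.
  3. An NT user with no entry falls back to wafl.default_unix_user.
  4. An empty wafl.default_unix_user leaves the user unmapped -> denied.
Assumption: the resulting Unix user must exist in /etc/passwd.
"""

# Constructed sample usermap.cfg (simplified syntax: one 'nt => unix' per line).
USERMAP_CFG = """
# explicit deny: maps to an empty Unix user
CORP\\bob   => ""
# explicit mapping to an existing Unix account
CORP\\carol => carol
# explicit mapping to an account missing from /etc/passwd
CORP\\dave  => dave
"""

# Constructed sample /etc/passwd.
PASSWD = """
root:x:0:0:root:/:/bin/sh
pcuser:x:65534:65534:default CIFS user:/:/bin/false
carol:x:1001:100:Carol:/home/carol:/bin/sh
"""


def parse_usermap(text):
    """Return {nt_user_lowercase: unix_user} from usermap.cfg-style text.

    Simplification: real usermap.cfg also supports wildcards and a direction
    operator; here only '#' comments and 'nt => unix' lines are understood.
    A quoted empty string ("") becomes '' so the caller can treat it as deny.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=>" not in line:
            continue
        nt, unix = (part.strip() for part in line.split("=>", 1))
        mapping[nt.lower()] = unix.strip('"')
    return mapping


def parse_passwd(text):
    """Return the set of account names present in /etc/passwd-style text."""
    return {
        line.split(":", 1)[0]
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    }


def resolve_unix_user(nt_user, usermap, default_unix_user, passwd_users):
    """Map an NT user to a Unix user; return (unix_user_or_None, reason)."""
    key = nt_user.lower()
    if key in usermap:
        unix = usermap[key]
        if unix == "":
            return None, "usermap.cfg maps %s to an empty Unix user (explicit deny)" % nt_user
    elif default_unix_user:
        unix = default_unix_user  # rule 3: fall back to wafl.default_unix_user
    else:
        return None, "no usermap.cfg entry and wafl.default_unix_user is empty"
    if unix not in passwd_users:
        return None, "mapped Unix user %r is not in /etc/passwd" % unix
    return unix, "ok"


def audit(nt_users, default_unix_user, usermap_text=USERMAP_CFG, passwd_text=PASSWD):
    """Resolve every NT user and return {nt_user: (unix_user_or_None, reason)}."""
    usermap = parse_usermap(usermap_text)
    passwd_users = parse_passwd(passwd_text)
    return {u: resolve_unix_user(u, usermap, default_unix_user, passwd_users) for u in nt_users}


if __name__ == "__main__":
    users = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave"]
    # The thread's broken configuration: wafl.default_unix_user is empty.
    for default in ("", "pcuser"):
        print("wafl.default_unix_user = %r" % default)
        for user, (unix, reason) in audit(users, default).items():
            print("  %-12s -> %-8s %s" % (user, unix or "DENIED", reason))
```

Running it shows the symptom from the original question: with wafl.default_unix_user empty, a new AD user such as CORP\alice with no usermap.cfg entry is denied, while setting the default to pcuser (present in /etc/passwd) lets unmapped domain users in without per-user /etc/passwd entries. Bob stays denied by the explicit "" mapping in either case, and dave shows why a mapping target must also exist in /etc/passwd.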