
Clone NFS / CIFS environment

I want to clone an NFS / CIFS environment. Some of the Unix qtrees are accessed by Windows AD users; I believe the filer is using NIS to map / authenticate the Windows accounts into Unix accounts.

The NIS environment will also be cloned, as will the AD environment. I will be using snapmirror to clone the data volumes onto the new filer; however, I am unsure if it is possible to configure the new filer to point at the cloned NIS environment so as to allow mapping / authentication to continue as it did in the old environment. If this is possible, how is this done?

Also, if using VSM / QSM from the old filer to the new, will all file system security / permissions also migrate? Or do I need to make sure that the filer is in the correct AD domain / NIS before I replicate the volumes / qtrees?

Lastly, what config files do I need to verify on the existing filer to check if NIS is being used? Also, anything else I should be aware of?

Clone NFS / CIFS environment

Permissions/security will migrate. Make sure to join the domain (before or after, but before to test sooner)... then also confirm options nis. settings and options ldap. settings are the same... then confirm/compare /etc/usermap.cfg, /etc/hosts, /etc/hosts.equiv, /etc/passwd between controllers.

You can use the wcc command to check mapping... it is invaluable. wcc -s windowsusername-or-sid and wcc -u unixusername to see the mapping between users.

Clone NFS / CIFS environment

Thanks for the input, Scott.

Do you know if NIS is something you join like AD or is it something you point at? Also, if you just point at NIS, does this mean that Unix applied perms would still work as expected if you did not use NIS in the cloned environment and instead mapped the relevant Windows user > Unix user within the local files (on the filers)?

As you can tell I know nothing about NIS etc!

Re: Clone NFS / CIFS environment

No join.. Match all NIS settings and check config files.. nsswitch.conf, passwd, etc. and compare and match source controller.

Typos Sent on Blackberry Wireless
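The compare-and-match step suggested in the replies above, as an added example that is not part of the original posts: a small drift check over text captured from both controllers (for instance saved `rdfile` and `options nis` output). The sample contents, user names and addresses are constructed, and treating `#` as a comment marker in every file is an assumption.

```python
# Added example: compare identity-related config captured from the source
# and destination controllers. All sample data below is constructed.

# usermap.cfg is evaluated top to bottom and the first match wins,
# so its entry order is part of the configuration.
ORDERED = {"/etc/usermap.cfg"}

def normalize(name, text):
    """Drop comments and blank lines, collapse whitespace, sort if unordered."""
    rows = []
    for raw in text.splitlines():
        row = " ".join(raw.split("#", 1)[0].split())  # assumes '#' comments
        if row:
            rows.append(row)
    return rows if name in ORDERED else sorted(rows)

def drift(source, dest):
    """Return {item: differences} for every item that does not match."""
    report = {}
    for name in sorted(set(source) | set(dest)):
        a = normalize(name, source.get(name, ""))
        b = normalize(name, dest.get(name, ""))
        if a != b:
            report[name] = {
                "only_source": [r for r in a if r not in b],
                "only_dest": [r for r in b if r not in a],
                "order_differs": name in ORDERED and sorted(a) == sorted(b),
            }
    return report

SOURCE = {  # constructed capture from the existing filer
    "/etc/usermap.cfg": r"""
# explicit mapping must precede the wildcard
CORP\jsmith => jdoe
CORP\* == *
""",
    "options nis": "nis.domainname   corp.example\nnis.enable   on\n"
                   "nis.servers   192.0.2.10\n",
    "/etc/hosts": "192.0.2.10   nis1   # NIS server\n",
}
DEST = {  # constructed capture from the new filer
    "/etc/usermap.cfg": "CORP\\* == *\nCORP\\jsmith => jdoe\n",
    "options nis": "nis.domainname corp.example\nnis.enable on\n"
                   "nis.servers 192.0.2.20\n",
    "/etc/hosts": "192.0.2.10\tnis1\n",
}

if __name__ == "__main__":
    for item, diff in drift(SOURCE, DEST).items():
        print(item, diff)
```

In the constructed data the destination usermap.cfg holds the same entries in a different order, which is enough for CORP\jsmith to hit the wildcard first and map to a different Unix user; confirm any such finding with wcc on both controllers.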

Re: Clone NFS / CIFS environment

Great - Last question, although an administrative headache, do you think it is feasible to not use NIS in the new environment and instead map each user within local files?

Re: Clone NFS / CIFS environment

You could.. But need to make passwd and netgroup entries.. Then maintain them locally.. Most don't want to maintain multiple so use ldap or nis for central management.


Re: Clone NFS / CIFS environment

Hi Scott

It now seems the filers are members of the Windows domain, which is good. During this migration the new filers will be given free IPs on the same subnet as the existing filers. Once migration is complete the networks will be separated and the existing IPs of the old filers will be applied to the new. At this point the names of the filers would also be migrated; to do this, would I need to re-run cifs setup and change the filer's name? Would this cause an issue with security etc.? Can I migrate the names another way, with an alias or something? The idea behind the same names is to ensure that shares / exports map without reconfiguration of the clients etc.

Re: Clone NFS / CIFS environment

You could set up NetBIOS aliasing in ONTAP.. But I'd rerun setup if down already, which is the case.. Security on files won't change.


Re: Clone NFS / CIFS environment

To allow for a testing environment I am thinking of using MultiStore. So I would create a vfiler on the same networks as the existing filers and give them unique names / IPs, then configure vfiler0 in an identical fashion to the existing filers, including name, IPs, exports, shares, usermap, hosts etc. I would attach the cloned vfiler0 to a segregated network which would also contain a cloned test environment which includes Active Directory, NIS and relevant hosts etc. Snapmirror would replicate volumes / qtrees to the unique vfiler; to allow for testing I would break off the snapmirror relationship, then move the volume / qtree to vfiler0 and re-apply shares / exports, which will allow a cloned environment to mount / share without having to deal with all the host mappings etc.

The main reason for this approach is to allow me to clone then segregate the Active Directory, delete the computer accounts (names) of the real existing filers, then rename vfiler0 to that of the real existing filers, which will allow all exports / mappings to work in a test environment.

1. Is this a good approach?

2. When volumes / qtrees are moved between vfilers, will security (NTFS ACLs / Unix perms) also move? Obviously this is key to the whole approach.

Re: Clone NFS / CIFS environment

That is brute force but sometimes a hammer works. You can use the loopback adapter to snapmirror between vFilers (when on the same controller without needing a network) just by local mirror on vfiler0.. you could also use flexclone on the same controller.. clone a volume in a vfiler and move that clone to any vfiler on the same controller. The permissions will all be intact and match the source whether a mirror or clone.