Unix-to-Windows usermapping with LDAP to Active Directory

upgkeller — Thu, 05 Jun 2025 06:22:03 GMT

Hi everybody

I try to map Unix useraccounts to Windows useraccounts, both in the same Active Directory.

Filer: Ontap 8.1P2

Active Directory: Windows 2008 R2

/etc/usermap.cfg

MY-DOMAIN\testuser == testuser

MY-DOMAIN\* == *

/etc/nsswitch.conf

hosts: files dns nis

passwd: files ldap nis

netgroup: files ldap nis

group: files ldap nis

shadow: files nis

options ldap:

ldap.ADdomain
ldap.base dc=my-domain,dc=local
ldap.base.group dc=my-domain,dc=local
ldap.base.netgroup
ldap.base.passwd dc=my-domain,dc=local
ldap.enable on
ldap.minimum_bind_level simple
ldap.name CN=Administrator,CN=Users,DC=my-domain,DC=local
ldap.nssmap.attribute.gecos name
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup gidNumber
ldap.nssmap.attribute.memberUid uid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple uid
ldap.nssmap.attribute.uid msSFU30Name
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd ******
ldap.port 389
ldap.rfc2307bis.enable on
ldap.servers 192.168.246.67
ldap.servers.preferred
ldap.skip_cn_unescape.enable on
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base dc=my-domain,dc=local
ldap.usermap.enable on
ldap.usermap.windows-to-unix.objectClass user

options wafl:

wafl.default_nt_user
wafl.default_unix_user pcuser
wafl.nt_admin_priv_map_to_root on
wafl.root_only_chown on

wcc -s testuser

(NT - UNIX) account name(s): (MY-DOMAIN\testuser - pcuser)

***************

UNIX uid = 65534

NT membership

MY-DOMAIN\testuser

MY-DOMAIN\Domain Users

BUILTIN\Users

User is also a member of Everyone, Network Users,

Authenticated Users

***************

wcc -u testuser

no passwd entry for testuser

getXXbyYY getpwbyname_r testuser

Could not get passwd entry for name = testuser

Has anyone an idea what could be wrong?

Re: Unix-to-Windows usermapping with LDAP to Active Directory

upgkeller — Tue, 31 Jul 2012 08:19:58 GMT

I could solve the problem.

After installing the Unix Services role on one of the domain controllers, there is a new tab "UNIX Attributes" in the "Active Directory Users and Computers" tool. There I had to fill out all fields like NIS Domain, UID, Login Shell, Home Directory and GID. It's not enough to set the corresponding fields in the "Attribute Editor".

Re: Unix-to-Windows usermapping with LDAP to Active Directory

jeremypage — Thu, 02 Aug 2012 15:08:34 GMT

Be aware that installing SFU also extends your schema. The RFC2307 objects and attributes are already in Windows 2003R2 or later, the only thing SFU gives you is an easy way to edit those attributes.

In addition you probably want to change the following

ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.attribute.homeDirectory unixHomeDirectory
ldap.nssmap.attribute.userPassword unixUserPassword

Finally if you have multiple domains you want to connect on the Global Catalog port (3268 or 3269 with SSL) and to make sure the attributes in your NSS maps are replicated to GCs.

topic Re: Unix-to-Windows usermapping with LDAP to Active Directory in ONTAP Discussions

Unix-to-Windows usermapping with LDAP to Active Directory

Re: Unix-to-Windows usermapping with LDAP to Active Directory

Re: Unix-to-Windows usermapping with LDAP to Active Directory