
vserver name-mapping (win-unix) not working (unix security style)

I've been searching for this online and have not come across any issues from other users I'm afraid.

So basically I want to do a name mapping from win to unix. The security style of the volume is unix and I want 2 Windows users (win-user1 and win-user2) to be mapped to the unix user unix-user. Reading this KB: https://kb.netapp.com/app/answers/answer_view/a_id/1030441 and other explanations, I expect my name mapping to look something like this:

 

vserver name-mapping modify -direction win-unix -position 1 -pattern win-usr1 -replacement unix-user

vserver name-mapping modify -direction win-unix -position 1 -pattern win-usr2 -replacement unix-user

 

I now access from my Windows system over CIFS to this volume and create a file.

Now I'm going to the Linux machine which has it mounted over NFS to check the permissions, and what I can see is that the owner is 'nfsnobody'. I've been googling about it online and found this article by Justin (thank you Justin, as always!): https://whyistheinternetbroken.wordpress.com/2017/01/24/mixed-perceptions-multiprotocol-nas/ and in this article it's perfectly explained that the default unix user which is set for CIFS is, if you don't touch it, set to 'pcuser'. pcuser in this case will write the file with uid=65534. 65534 in unix is usually either 'nobody' or 'nfsnobody', so this is proof that the name mapping is not working at all.

 

So I think there's 2 possibilities here:

1. Name-mapping expression is wrong?

 

> I believe this is the case, since the user is coming from a workgroup and I'm not sure how it's going to try to authenticate

 

2. everything is running through default user and default user would need to be changed?

 

> I guess if you have a name-mapping in place this will be overwritten.

 

3. win/unix user is missing on netapp and/or win/linux side

 

> user is in place on netapp for ntfs:
cifs users-and-groups local-user show -vserver svmaxt
Vserver      User Name                   Full Name            Description
------------ --------------------------- -------------------- -------------
svmx       SVMX\Administrator                             Built-in administrator account
svmx       SVMX\win-usr1             -                    -
svmx       SVMX\win-usr2        -                    -

> user is in place on netapp for unix:
svmx         nobody          65535  65535
svmx         unix-user          700    700
svmx         pcuser          65534  65534
svmx         root            0      1

svmx         daemon              1
svmx         nobody              65535
svmx         unix-group            700
svmx         pcuser              65534
svmx         root                0

Anyone has any idea how I could further check this? Or knows how the regular expression should look, so that the name-mapping does work?

 

Thank you!

Axsys

Re: vserver name-mapping (win-unix) not working (unix security style)

You're close:

 

vserver name-mapping create -direction win-unix -position 1 -pattern domain\\win-usr1 -replacement unix-user

vserver name-mapping create -direction win-unix -position 2 -pattern domain\\win-usr2 -replacement unix-user

etc.

 

You need to create a name-mapping - once it is created you can modify it if need be. There are a limited number of name-mapping positions you can create per SVM (2147483647), so you have to specify which position you are using for each mapping.

Re: vserver name-mapping (win-unix) not working (unix security style)

Thanks for your reply Alexj. I did indeed already create them but somehow the name-mapping didn't work (that's why I posted it with modify), but I think I figured out why.

So my users are not in a domain, they are in a workgroup and I believe this configuration fixed it for me:

 

vserver name-mapping create -direction win-unix -position 1 -pattern (.+)\\win-usr1 -replacement unix-user

vserver name-mapping create -direction win-unix -position 2 -pattern (.+)\\win-usr2 -replacement unix-user

 

It's just awkward because I have transitioned some from 7-mode and they're all non-domain accounts and they don't have this (.+)\\ pattern in front as domain. I believe this is only working because on them I have also set a default-unix user to be a different one and all accounts are just mapping to that one. Not nice but would explain it.

 

Cheers,

Axsys
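
Added example, not part of the thread and not NetApp's code: a simplified Python model of ordered win-unix name mapping that replays the three pattern styles posted above against the local-user names from the listing. It assumes a pattern must match the whole DOMAIN\user string, case-insensitively, with fallback to the default user; the PINNED rule set and the OTHERHOST name are constructed here to show that `(.+)\\` accepts any prefix.

```python
import re

DEFAULT_UNIX_USER = "pcuser"  # default CIFS unix user named in the thread (uid 65534)

def map_win_to_unix(win_name, rules, default=DEFAULT_UNIX_USER):
    # rules: list of (position, pattern, replacement); lowest position is tried first.
    # Assumption: the pattern has to match the entire name, ignoring case.
    for _position, pattern, replacement in sorted(rules):
        match = re.fullmatch(pattern, win_name, flags=re.IGNORECASE)
        if match:
            return match.expand(replacement)  # supports \1-style backreferences
    return default  # no rule matched: the file ends up owned by the default user

# Patterns as typed in the posts; \\ is one literal backslash in the regex.
BARE = [(1, r"win-usr1", "unix-user")]
LITERAL_DOMAIN = [(1, r"domain\\win-usr1", "unix-user"),
                  (2, r"domain\\win-usr2", "unix-user")]
ANY_DOMAIN = [(1, r"(.+)\\win-usr1", "unix-user"),
              (2, r"(.+)\\win-usr2", "unix-user")]
# Constructed variant: pin the prefix to the CIFS server name from the listing.
PINNED = [(1, r"SVMX\\win-usr1", "unix-user"),
          (2, r"SVMX\\win-usr2", "unix-user")]

# Local users as shown by "cifs users-and-groups local-user show", plus one
# constructed name with a different prefix.
NAMES = [r"SVMX\win-usr1", r"SVMX\win-usr2", r"OTHERHOST\win-usr1"]

def compare_rule_sets():
    # Returns {rule set label: {windows name: mapped unix user}}.
    sets = {"bare": BARE, "literal-domain": LITERAL_DOMAIN,
            "any-domain": ANY_DOMAIN, "pinned": PINNED}
    return {label: {n: map_win_to_unix(n, rules) for n in NAMES}
            for label, rules in sets.items()}

if __name__ == "__main__":
    for label, result in compare_rule_sets().items():
        for name, unix_user in result.items():
            print(f"{label:15} {name:20} -> {unix_user}")
```

Under this model only the any-domain and pinned rule sets map the two SVMX users to unix-user, and only the pinned set leaves a same-named account from another prefix on the default user.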