Network and Storage Protocols

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

Active Directory users integration

cr_emilio
‎2010-12-17 02:45 AM
7,148 Views

I have joined a netapp filer to a domain. The authentication works, also the NTFS ACLs are set properly and users can access the shares. But I need to provision every user twice: first for the domain and secondly in /etc/passwd from the netapp. Is there a way to avoid that? The authentication and authorization is done using Active Directory but the user needs to appear in /etc/passwd for some reason...

0 Kudos
View By:
1 ACCEPTED SOLUTION

aborzenkov
‎2010-12-20 03:04 AM
In response to cr_emilio
7,148 Views

Does it happen for this particular qtree only or for any qtree with NTFS security?

NetApp always performs NT-to-Unix user mapping, even for access to NTFS qtree from Windows client. If mapping fails, access is denied. Check, that

- usermap.cfg does not deny access by listing empty Unix user name, like

\ => ""

Any NT user which maps to empty Unix user in this way will be denied access

- you have non empty wafl.default_unix_user. Default is pcuser that is normally available in /etc/passwd

View solution in original post

0 Kudos
8 REPLIES 8

rkaramchedu1
‎2010-12-17 04:05 AM
7,148 Views

I don't think so - is this a multiprotocol filer or an NTFS filer?

Check out /etc/usermap.cfg and its related man pages

0 Kudos

cr_emilio
‎2010-12-17 04:08 AM
In response to rkaramchedu1
7,148 Views

It is multiprotocol. I am serving both NFS and CIFs. But this qtree in particular is NTFS only. It only works if I add the user to the passwd file. It doesn't matter the password since it uses the one in AD.

0 Kudos

rkaramchedu1
‎2010-12-17 06:22 AM
In response to cr_emilio
7,148 Views

That does not seem right. It appears that the filer is configured to do local user authentication.

Can you turn on cifs.trace_login and see what the error is? AFAIK, if you do Windows AD authentication, you do not need any /etc/passwd entries.

http://media.netapp.com/documents/wp_3014.pdf

0 Kudos

aborzenkov
‎2010-12-18 07:42 AM
7,148 Views

What exactly do you mean under "user needs to appear in /etc/passwd"? What does not work if user is not entered there?

0 Kudos

cr_emilio
‎2010-12-20 02:41 AM
In response to aborzenkov
7,148 Views

If I dont add the entry in /etc/passwd users cannot connect at all. Authentication fails. If I add them authentication works with the AD password and everything seems to be fine.

0 Kudos

aborzenkov
‎2010-12-20 03:04 AM
In response to cr_emilio
7,149 Views

Does it happen for this particular qtree only or for any qtree with NTFS security?

NetApp always performs NT-to-Unix user mapping, even for access to NTFS qtree from Windows client. If mapping fails, access is denied. Check, that

- usermap.cfg does not deny access by listing empty Unix user name, like

\ => ""

Any NT user which maps to empty Unix user in this way will be denied access

- you have non empty wafl.default_unix_user. Default is pcuser that is normally available in /etc/passwd

0 Kudos

cr_emilio
‎2010-12-20 09:06 AM
In response to aborzenkov
7,148 Views

Finally I made it work. It was wafl.default_unix_user which was empty so users with no mapping just mapped to anything and it didn't work. Now I can use new users without problems and they follow the access rules in the NTFS domain!!!

I will let you also know that you solved an issue NetApp support wasn't able to solve and want to say that the support from netapp in this matter has been worse than awfull.

Thanks a lot.

0 Kudos

lovik_netapp
‎2010-12-20 06:12 AM
7,148 Views

how you are supplying the username to filer?

did you try "AD domain\AD username" format?

0 Kudos
All Community Forums
Public