Network and Storage Protocols

Active Directory users integration

cr_emilio

I have joined a NetApp filer to a domain. The authentication works, the NTFS ACLs are also set properly and users can access the shares. But I need to provision every user twice: first for the domain and secondly in /etc/passwd on the NetApp. Is there a way to avoid that? The authentication and authorization is done using Active Directory, but the user needs to appear in /etc/passwd for some reason...


8 REPLIES

rkaramchedu1

I don't think so - is this a multiprotocol filer or an NTFS filer?

Check out /etc/usermap.cfg and its related man pages.

cr_emilio

It is multiprotocol. I am serving both NFS and CIFS. But this qtree in particular is NTFS only. It only works if I add the user to the passwd file. The password doesn't matter, since it uses the one in AD.

rkaramchedu1

That does not seem right. It appears that the filer is configured to do local user authentication.

Can you turn on cifs.trace_login and see what the error is? AFAIK, if you do Windows AD authentication, you do not need any /etc/passwd entries.

http://media.netapp.com/documents/wp_3014.pdf

aborzenkov

What exactly do you mean by "user needs to appear in /etc/passwd"? What does not work if the user is not entered there?

cr_emilio

If I don't add the entry in /etc/passwd, users cannot connect at all. Authentication fails. If I add them, authentication works with the AD password and everything seems to be fine.

aborzenkov

Does it happen for this particular qtree only or for any qtree with NTFS security?

NetApp always performs NT-to-Unix user mapping, even for access to an NTFS qtree from a Windows client. If mapping fails, access is denied. Check that:

- usermap.cfg does not deny access by listing an empty Unix user name, like

\ => ""

Any NT user which maps to an empty Unix user in this way will be denied access.

- you have a non-empty wafl.default_unix_user. The default is pcuser, which is normally available in /etc/passwd.
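
As an added illustration (not code from the thread or from NetApp), the following models the mapping order aborzenkov describes: a usermap.cfg rule first, then a same-name /etc/passwd entry, then wafl.default_unix_user, with an empty result meaning access is denied. The usermap.cfg excerpt, the passwd entries and the exact precedence are assumptions for this example; confirm them against the documentation for your Data ONTAP release.

```python
import re

# Constructed sample inputs (not from the thread): a usermap.cfg excerpt
# and an /etc/passwd excerpt. An empty quoted Unix name denies the NT user.
USERMAP_CFG = """
# NT user => Unix user
CORP\\svc_backup => ""
CORP\\jdoe == jdoe
*\\guest => nobody
"""
PASSWD = """
root:x:0:0::/:/bin/sh
pcuser:x:65534:65534::/:/sbin/nologin
jdoe:x:1001:100::/home/jdoe:/bin/sh
nobody:x:65535:65535::/:/sbin/nologin
"""

def parse_usermap(text):
    """Return [(domain, ntuser, unixuser)] for NT->Unix rules ('=>' or '==')."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(?:(\S+)\\)?(\S+)\s*(=>|==|<=)\s*(?:"(.*)"|(\S+))$', line)
        if not m or m.group(3) == "<=":
            continue  # blank, comment, or a Unix->NT-only rule
        dom, nt, _, quoted, bare = m.groups()
        unix = quoted if quoted is not None else bare
        rules.append(((dom or "*").lower(), nt.lower(), unix))
    return rules

def passwd_users(text):
    """Set of login names present in a passwd-format text."""
    return {l.split(":")[0] for l in text.splitlines() if l.strip()}

def map_nt_user(domain, ntuser, rules, passwd, default_unix_user):
    """Resolve DOMAIN\\ntuser to a Unix user, or None if access would be denied.
    Assumed order: first matching usermap rule, then same-name passwd entry,
    then wafl.default_unix_user. Any mapped name must exist in passwd."""
    domain, ntuser = domain.lower(), ntuser.lower()
    for dom, nt, unix in rules:
        if dom in ("*", domain) and nt in ("*", ntuser):
            return unix if unix and unix in passwd else None  # "" denies
    if ntuser in passwd:
        return ntuser
    if default_unix_user and default_unix_user in passwd:
        return default_unix_user
    return None  # empty wafl.default_unix_user: the situation in this thread
```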

cr_emilio

Finally I made it work. It was wafl.default_unix_user, which was empty, so users with no mapping just mapped to anything and it didn't work. Now I can use new users without problems and they follow the access rules in the NTFS domain!!!

I will also let you know that you solved an issue NetApp support wasn't able to solve, and want to say that the support from NetApp in this matter has been worse than awful.

Thanks a lot.

lovik_netapp

How are you supplying the username to the filer?

Did you try the "AD domain\AD username" format?
