Clone NFS / CIFS environment

nsitps1976

I want to clone an NFS / CIFS environment. Some of the unix qtrees are accessed by windows AD users, I believe the filer is using NIS to map / authenticate the windows accounts into unix accounts.

The NIS environment will also be cloned, as will the AD environment. I will be using snapmirror to clone the data volumes onto the new filer; however, I am unsure if it is possible to configure the new filer to point at the cloned NIS environment so as to allow mapping / authentication to continue as it did in the old environment – if this is possible, how is this done?

Also, if using VSM / QSM from the old filer to the new, will all file system security / permissions also migrate? Or do I need to make sure that the filer is in the correct AD domain / NIS before I replicate the volumes / qtrees?

Lastly, what config files do I need to verify on the existing filer to check if NIS is being used? – Also, anything else I should be aware of?

1 ACCEPTED SOLUTION

scottgelb

No join.. Match all nis settings and check config files.. Nsswitch.conf, passwd, etc and compare and match source controller.

Typos Sent on Blackberry Wireless

scottgelb

Permissions/security will migrate. Make sure to join the domain (before or after, but before to test sooner)... then also confirm options nis. settings and options ldap. settings are the same ... then confirm/compare /etc/usermap.cfg , /etc/hosts, /etc/hosts.equiv, /etc/passwd between controllers. 

You can use the wcc command to check mapping... it is invaluable. wcc -s windowsusername-or-sid and wcc -u unixusername to see the mapping between users.
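The controller-to-controller file comparison suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes the three files have already been copied off each controller as text; the function names and all file contents are constructed for illustration.

```python
def _lines(text):
    """Yield non-empty lines with '#' comments and extra whitespace removed."""
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if line:
            yield line

def parse_passwd(text):
    """Map username -> (uid, gid); a UID change re-assigns UNIX file ownership."""
    return {f[0]: (f[2], f[3])
            for f in (ln.split(":") for ln in _lines(text)) if len(f) >= 4}

def parse_nsswitch(text):
    """Map database -> ordered tuple of lookup sources (files, nis, ldap, ...)."""
    return {db.strip(): tuple(srcs.split())
            for db, _, srcs in (ln.partition(":") for ln in _lines(text))}

def diff_maps(name, src, dst):
    """List keys that are missing, extra or different on the destination."""
    out = []
    for key in sorted(set(src) | set(dst)):
        if key not in dst:
            out.append(f"{name}: {key} missing on destination")
        elif key not in src:
            out.append(f"{name}: {key} only on destination")
        elif src[key] != dst[key]:
            out.append(f"{name}: {key} differs {src[key]} -> {dst[key]}")
    return out

def compare_controllers(src, dst):
    """src/dst: dict of path -> file text captured from each controller."""
    p, n, u = "/etc/passwd", "/etc/nsswitch.conf", "/etc/usermap.cfg"
    out = diff_maps("passwd", parse_passwd(src[p]), parse_passwd(dst[p]))
    out += diff_maps("nsswitch", parse_nsswitch(src[n]), parse_nsswitch(dst[n]))
    # usermap.cfg rules are compared as an ordered list, not as a set
    if list(_lines(src[u])) != list(_lines(dst[u])):
        out.append("usermap.cfg: rules differ or are ordered differently")
    return out

# Constructed sample contents, not taken from any real controller
SOURCE = {
    "/etc/passwd": "root:x:0:1::/:\njsmith:x:1001:100::/home/jsmith:\n",
    "/etc/nsswitch.conf": "passwd: files nis\nnetgroup: files nis\n",
    "/etc/usermap.cfg": "# constructed mapping\nEXAMPLE\\jsmith == jsmith\n",
}
DEST = {**SOURCE,
    "/etc/passwd": "root:x:0:1::/:\njsmith:x:1002:100::/home/jsmith:\n",
    "/etc/nsswitch.conf": "passwd: files\nnetgroup: files nis\n",
}
print(*compare_controllers(SOURCE, DEST), sep="\n")
```

A UID that differs between the two passwd files is the finding to chase first, since replicated files keep their numeric owner and would then resolve to a different account on the clone.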

nsitps1976

Thanks for the input scott.

Do you know if NIS is something you join like AD or is it something you point at? Also, if you just point at NIS does this mean that unix applied perms would still work as expected if you did not use NIS in the cloned environment and instead mapped the relevant windows user > unix user within the local files (on the filers)?

As you can tell I know nothing about NIS etc!

scottgelb

No join.. Match all nis settings and check config files.. Nsswitch.conf, passwd, etc and compare and match source controller.

Typos Sent on Blackberry Wireless

nsitps1976

Great - Last question, although an administrative headache, do you think it is feasible to not use NIS in the new environment and instead map each user within local files?

scottgelb

You could.. But need to make passwd and netgroup entries.. Then maintain them locally.. Most don't want to maintain multiple so use ldap or nis for central management.

Typos Sent on Blackberry Wireless

nsitps1976

Hi Scott

It now seems the filers are members of the windows domain, which is good. During this migration the new filers will be given free IPs on the same subnet as the existing filers. Once migration is complete the networks will be separated and the existing IPs of the old filers will be applied to the new. At this point the names of the filers would also be migrated; to do this, would I need to re-run cifs setup and change the filer's name? Would this cause an issue with security etc? Can I migrate the names another way, with an alias or something? The idea behind the same names is to ensure that shares / exports map without reconfiguration of the clients etc.

scottgelb

You could setup netbios aliasing in ontap.. But I'd rerun setup if down already which is the case.. Security on files won't change.

Typos Sent on Blackberry Wireless

nsitps1976

To allow for a testing environment I am thinking of using MultiStore. So I would create a vfiler on the same networks as the existing filers and give them unique names / IPs, then configure vfiler0 in an identical fashion to the existing filers, including name, IPs, exports, shares, usermap, hosts etc. I would attach the cloned vfiler0 to a segregated network which would also contain a cloned test environment which includes active directory, NIS and relevant hosts etc. Snapmirror would replicate volumes / qtrees to the unique vfiler; to allow for testing I would break off the snapmirror relationship, then move the volume / qtree to vfiler0 and re-apply shares / exports, which will allow a cloned environment to mount / share without having to deal with all the host mappings etc.

The main reason for this approach is to allow me to clone then segregate the active directory, delete the computer accounts (names) of the real existing filers, then rename vfiler0 to that of the real existing filers, which will allow all exports / mappings to work in a test environment.

1, Is this a good approach?

2, When volumes / qtrees are moved between vfilers will security (ntfs acls / unix perms) also move? Obviously this is key to the whole approach.

scottgelb

That is brute force but sometimes a hammer works. You can use the loopback adapter to snapmirror between vFilers (when on the same controller without needing a network) just by local mirror on vfiler0.. you could also use flexclone on the same controller.. clone a volume in a vfiler and move that clone to any vfiler on the same controller. The permissions will all be intact and match the source whether a mirror or clone.

nsitps1976

Ok. Flexclone looks like the best option for disk space; however, if I create a flexclone can I maintain the same name as the parent volume in an attempt to keep the same name / path, so when I move the flexclone into vfiler0 (the test environment) all links / mounts / shares continue to work? Or does the flexclone need a unique name from the parent vol?

If this is not possible we will need more disk space and mirror from the unique vfiler into vfiler0, as this will not break my volume names / paths. In this scenario can I mirror from "original source > unique vfiler > vfiler0"?

scottgelb

All volnames must be unique on a controller. Regardless if vfilers.

Typos Sent on Blackberry Wireless

nsitps1976

Ok. So within the first snapmirror relationship (original source > unique vfiler) I give the destination vol a different name, then I can name the flexclone of the destination the same as the original volume then move this into vfiler0 which should maintain the original path names?

scottgelb

That would work. For vfiler migrate-dr and data motion the target has to be the same volnames too..

Typos Sent on Blackberry Wireless

nsitps1976

Great, thanks. I may do some reading on vfiler migrate-dr to see if this could be of use....
