I want to clone an NFS / CIFS environment. Some of the unix qtrees are accessed by windows AD users, I believe the filer is using NIS to map / authenticate the windows accounts into unix accounts.
The NIS environment will also be cloned as will the AD environment. I will be using snapmirror to clone the data volumes onto the new filer, however I am unsure if it is possible to configure the new filer to point at the cloned NIS environment so to allow mapping / authentication to continue as it did in the old environment – If this is possible how is this done?
Also, if using VSM / QSM from the old filer to new will all file system security / permissions also migrate? Or do I need to make sure that the filer is in the correct AD domain / NIS before I replicate the volumes / qtrees
Lastly, what config files do I need to verify on the exiting filer check if NIS is being used? – Also, anything else I should be aware of?
Solved! See The Solution
Permissions/security will migrate. Make sure to join the domain (before or after, but before to test sooner)... then also confirm options nis. settings and options ldap. settings are the same ... then confirm/compare /etc/usermap.cfg , /etc/hosts, /etc/hosts.equiv, /etc/passwd between controllers.
You can use the wcc command to check mapping...it is invaluable. wcc -s windowsusername-or-sid and wcc -u unixusername to see the mapping between users.
Thanks for the input scott.
Do you know if NIS is something you join like AD or is it something you point at? Also, if you just point at NIS does this mean that unix applied perms would still work as expected if you did not use NIS in the cloned environment and instead mapped the relevant windows user > unix user within the local files (on the filers)?
As you can tell I know nothing about NIS etc!
Great - Last question, although an administrative headache, do you think it is feasible to not use NIS in the new environment and instead map each user within local files?
You could.. But need to make passwd and netgroup entries.. Then maintain them locally.. Most don't want to maintain multiple so use ldap or nis for central management.
Typos Sent on Blackberry Wireless
It now seems the filers are members of the windows domain which is good. During this migration the new filers will be given free IPs on the same subnet as the existing filers. Once migration is complete the networks will be separated and the existing IPs of the old filers will be applied to the new. At this point the names of the filers would also be migrated, to do this would I need re run cifs setup and change the filers name? Would this cause an issue with security etc? Can I migrate the names another way with an alias or something? The idea behind the same names is to ensure that shares / exports map without re configuration of the clients etc.
To allow for a testing environment I am thinking of using mulitstore. So I would create a vfiler on the same networks as the existing filers and give them unique names / IPs then configure vfiler0 in an identical fashion to the existing filers, including name , IPs, exports, shares, usermap, hosts etc etc. I would attach the cloned vfiler0 to a segregated network which would also contain a cloned test environment which includes active directory, NIS and relevant hosts etc. Snapmirror would replicate volumes / qtrees to the unique vfiler, to allow for testing I would break off the snapmirror relationship, then move the volume / qtree to vfiler0, re apply shares / exports which will allow a cloned environment to mount / share without having to deal will all the host mappings etc.
The main reason for this approach is to allow me to clone then segregate the active directory, delete the computer accounts (names) of the real existing filers the rename vfiler0 to that of the real existing filers which will allow all exports / mappings to work in a test environment.
1, Is this a good approach ?
2, When volumes / qtrees are moved between vfilers will security (ntfs acls / unix perms) also move? Obviously this is key to the whole approach
That is brute force but sometimes a hammer works You can use the loopback adapter to snapmirror between vFilers (when on the same controller without needing a network) just by local mirror on vfiler0.. you could also use flexclone on the same controller.. clone a volume in a vfiler and move that clone to any vfiler on the same controller. The permissions will all be intact and match the source whether a mirror or clone.
Ok. flexclone looks like the best option for disk space, howerver if I create a flexclone can I maintin the same name as the parent volume in an attempt to keep the same name / path so when I move the flex clone into vfiler0 (the test environment) all links / mount / shares continue to work? Or does the flexclone need a unique name from the parent vol?
If this is not possible we will need more disk space and mirror from the unique vfiler into vfiler0 as this will not break my volume names / paths. In this senario can I mirror from "original source > unique vfiler > vfiler0"?
Ok. So within the first snapmirror relationship (original source > unique vfiler) I give the destination vol a different name, then I can name the flexclone of the destination the same as the original volume then move this into vfiler0 which should maintain the original path names?
NetApp Wins One Silver and One Bronze Stevie® Award in 2022 Stevie Awards for Sales and Customer Service