Network and Storage Protocols
Hello friends,
I am a newbie to NetApp. I am using the simulator running on ONTAP 7.3. I have set up CIFS integrated with Active Directory using Kerberos authentication. I have shared some qtrees, of which some are in UNIX mode and some in mixed mode.
I have created a qtree (named 'qtree2', and it is shared) and have given permission only to the Active Directory user AD\grant2. I have set the qtree security style to 'mixed'. I don't have any issues logging in from a Windows XP box and accessing the share. I also have a separate Linux box running Red Hat 5 where I got 'Permission Denied'. I tried to log in with the same name 'grant2' and the same password. This user is a local user of the Linux box, and this Linux box is not a part of the Active Directory domain. I tried to access the share (qtree2). I turned on options cifs.trace_login to debug the issue. When I tried to log in as a local Linux user (grant2) to the storage box it gave me the following error.
[auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Error in passwd look up of uid 502 during login from 192.168.20.100.
where 192.168.20.100 is the IP address of the Red Hat box.
UID 502 is grant2 (local user of the Red Hat box).
I believe that if the usernames don't match what the storage box knows, we need to insert an entry in usermap.cfg. In my case the user in the Active Directory domain and the local user in the Linux box are the same (including username and password). Despite this, I inserted an entry in usermap.cfg. The entry is as follows:
AD\"#grant2" <= grant2
And in another case, if the qtree (qtree1) is set to the ntfs security style and I try to log in from a Linux box, it shows the following error.
Sat Aug 27 12:31:00 IST [cifs.umap.cfgFile.quotaWarn:warning]: CIFS: The /etc/usermap.cfg file has been reloaded. If any mapping definitions were changed, it could affect disk space usage values in the quota database. Turn quotas off and then on to recompute disk space usage.
Sat Aug 27 12:31:00 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Lookup of account "AD\root" failed: STATUS_NONE_MAPPED (0xc0000073).
Sat Aug 27 12:31:13 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Error in passwd look up of uid 503 during login from 172.19.84.100.
Sat Aug 27 12:32:48 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Error in passwd look up of uid 503 during login from 172.19.84.100.
where 192.168.20.100 is the IP address of the Red Hat box.
UID 503 is grant1 (local user of the Red Hat box).
And my qtree and CIFS share information are as follows.
storage> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** priv access only **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** priv access only **
Public       /vol/vol1
                        everyone / Full Control
qtree2       /vol/vol1/qtree2
                        AD\grant2 / Full Control
qtree1       /vol/vol1/qtree1
                        AD\grant1 / Full Control
storage> qtree
qtree: This command is deprecated; using qtree status.
Volume   Tree     Style Oplocks  Status
-------- -------- ----- -------- ---------
vol1     qtree1   ntfs  enabled  normal
vol1     qtree2   mixed enabled  normal
Still nothing in my favour. Kindly let me know where I am wrong. Thanks in advance.
Regards
Fizeen.
Do not use mixed security unless you are completely sure you understand how it works. It almost never does what people naively assume it to.
Look at http://www.netapp.com/us/library/technical-reports/tr-3490.html for a description of how multi-protocol data access works in NetApp. In short - you need to configure user mapping, and the users you map to have to be known on NetApp using local files (/etc/passwd), LDAP, NIS or whatever methods you have.
Hello Aborzenkov,
The document was very helpful. I was able to see the mappings using the 'wcc' command for mapping from a Unix box to Windows NT. I tried to list the mappings for the users grant2 and root on the storage console. Also, the document tells me that if the mapping is done in the usermap.cfg file we are good to go.
> wcc -s root (didn't show me anything). But when I added the below entry in the usermap.cfg file,
grant1 <= root # Map UNIX root user to AD\grant1.
and the output of wcc showed
(NT - UNIX) account name(s): (AD\grant1 - root)
***************
UNIX uid = 0
user is a member of group daemon (1)
user is a member of group daemon (1)
NT membership
AD\grant1
AD\Allowed
AD\Domain Users
BUILTIN\Administrators
BUILTIN\Users
User is also a member of Everyone, Network Users,
Authenticated Users
***************
I was able to log in with the root account to my mixed security tree qtree2.
Just confirmed with this output:
Sat Aug 27 18:12:28 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Located account "AD\grant1" in domain "AD"..
But still guest2, the Linux local user, doesn't work out, and it still shows me the error.
Usermap.cfg
-------------------
grant1 <= root
grant2 <= grant2 // left one is the AD\grant2 user and right one is the Linux user, which is not in LDAP or the local /etc/passwd of the storage system.
storage> wcc -s grant2
Sat Aug 27 18:14:24 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Error in passwd look up of uid 502 during login from 172.19.84.100.
Sat Aug 27 18:14:45 IST [cifs.umap.cfgFile.quotaWarn:warning]: CIFS: The /etc/usermap.cfg file has been reloaded. If any mapping definitions were changed, it could affect disk space usage values in the quota database. Turn quotas off and then on to recompute disk space usage.
Sat Aug 27 18:14:45 IST [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: grant2 not found in passwd database during login from 0.0.0.0.
I have a question here. Does the storage system not care about the user accounts in a workgroup system (a system that is not a part of AD, or doesn't have a user account in the storage system's /etc/passwd file, NIS or LDAP)? It only takes user accounts which are part of LDAP, local /etc/passwd or NIS. The reason I am asking is that NetApp was able to get me the UID of the user for which it is showing the error. The puzzle is how it is not able to map this Linux UID to another known user which it is able to resolve.
My question may be silly, but please shed some light on this. Thanks.
Regards,
Fizeen
The Unix UID is part of the NFS request. To check access, NetApp has to map this UID to a Windows SID. To do that, it must associate the Unix UID with a Unix user name first before it can even begin with usermap.cfg (mapping goes UID => Unix name => Windows name => SID). This association is missing in your case.
root is usually present in /etc/passwd by default; that is why it works.
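To make the chain described above concrete, here is an added toy model (not code from the thread or from NetApp) of the UID => Unix name => Windows name => SID resolution, fed with a constructed /etc/passwd, a constructed usermap.cfg in the same format the thread uses, and a constructed stand-in for the domain controller's SID lookup. The direction operators (`<=`, `=>`, `==`), the "same name in the default domain" fallback, and the domain name AD are assumptions made for the illustration; the point it shows is that a UID absent from the filer's passwd source (502 here) breaks the chain before usermap.cfg is ever consulted, while root (uid 0) resolves.

```python
"""Toy model of the Data ONTAP multiprotocol identity chain (added example).
Chain: UID -> UNIX name (passwd/NIS/LDAP) -> Windows name (usermap.cfg) -> SID.
All data below is constructed sample data, not taken from a real system.
"""
import re

# Constructed /etc/passwd as the filer sees it: root is present by default;
# the Linux box's local user grant2 (uid 502) is deliberately NOT here.
PASSWD = """\
root:x:0:1:Operator:/:/bin/sh
pcuser:x:65534:65534::/:
ldap1:x:1001:100:LDAP test user:/home/ldap1:/bin/sh
"""

# Constructed usermap.cfg. Assumed operator meanings (simplified):
#   '<=' maps UNIX -> Windows only, '=>' Windows -> UNIX only, '==' both ways.
# A '#' starts a comment; a Windows name without a domain gets the default one.
USERMAP = """\
grant1 <= root        # Map UNIX root user to AD\\grant1.
AD\\grant2 <= grant2
ldap1 == ldap1
"""

# Constructed stand-in for the LSA (domain controller) name -> SID lookup.
SIDS = {
    "AD\\grant1": "S-1-5-21-1111-2222-3333-1105",
    "AD\\grant2": "S-1-5-21-1111-2222-3333-1106",
    "AD\\ldap1": "S-1-5-21-1111-2222-3333-1107",
}
DEFAULT_DOMAIN = "AD"  # assumed default domain for unqualified names


def uid_to_unix_name(uid, passwd=PASSWD):
    """Step 1: passwd lookup. None corresponds to 'Error in passwd look up of uid N'."""
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None


def parse_usermap(text=USERMAP):
    """Parse usermap.cfg lines into (windows_name, operator, unix_name) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+)\s*(<=|=>|==)\s*(\S+)$", line)
        if not m:
            raise ValueError("bad usermap line: %r" % raw)
        win, op, unix = m.groups()
        if "\\" not in win:
            win = DEFAULT_DOMAIN + "\\" + win
        rules.append((win, op, unix))
    return rules


def unix_to_windows(unix_name, rules):
    """Step 2: first UNIX->Windows rule wins; otherwise assume same name in the default domain."""
    for win, op, unix in rules:
        if op in ("<=", "==") and unix == unix_name:
            return win
    return DEFAULT_DOMAIN + "\\" + unix_name


def resolve(uid, passwd=PASSWD, usermap=USERMAP, sids=SIDS):
    """Run the whole chain; a None in the tuple marks where it broke."""
    unix_name = uid_to_unix_name(uid, passwd)
    if unix_name is None:
        return (None, None, None)          # never reaches usermap.cfg
    win_name = unix_to_windows(unix_name, parse_usermap(usermap))
    return (unix_name, win_name, sids.get(win_name))


if __name__ == "__main__":
    for uid in (0, 502, 1001):
        print(uid, resolve(uid))
```

Running it prints a full tuple for uid 0 and uid 1001 and `(None, None, None)` for uid 502: the usermap.cfg entry for grant2 is correct but irrelevant, because the filer never learns which UNIX name uid 502 belongs to. Adding grant2 with uid 502 to the filer's passwd source (local file, NIS or LDAP) is what completes the first hop.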
Thanks a lot Aborzenkov. I shall go ahead with configuring OpenLDAP and be back. And the UID => UNIX => Windows => SID: here I am at the first part, UID ==> UNIX. Is there any way I can match the UID from a remote system to a UNIX user of NetApp? I believe I have made the entry for UNIX => Windows in the usermap.cfg file, and Windows => SID is already set (I checked with cifs lookup AD\grant2). Thanks.
Regards,
Fizeen
Is there any way I can match the UID from a remote system to a UNIX user of NetApp?
If this is a question - yes, of course. You mentioned LDAP yourself.
Hello Aborzenkov,
I had set up an LDAP server on a SUSE server and tried integrating it with the NetApp simulator. Below are the settings I have made:
netapp> options ldap.
ldap.ADdomain
ldap.base dc=storage,dc=internal
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 389
ldap.servers suse.storage.internal
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base
ldap.usermap.enable on
I have enabled the ssh service on the filer.
When I try to log in from a Linux host to the filer using an LDAP account, the below error message shows up on the NetApp console:
wed sep 28 15:41:05 IST [sshd_0:info: Failed password for ldap1 from 192.168.1.100 port 48765ssh2
And on the Linux host it shows:
ssh ldap1@192.168.1.101
ldap1@192.168.1.101's password:
Permission denied, please try again.
ldap1@192.168.1.101's password:
I checked logging in from the Linux host to the SUSE OpenLDAP server and was able to log in with the LDAP account (ldap1). I
Is there a way I can list the users or check for an LDAP user from NetApp, like the cifs lookup command?
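For reference, this is an added, constructed LDIF fragment (not from the thread, the SUSE server or NetApp) showing the shape of a posixAccount entry that the ldap.nssmap.* settings listed above would look up: the objectClass and attribute names match those option values, and the base DN matches ldap.base. The password hash is a placeholder.

```ldif
# Constructed example entry under the configured ldap.base (dc=storage,dc=internal).
# Attribute names match the filer's ldap.nssmap.attribute.* options listed above.
dn: uid=ldap1,ou=People,dc=storage,dc=internal
objectClass: top
objectClass: account
objectClass: posixAccount
uid: ldap1
cn: LDAP test user
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldap1
loginShell: /bin/bash
gecos: LDAP test user
# Placeholder hash; a real entry carries the hash the LDAP server stores.
userPassword: {SSHA}PLACEHOLDER-HASH

# Constructed primary group, matching ldap.nssmap.objectClass.posixGroup.
dn: cn=users,ou=Group,dc=storage,dc=internal
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: ldap1
```

With ldap.minimum_bind_level set to anonymous, as in the options above, the filer can only read what the directory exposes to an anonymous bind; an entry whose userPassword attribute is missing, or hidden from anonymous readers by the server's access rules, would look to the filer like a user with no password even though an ssh login to the SUSE box itself (which may verify the password by binding as the user) still succeeds. That is an assumption about the filer's behaviour drawn from the ldap.nssmap.attribute.userPassword option, not something stated in the thread.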
And is the Linux host also using LDAP for user lookup and authentication?
Yes. I am able to log in to the SUSE (LDAP server) from the Linux host.
# ssh ldap1@suse.storage.internal
ldap1@suse.storage.internal's password:
It takes me to the home directory created for ldap1 user.
And you are sure passwords are kept in LDAP and not in local files? Do you see passwords when dumping LDAP content? Does LDAP attribute where passwords are stored match what is defined on NetApp?