Network and Storage Protocols

NT to UNIX user mapping - one to many.


I have an NFS Share on NETAPP, mounted on a Solaris box, The filer share has also enabled for CIFS so that Windows PCs can access. Where I have issues is, I need to get one NT account to map to multiple unix accounts.

I can get a one to one mapping working no problem by adding the DOMAIN\user => unixUser in the /etc/usermap.cfg file on DATA ONTAP. What I need is the NT user to map to multiple shares owned by separate unix users. So That when the NT user maps to these different shares they have the relevant permissions on that share.

For example; What i need is the following...

DOMAIN\User1 => Unix1

DOMAIN\User1 => Unix2

DOMAIN\User1 => Unix3

Is this possible, to change the user mapping dependent on the share accessed. can anyone offer any solutions?

Thanks for your help!



I have this exact same question about one of our 7-mode implementations.  In cluster-mode, you might "work around" this issue by locating the shares on different vservers, which essentially makes them again 1:1 mappings.  Generally that's less than ideal since a vserver requires some setup work, and its own IP, etc.


I would say that isn't possible.  This suggests that it is, but the links from there don't mention it, nor did I see anything in the docs.

I'm assuming you want the CIFS users to have write access to the shares?

You can add the windows user to the group that owns the shared directories, and turn on group write permissions, and possibly set the "group sticky bit" so that all subsequent files are group-writeable.  This is how I've always accomplished this.



Thanks for the replies, yes my aim is to have the CIFS users read / write to the share. Bill, thanks for the info and link, however it appears that it doesn't quite match my requirement, it suggests a many to one mapping both ways rather than one to many. The only workaround I have been able to think of, that will suit my environment, is creating a windows domain account to match the relevant Unix accounts and set up the mapping as that user...

Domain\UnixUser1 => Unix1

Domain\UnixUser2 => Unix2

Domain\UnixUser3 => Unix3

This will work, however is not ideal for the users as they will be required to know the username and password for the mock Domain\UnixUser account and map as another user rather than straight in through their own domain accounts. I can obviously set the unix "other" permissions to allow them to read / write to the shares, but without the appropriate mapping this will result in nobody:nobody file ownership in unix which is not ideal.

Thanks for your help guys.