ONTAP Discussions

Unix-to-Windows usermapping with LDAP to Active Directory

upgkeller

Hi everybody

I am trying to map Unix user accounts to Windows user accounts, both in the same Active Directory.

Filer: Ontap 8.1P2

Active Directory: Windows 2008 R2

/etc/usermap.cfg

MY-DOMAIN\testuser == testuser
MY-DOMAIN\* == *

/etc/nsswitch.conf

hosts: files dns nis
passwd: files ldap nis
netgroup: files ldap nis
group: files ldap nis
shadow: files nis

options ldap:

  • ldap.ADdomain
  • ldap.base                    dc=my-domain,dc=local
  • ldap.base.group              dc=my-domain,dc=local
  • ldap.base.netgroup
  • ldap.base.passwd             dc=my-domain,dc=local
  • ldap.enable                  on
  • ldap.minimum_bind_level      simple
  • ldap.name                    CN=Administrator,CN=Users,DC=my-domain,DC=local
  • ldap.nssmap.attribute.gecos  name
  • ldap.nssmap.attribute.gidNumber gidNumber
  • ldap.nssmap.attribute.groupname cn
  • ldap.nssmap.attribute.homeDirectory homeDirectory
  • ldap.nssmap.attribute.loginShell loginShell
  • ldap.nssmap.attribute.memberNisNetgroup gidNumber
  • ldap.nssmap.attribute.memberUid uid
  • ldap.nssmap.attribute.netgroupname cn
  • ldap.nssmap.attribute.nisNetgroupTriple uid
  • ldap.nssmap.attribute.uid    msSFU30Name
  • ldap.nssmap.attribute.uidNumber uidNumber
  • ldap.nssmap.attribute.userPassword userPassword
  • ldap.nssmap.objectClass.nisNetgroup nisNetgroup
  • ldap.nssmap.objectClass.posixAccount User
  • ldap.nssmap.objectClass.posixGroup Group
  • ldap.passwd                  ******
  • ldap.port                    389
  • ldap.rfc2307bis.enable       on
  • ldap.servers                 192.168.246.67
  • ldap.servers.preferred
  • ldap.skip_cn_unescape.enable on
  • ldap.ssl.enable              off
  • ldap.timeout                 20
  • ldap.usermap.attribute.unixaccount sAMAccountName
  • ldap.usermap.attribute.windowsaccount sAMAccountName
  • ldap.usermap.base            dc=my-domain,dc=local
  • ldap.usermap.enable          on
  • ldap.usermap.windows-to-unix.objectClass user

options wafl:

  • wafl.default_nt_user
  • wafl.default_unix_user       pcuser
  • wafl.nt_admin_priv_map_to_root on
  • wafl.root_only_chown         on

wcc -s testuser

(NT - UNIX) account name(s):  (MY-DOMAIN\testuser - pcuser)
        ***************
        UNIX uid = 65534
        NT membership
                MY-DOMAIN\testuser
                MY-DOMAIN\Domain Users
                BUILTIN\Users
        User is also a member of Everyone, Network Users,
        Authenticated Users
        ***************

wcc -u testuser

no passwd entry for testuser

getXXbyYY getpwbyname_r testuser

Could not get passwd entry for name = testuser

Does anyone have an idea what could be wrong?

2 REPLIES

upgkeller

I was able to solve the problem.

After installing the Unix Services role on one of the domain controllers, there is a new tab "UNIX Attributes" in the "Active Directory Users and Computers" tool. There I had to fill out all fields like NIS Domain, UID, Login Shell, Home Directory and GID. It's not enough to set the corresponding fields in the "Attribute Editor".

jeremypage

Be aware that installing SFU also extends your schema. The RFC2307 objects and attributes are already in Windows 2003 R2 or later; the only thing SFU gives you is an easy way to edit those attributes.

In addition, you probably want to change the following:

  • ldap.nssmap.attribute.homeDirectory homeDirectory
  • ldap.nssmap.attribute.userPassword userPassword

to

  • ldap.nssmap.attribute.homeDirectory unixHomeDirectory
  • ldap.nssmap.attribute.userPassword unixUserPassword

Finally, if you have multiple domains, you want to connect on the Global Catalog port (3268, or 3269 with SSL) and make sure the attributes in your NSS maps are replicated to the GCs.
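The following Python script is an added example, not code from the thread or from NetApp. It simulates how the filer's ldap.nssmap.attribute.* options turn an AD user object into a passwd entry, so it shows why the posted configuration yields "no passwd entry for testuser" until the RFC2307 attributes (msSFU30Name, uidNumber, gidNumber, ...) are populated, and why jeremypage's unixHomeDirectory change matters (the Windows homeDirectory attribute holds a UNC profile path, not a Unix home). It also lints the bind settings from the posted options. The AD entries, the DEFAULTS table, the lint rules and the function names are all assumptions constructed for this example.

```python
"""Simulate the ONTAP 7-Mode ldap.nssmap lookup behind "no passwd entry for
testuser", and lint the LDAP bind settings from the posted options.
Added example, not NetApp code: the AD entries, DEFAULTS and lint rules
are constructed assumptions."""

# ldap.nssmap.attribute.* values exactly as posted (POSIX field -> AD attribute)
NSSMAP_ORIGINAL = {
    "objectClass.posixAccount": "User",
    "uid": "msSFU30Name",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "name",
    "homeDirectory": "homeDirectory",
    "loginShell": "loginShell",
}

# The same map with jeremypage's suggested change applied.
NSSMAP_FIXED = dict(NSSMAP_ORIGINAL, homeDirectory="unixHomeDirectory")

# Constructed AD object for testuser before the "UNIX Attributes" tab was
# filled out: only ordinary Windows attributes exist, and homeDirectory is
# the Windows profile share, not a Unix path.
ENTRY_BEFORE = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["testuser"],
    "name": ["Test User"],
    "homeDirectory": ["\\\\fileserver\\testuser"],
}

# Constructed AD object after the RFC2307 attributes were populated.
ENTRY_AFTER = dict(ENTRY_BEFORE, **{
    "msSFU30Name": ["testuser"],
    "uidNumber": ["10001"],
    "gidNumber": ["10000"],
    "unixHomeDirectory": ["/home/testuser"],
    "loginShell": ["/bin/bash"],
})

# Without these three fields no passwd entry can be formed at all.
REQUIRED = ("uid", "uidNumber", "gidNumber")
# Assumed fill-ins for optional fields (not ONTAP's documented defaults).
DEFAULTS = {"gecos": "", "homeDirectory": "/", "loginShell": "/bin/sh"}


def build_passwd_entry(entry, nssmap):
    """Return (passwd_line, missing) for one AD entry.

    passwd_line is None when the entry lacks the mapped objectClass or a
    required attribute; missing lists every POSIX field that could not be
    read, together with the AD attribute it was mapped to."""
    wanted_class = nssmap["objectClass.posixAccount"].lower()
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if wanted_class not in classes:
        return None, ["objectClass " + nssmap["objectClass.posixAccount"]]

    fields, missing = {}, []
    for posix_field in ("uid", "uidNumber", "gidNumber",
                        "gecos", "homeDirectory", "loginShell"):
        ad_attr = nssmap[posix_field]
        values = entry.get(ad_attr)
        if values:
            fields[posix_field] = values[0]
        else:
            missing.append(f"{posix_field} (AD attribute {ad_attr})")
            if posix_field in DEFAULTS:
                fields[posix_field] = DEFAULTS[posix_field]

    if any(field not in fields for field in REQUIRED):
        return None, missing
    line = "{uid}:*:{uidNumber}:{gidNumber}:{gecos}:{homeDirectory}:{loginShell}"
    return line.format(**fields), missing


# Subset of the posted "options ldap" values that govern the bind.
LDAP_OPTIONS = {
    "ldap.ssl.enable": "off",
    "ldap.minimum_bind_level": "simple",
    "ldap.name": "CN=Administrator,CN=Users,DC=my-domain,DC=local",
    "ldap.port": "389",
}


def lint_bind_options(options):
    """Flag bind settings a reviewer would question (rules are this example's own)."""
    findings = []
    if (options.get("ldap.ssl.enable") == "off"
            and options.get("ldap.minimum_bind_level") == "simple"):
        findings.append("simple bind with ldap.ssl.enable off: ldap.passwd is sent "
                        "in cleartext on port " + options.get("ldap.port", "389"))
    if options.get("ldap.name", "").lower().startswith("cn=administrator,"):
        findings.append("ldap.name is the domain Administrator; a dedicated "
                        "read-only bind account is enough for NSS lookups")
    return findings


if __name__ == "__main__":
    for label, entry, nssmap in (("before", ENTRY_BEFORE, NSSMAP_ORIGINAL),
                                 ("after, posted map", ENTRY_AFTER, NSSMAP_ORIGINAL),
                                 ("after, fixed map", ENTRY_AFTER, NSSMAP_FIXED)):
        line, missing = build_passwd_entry(entry, nssmap)
        print(f"{label}: {line or 'no passwd entry'}; missing={missing}")
    for finding in lint_bind_options(LDAP_OPTIONS):
        print("warning:", finding)
```

Running it prints "no passwd entry" for the entry without UNIX attributes, a passwd line whose home field is the UNC path when the posted homeDirectory mapping is used against the populated entry, and a clean Unix entry with the unixHomeDirectory mapping; the two lint warnings cover the cleartext simple bind on port 389 and the use of the domain Administrator as the bind identity.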
