ONTAP Discussions
Hi folks,
We are migrating from our 7-Mode system to our ONTAP system. We had issues before on the 7-Mode with name-mapping for Windows/UNIX users, via LDAP (AD). Eventually we got it working and that is all great.
Now on the new ONTAP system I'm setting up LDAP and name-mapping again. The Windows-To-Unix name resolution seems to be working BUT only showing the user's PRIMARY Group, rather than ALL the UNIX enabled groups they are part of.
The Unix-To-Windows name resolution does not seem to be working at all, mapping any user to the default Windows user set up on the system.
What settings do you want from me to help resolve this issue? AD Schema? 🙂
Cheers!
Did you check the ONTAP Documentation about this?
Your current User Mapping configuration, LDAP Configuration and NSSwitch configuration would be helpful.
vserver name-mapping show
vserver services name-service ns-switch show
vserver services ldap client show
Hi moep,
Much appreciated for the reply. 🙂
I have read that and various other documentation provided by NetApp and beyond - I'm thinking it's most likely the schema to blame as it was last time... here are the details you requested:
nasw::*> vserver name-mapping show

Vserver:   NAS01w
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: necnz\\(.+)
                                          Replacement: \1

Vserver:   NAS01w
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: (.+)
                                          Replacement: necnz\\1
2 entries were displayed.
nasw::*> vserver services name-service ns-switch show

                               Source
Vserver         Database       Order
--------------- ------------   ---------
NAS01w          hosts          files, dns
NAS01w          group          files, ldap, nis
NAS01w          passwd         files, ldap, nis
NAS01w          netgroup       files, ldap, nis
NAS01w          namemap        files, ldap
VIRT01w         hosts          files, dns
VIRT01w         group          files
VIRT01w         passwd         files
VIRT01w         netgroup       files
VIRT01w         namemap        files
nasw            hosts          files, dns
nasw            group          files
nasw            passwd         files
13 entries were displayed.
nasw::*> vserver services ldap client show

        Client        LDAP            Active Directory                   Minimum
Vserver Configuration Servers         Domain            Schema           Bind Level
------- ------------- --------------- ----------------- ---------------- ----------
nasw    NECNZ         -               necnz.internal    AD-UNIX-Cluster  simple
CURRENT SCHEMA BEING USED:
nasw::*> vserver services ldap client schema show -schema AD-UNIX-Cluster

Vserver: NAS01w
Schema Template: AD-UNIX-Cluster
Comment:
RFC 2307 posixAccount Object Class: User
RFC 2307 posixGroup Object Class: Group
RFC 2307 nisNetgroup Object Class: nisNetGroup
RFC 2307 uid Attribute: sAMAccountName
RFC 2307 uidNumber Attribute: uidNumber
RFC 2307 gidNumber Attribute: gidNumber
RFC 2307 cn (for Groups) Attribute: cn
RFC 2307 cn (for Netgroups) Attribute: cn
RFC 2307 userPassword Attribute: userPassword
RFC 2307 gecos Attribute: gecos
RFC 2307 homeDirectory Attribute: unixHomeDirectory
RFC 2307 loginShell Attribute: loginShell
RFC 2307 memberUid Attribute: memberUid
RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup
RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
Enable Support for Draft RFC 2307bis: false
RFC 2307bis groupOfUniqueNames Object Class: Group
RFC 2307bis uniqueMember Attribute: Member
Data ONTAP Name Mapping windowsToUnix Object Class: posixAccount
Data ONTAP Name Mapping windowsAccount Attribute: sAMAccountName
Data ONTAP Name Mapping windowsToUnix Attribute: sAMAccountName
No Domain Prefix for windowsToUnix Name Mapping: false
Vserver Owns Schema: false
Maximum groups supported when RFC 2307bis enabled: 256
RFC 2307 nisObject Object Class: nisObject
RFC 2307 nisMapName Attribute: nisMapName
RFC 2307 nisMapEntry Attribute: nisMapEntry
Cheers!
Update!
So after enabling the following in the AD Schema:
Enable Support for Draft RFC 2307bis: true
The UNIX Groups are working now! 🙂
But - the WIN -> UNIX mapping is still displaying the DEFAULT Windows account to use, rather than the ACTUAL Windows account in AD....
Name Mapping config issue?
Cheers!
Configuration looks good. Maybe you need to put the domain in upper case.
What works in my environment with multiple domains is the following:
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: (.+)\\(.+)
                                          Replacement: \2
I've fixed it! 🙂
You were close there, but the Windows to UNIX mapping was working fine; it was the reverse. Then I thought about all these \'s and what they resolved to, I added an extra one and HEY PRESTO:
nasw::*> vserver name-mapping show

Vserver:   NAS01w
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: necnz\\(.+)
                                          Replacement: \1

Vserver:   NAS01w
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: (.+)
                                          Replacement: NECNZ\\\1
2 entries were displayed.
See the unix-win mapping above - the extra slash sorted it out. 🙂
Happy days!
Thanks for your help, moep - got my spark plugs working there. 🙂
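Why the extra backslash in the unix-win replacement matters, as an added example that is not part of the original thread and not NetApp code. It assumes the replacement is read the way the thread's outcome suggests (`\\` is one literal backslash, `\N` is capture group N) and that a pattern must match the whole name; the function names and the sample user `jsmith` are constructed for illustration.

```python
import re

def tokens(replacement):
    # Walk the replacement left to right, consuming escapes in pairs.
    # Assumed semantics: '\\' -> one literal backslash, '\N' -> capture group N.
    i = 0
    while i < len(replacement):
        ch = replacement[i]
        nxt = replacement[i + 1] if i + 1 < len(replacement) else ""
        if ch == "\\" and nxt == "\\":
            yield ("lit", "\\")
            i += 2
        elif ch == "\\" and nxt.isdigit():
            yield ("ref", int(nxt))
            i += 2
        else:
            yield ("lit", ch)
            i += 1

def map_name(rules, name):
    # First matching rule wins; None means no rule matched.
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name)
        if m:
            return "".join(m.group(v) if kind == "ref" else v
                           for kind, v in tokens(replacement))
    return None

def uses_capture(replacement):
    # Lint check: a replacement with no surviving backreference maps every
    # input name to the same constant string.
    return any(kind == "ref" for kind, _ in tokens(replacement))

# The two unix-win rules from the thread, exactly as typed (raw strings).
BROKEN = [(r"(.+)", r"necnz\\1")]
FIXED = [(r"(.+)", r"NECNZ\\\1")]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", map_name(rules, "jsmith"),
              "| uses capture:", uses_capture(rules[0][1]))
```

With the original rule every UNIX name becomes the constant string `necnz\1`, which is not a real Windows account, consistent with every user ending up on the default Windows user. Running `uses_capture` over each configured replacement is a quick way to catch a rule that silently collapses all identities into one.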