The customer has two AD domains connected via a bidirectional trust with selective authentication. I will call them the old and the new domain until the end of my mail.
Some of the users are already in the new one and some still reside in the old one.
The users who have already been migrated to the new domain authenticate to objects in the old domain with their SID history (the user in the old domain is still available, but it has been disabled).
Active users in the old domain have already been created in the new domain with status disabled.
// There are users who are in both domains and should also do UNIX, but they are disabled in the new domain, e.g. user AA5052 (it still has to be migrated).
// There are users who are in both domains and should also do UNIX, but they are disabled in the old domain, e.g. user AA5215 (it has been migrated).
NFSv3, NFSv4 and CIFS are in use.
The AD server is used as the LDAP server.
The customer must be able to access the same files from UNIX and Windows.
Both users from the old and the new domain must have access.
CIFS server has been joined to the old domain (security style = NTFS):
+ CIFS access by users from the old and new domains works
+ NFS mount v3 and v4 works
- “ls” gets stuck for users from the new domain
CIFS server has been joined to the new domain (security style = NTFS):
+ NFS and CIFS access works with users from the new domain
- NFS and CIFS access does not work with users from the old domain
You can configure storage virtual machines (SVMs) to perform multidomain name-mapping searches. This enables ONTAP to search every bidirectional trusted domain of the CIFS server's home domain to find a match when performing UNIX user to Windows user name mapping. ONTAP searches the home domain first and then the trusted domains, either all discovered trusted domains or, if a preferred trusted-domain list is configured, only those domains in the listed order. The search across trusted domains only happens when the unix-win name-mapping rule's replacement pattern contains a bare user name; a replacement that includes a domain prefix restricts the lookup to that one domain.
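The following ONTAP clustershell sequence is an added example for the setup described in the mail; it is not from the original mail or from the NetApp documentation. The SVM name svm_nas, the node name node1 and the domain names OLD.EXAMPLE.COM and NEW.EXAMPLE.COM are placeholders for the customer's SVM and its old and new domains; the user names AA5052 and AA5215 are the two examples from the mail. The CIFS server is assumed to be joined to one of the two domains (its home domain); the other domain must show up as a bidirectional trust.

```text
:: Added example, not from the original mail or the ONTAP docs.
:: svm_nas, node1, OLD.EXAMPLE.COM and NEW.EXAMPLE.COM are placeholders.

:: 1. Check that the CIFS server has discovered the trust to the other domain.
::    The home domain is the one the CIFS server is joined to.
cluster1::> vserver cifs domain trusts rediscover -vserver svm_nas
cluster1::> vserver cifs domain trusts show -vserver svm_nas

:: 2. Configure the preferred trusted-domain list for UNIX-to-Windows lookups.
::    The home domain is always searched first; the listed domains follow in this order.
::    Without this list ONTAP searches all discovered trusted domains in discovered order.
cluster1::> vserver cifs domain name-mapping-search add -vserver svm_nas -trusted-domains OLD.EXAMPLE.COM,NEW.EXAMPLE.COM
cluster1::> vserver cifs domain name-mapping-search show -vserver svm_nas

:: 3. The unix-win rule must map to a bare user name. A domain-prefixed replacement
::    such as "OLD\\\1" pins every UNIX user to the old domain and the trusted-domain
::    search is never performed. Bare "\1" lets ONTAP try home domain, then trusted domains.
cluster1::> vserver name-mapping show -vserver svm_nas -direction unix-win
cluster1::> vserver name-mapping create -vserver svm_nas -direction unix-win -position 1 -pattern "(.+)" -replacement "\1"

:: 4. Verify the mapping for one user from each domain (diag privilege). The output
::    shows which domain the UNIX user resolved to and the SID that was found; a user
::    that is disabled in the home domain should resolve via the other domain.
cluster1::> set -privilege diag
cluster1::*> diag secd name-mapping show -node node1 -vserver svm_nas -direction unix-win -name AA5052
cluster1::*> diag secd name-mapping show -node node1 -vserver svm_nas -direction unix-win -name AA5215
cluster1::*> set -privilege admin
```

Step 4 is the check worth doing before touching NFS clients: if "diag secd name-mapping show" already returns the wrong domain or no match for one of the two user populations, the NFS "ls" on NTFS-style volumes will not be able to build that user's Windows credential either, regardless of which domain the CIFS server is joined to.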