ONTAP Discussions
I've been searching for this online and have not come across any issues from other users I'm afraid.
So basically I want to do a name mapping between win to unix. Security style of the volume is unix and I want 2 windows users (win-user1 and win-user2) to be mapped to unix user unix-user. Reading this KB: https://kb.netapp.com/app/answers/answer_view/a_id/1030441 and other explanations I expect my name mapping to look something like this:
vserver name-mapping modify -direction win-unix -position 1 -pattern win-usr1 -replacement unix-user
vserver name-mapping modify -direction win-unix -position 1 -pattern win-usr2 -replacement unix-user
I now access this volume from my windows system over CIFS and create a file.
Now I'm going to the linux machine which has it mounted over NFS and check the permission and what I can see is that it's 'nfsnobody'. I've been googling about it online and found this article of Justin (Thank you Justin as always!): https://whyistheinternetbroken.wordpress.com/2017/01/24/mixed-perceptions-multiprotocol-nas/ and in this article it's perfectly explained that the default unix user which is set for CIFS is, if you don't touch it, set to 'pcuser'. pcuser in this case will write down the file with uid=65534. 65534 in unix is usually either 'nobody' or 'nfsnobody' so this is proof that the name mapping is not working at all.
So I think there's 2 possibilities here:
1. Name-mapping expression is wrong?
> I believe this is the case, since the user is coming from a workgroup and I'm not sure how it's going to try to authenticate
2. everything is running through default user and default user would need to be changed?
> I guess if you have a name-mapping in place this will be overwritten.
3. win/unix user is missing on netapp and/or win/linux side
> user is in place on netapp for ntfs:
cifs users-and-groups local-user show -vserver svmaxt
Vserver User Name Full Name Description
------------ --------------------------- -------------------- -------------
svmx SVMX\Administrator Built-in administrator account
svmx SVMX\win-usr1 - -
svmx SVMX\win-usr2 - -
> user is in place on netapp for unix:
svmx nobody 65535 65535
svmx unix-user 700 700
svmx pcuser 65534 65534
svmx root 0 1
svmx daemon 1
svmx nobody 65535
svmx unix-group 700
svmx pcuser 65534
svmx root 0
Does anyone have any idea how I could further check this? Or know what the regular expression should look like, so that the name-mapping does work?
Thank you!
Axsys
You're close:
vserver name-mapping create -direction win-unix -position 1 -pattern domain\\win-usr1 -replacement unix-user
vserver name-mapping create -direction win-unix -position 2 -pattern domain\\win-usr2 -replacement unix-user
etc.
You need to create a name-mapping - once it is created you can modify it if need be. There are a limited number of name-mapping positions you can create per SVM (2147483647), so you have to specify which position you are using for each mapping.
Thanks for your reply Alexj. I did indeed already create them but somehow the name-mapping didn't work (that's why I posted it with modify) but I think I figured it out why.
So my users are not in a domain, they are in a workgroup and I believe this configuration fixed it for me:
vserver name-mapping create -direction win-unix -position 1 -pattern (.+)\\win-usr1 -replacement unix-user
vserver name-mapping create -direction win-unix -position 2 -pattern (.+)\\win-usr2 -replacement unix-user
It's just awkward because I have transitioned some from 7-mode and they're all non-domain accounts and they don't have this (.+)\\ pattern in front as domain. I believe this is only working because on them I have also set a default-unix user to be a different one and all accounts are just mapping to that one. Not nice but would explain it.
Cheers,
Axsys
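The following is an added example, not part of the original thread and not NetApp code: an offline Python model for checking which win-unix pattern a name like SVMX\win-usr1 hits before files get written as uid 65534. It assumes rules are tried in ascending position, that a pattern must match the whole DOMAIN\user string case-insensitively, and that an unmatched name falls through to a same-name UNIX user and then to the default UNIX user; the function names, rule lists and these semantics are illustrative assumptions, and Python's `re` stands in for the regex engine on the SVM.

```python
import re

# Constructed from the thread: local CIFS users are listed as SVMX\<name>,
# unix-user has uid 700 and the default UNIX user pcuser has uid 65534.
UNIX_UIDS = {"unix-user": 700, "pcuser": 65534}
DEFAULT_UNIX_USER = "pcuser"

def map_win_to_unix(win_name, rules):
    """Return (unix_user, how) for a Windows name such as 'SVMX\\win-usr1'.

    rules: list of (position, pattern, replacement) tuples.
    how:   the matching position, 'implicit', or 'default'.
    Assumption: whole-name, case-insensitive matching in position order.
    """
    for position, pattern, replacement in sorted(rules):
        match = re.fullmatch(pattern, win_name, flags=re.IGNORECASE)
        if match:
            # expand() resolves back-references such as \1 in the replacement
            return match.expand(replacement), position
    # No explicit rule matched: try a UNIX user with the same short name
    short_name = win_name.rsplit("\\", 1)[-1].lower()
    if short_name in UNIX_UIDS:
        return short_name, "implicit"
    return DEFAULT_UNIX_USER, "default"

def resulting_uid(win_name, rules):
    """UID that would own a file created over CIFS by win_name."""
    return UNIX_UIDS[map_win_to_unix(win_name, rules)[0]]

# The CLI's '\\' is one literal backslash, written the same in a raw string.
BARE = [(1, r"win-usr1", "unix-user"), (2, r"win-usr2", "unix-user")]
DOMAIN = [(1, r"domain\\win-usr1", "unix-user"),
          (2, r"domain\\win-usr2", "unix-user")]
WILDCARD = [(1, r"(.+)\\win-usr1", "unix-user"),
            (2, r"(.+)\\win-usr2", "unix-user")]

if __name__ == "__main__":
    for label, rules in (("bare", BARE), ("domain", DOMAIN),
                         ("wildcard", WILDCARD)):
        for name in (r"SVMX\win-usr1", r"SVMX\win-usr2"):
            user, how = map_win_to_unix(name, rules)
            print(f"{label:9} {name:14} -> {user:9} via {how}, "
                  f"uid={resulting_uid(name, rules)}")
```

A result of `default` in this model corresponds to what the thread observed on the NFS client: files owned by 65534 (nobody/nfsnobody), meaning the rule list never matched and every Windows user collapsed onto the same UNIX identity.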