ONTAP Hardware

Copying local groups between filers

mattmusgrove1
7,585 Views

We have a new FAS2020 and need to migrate all the data from a FAS250 onto it. There are hundreds of local groups on this FAS250 (because originally an old Windows server was migrated to the FAS250 using SecureCopy, which copies all the local groups and shares over as well as the files).

If I SnapMirror to the FAS2020, of course the local groups won't transfer. How can I copy the local groups to the new FAS and keep all my permissions intact? If I were to use SecureCopy (or other product), would the new RIDs on the new FAS2020 be different to those on the FAS250? I don't really understand the role the RIDs play in all this.

Any advice gratefully received.

1 ACCEPTED SOLUTION

mattmusgrove1
7,585 Views

Updating after a few years as I needed to do this again and found my own question.

Yes, you can copy local groups. You need to copy /etc/filersid.cfg and /etc/lclgroups.cfg to your new filer.

cp /etc/lclgroups.cfg /etc/lclgroups.tmp

On NetApp:

useradmin domainuser load /etc/lclgroups.tmp


ekashpureff
7,585 Views

I'm not sure I understand how you would have so many local groups?

There's a distinct difference between local groups/users and domain users/groups.

Local groups for CIFS are defined in the /etc/lclgroups.cfg file.

They can contain domain and local users.

Domain groups are defined in AD.

In most cases Robo or other tools will sync your ACLs for you.

I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

mattmusgrove1
7,585 Views

No, I don't understand why there are so many local groups either! About 700.

Can I copy the /etc/lclgroups.cfg between filers?

aborzenkov
7,584 Views

Most likely not.

A Windows SID is built from (at least) two parts – the computer/domain SID and the RID (Relative ID) that, to put it simply, is just consecutive numbering of objects, e.g. users or groups.

Lclgroups.cfg contains just the RID for each group, but your file ACLs store full SIDs that include the filer SID.

The new filer will most likely get a new SID when you run cifs setup, which means those new groups won't match the ACEs. It is the same as deleting and creating a user with the same name – it is still a different user from Windows' point of view.
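
The SID/RID relationship described above, as an added example that is not part of the original posts. It decodes the binary SID an ACE carries and checks whether it still names a local group when only the RIDs move to a filer with a new SID, versus when the filer SID is kept as well (which is presumably why the accepted solution also copies /etc/filersid.cfg). The SID values, group names and RIDs are constructed, and the RID-to-name dict is an assumption standing in for the group list, not the real format of /etc/lclgroups.cfg.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary Windows SID (as stored in an ACE) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_sid(machine_sid: str, rid: int) -> bytes:
    """Encode machine SID + RID as the full binary SID an ACE would hold."""
    parts = machine_sid.split("-")
    subs = [int(p) for p in parts[3:]] + [rid]
    header = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def resolve(ace_sid: bytes, filer_sid: str, local_groups: dict):
    """Name of the local group the ACE refers to on this filer, or None."""
    head, _, rid = parse_sid(ace_sid).rpartition("-")
    # The RID alone is not enough: the machine part must match too.
    return local_groups.get(int(rid)) if head == filer_sid else None

def migration_report(aces, filer_sid, local_groups):
    """Map each ACE SID to the group it resolves to on the target filer."""
    return {parse_sid(a): resolve(a, filer_sid, local_groups) for a in aces}

# Constructed sample data (not taken from any real filer).
OLD_FILER_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_FILER_SID = "S-1-5-21-1234567890-987654321-1122334455"
LOCAL_GROUPS = {1001: "Finance", 1002: "Engineering"}   # RID -> group name
ACES = [build_sid(OLD_FILER_SID, rid) for rid in LOCAL_GROUPS]

if __name__ == "__main__":
    for label, sid in (("new filer SID", NEW_FILER_SID),
                       ("old filer SID kept", OLD_FILER_SID)):
        print(label)
        for ace, group in migration_report(ACES, sid, LOCAL_GROUPS).items():
            print(f"  {ace} -> {group or 'unresolved (orphaned ACE)'}")
```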

mattmusgrove1
7,584 Views

This is bad news.  So does this mean that I would have to use a tool (like SecureCopy) to migrate from filer to filer in order to preserve the association between the local groups and the ACLs?

aborzenkov
7,584 Views

How would you do it in case of “normal” Windows servers?

mattmusgrove1
7,584 Views

Good point
