Understanding Multiprotocol Usermapping for ONTAP NAS
Oliver Krause
v20140318
Agenda
What is User Mapping about?
Some Definitions
CIFS
Hi, I am IT's fileserver. I store the documents of Fred and protect them from unauthorized access by enforcing the permissions Bob set on them.
CIFS
NFS
I already manage permission rights to Fred's documents for Windows. Why should I manage the permissions again for UNIX?
Everything is fine, leave Bob and Fred alone.
Some Definitions
Name-mapping of Username (access to data with UNIX security style): the username is mapped to a UNIX username, e.g. johnd, and its UID / GID are looked up. If the UNIX user is not found, access is denied.
Permission denied: BURT 751845. Workaround: create local users/groups.
Name-mapping of Username (access to data with NTFS security style): the username is mapped to a Windows username, e.g. EXAMPLE\johnd, which is looked up at AD. If found, its SID is used to access the data; if not found, access is denied.
2009 NetApp. All rights reserved.
Name-mapping of Username
Use vserver name-mapping to map UNIX <-> Windows users.
If you specify no rule, ONTAP automatically maps a Windows username to the same UNIX username.
Vserver name-mapping can be configured independently for UNIX2WIN and WIN2UNIX, using regular expressions.
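The mapping behaviour described above, written up as an added Python simulation (not ONTAP code and not from the slides): rules are tried in position order per direction, the first full match wins, and without a match the implicit same-name default applies. The rule set, the UNIX user table and the AD lookup are constructed stand-ins, and regex semantics are simplified to Python's `re` module.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class NameMappingRule:
    """One vserver name-mapping rule: direction, anchored regex pattern, replacement."""
    direction: str      # "win-unix" or "unix-win"
    pattern: str        # full-match regex; the domain backslash is written as "\\"
    replacement: str    # may reference capture groups as \1, \2, ...


@dataclass
class Vserver:
    rules: List[NameMappingRule]             # evaluated in position order
    unix_users: Set[str]                     # constructed stand-in for 'vserver services unix-user'
    ad_users: Set[str]                       # constructed stand-in for an AD lookup
    default_unix_user: Optional[str] = None  # e.g. "pcuser"; None means no default user


def map_name(vs: Vserver, direction: str, name: str) -> str:
    """First rule in the given direction whose pattern matches the whole name wins.
    With no matching rule the implicit default applies: a Windows name maps to the
    same UNIX username (domain stripped), a UNIX name to the same Windows name."""
    for rule in vs.rules:
        if rule.direction != direction:
            continue
        match = re.fullmatch(rule.pattern, name)
        if match:
            return match.expand(rule.replacement)
    if direction == "win-unix":
        return name.split("\\", 1)[-1]
    return name


def resolve_unix_identity(vs: Vserver, windows_name: str) -> Optional[str]:
    """Windows client on UNIX-security-style data: map the name, then look it up as
    a UNIX user. Not found -> fall back to the default UNIX user, or deny (None)."""
    candidate = map_name(vs, "win-unix", windows_name)
    if candidate in vs.unix_users:
        return candidate
    return vs.default_unix_user


def resolve_windows_identity(vs: Vserver, unix_name: str) -> Optional[str]:
    """UNIX client on NTFS-security-style data: map the name, then resolve it in AD.
    Not found in AD -> access denied (None)."""
    candidate = map_name(vs, "unix-win", unix_name)
    return candidate if candidate in vs.ad_users else None
```

With `default_unix_user` left at `None`, an unknown Windows user is denied, which is the "Not found -> Access denied" path from the flow above; setting it to `pcuser` gives the low-privilege fallback the best practices recommend.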
Best Practices
Never use security style mixed: it is a permission nightmare, because the last permission change wins. Hard to maintain and debug.
Set default users with the lowest possible privileges (UNIX: pcuser, Windows: guest).
Set the qtree security style to match the NAS protocol primarily used to access the data.
The users and groups pcuser, nobody, root and daemon are created since 8.2. Check them with vserver services unix-user / unix-group!
Top Links
Thank You!
Q&A