
Cluster-Mode
Understanding Multiprotocol Usermapping for ONTAP NAS
Oliver Krause
v20140318

For NetApp internal and authorized partners use only

Agenda
What is User Mapping about?

Some Definitions

Using Name Services

2009 NetApp. All rights reserved.


What is User Mapping about?

Fred (the user): "Hi, I am Fred the User. I use a Windows PC to access my files on IT's fileserver." (Fred uses CIFS.)
Bob (IT): "Hi, I am Bob from IT. I manage Fred's access rights to our IT infrastructure, like the fileserver data."
The fileserver: "Hi, I am IT's fileserver. I store the documents of Fred and protect them from unauthorized access by enforcing the permissions Bob set on them."

What is User Mapping about?

Fred: "Sometimes I need to use a UNIX system and want to access my documents on the fileserver." (Fred now uses CIFS and NFS.)
The security auditor: "Hi, I am the security auditor here. I require that access to Fred's files is protected equally, no matter how the files are accessed."
Bob: "I already manage permission rights to Fred's documents for Windows. Why should I manage the permissions again for UNIX?"

What is User Mapping about?

ONTAP: "Don't worry folks, I am here to help!
Bob, simply tell me Fred's usernames for Windows and UNIX. I do the rest.
Fred, you can use Windows or UNIX on your files.
Everything is fine, leave Bob and Fred alone."

What is User Mapping about?

ONTAP enforces access permissions by checking the access rights stored with each file against the identity of the accessing user.
ONTAP uses User Mapping to match the Windows identity of a user with his UNIX identity.

Some Definitions


What is a Windows User?

Windows identifies users by a Security Identifier (SID).
CIFS sends the SID to identify the user making a request.
SIDs are stored in Active Directory.
From Wikipedia, a SID has the following format: S-1-5-12-7623811015-3361044348-030300820-1013
  S      The string is a SID.
  1      The revision level.
  5      The identifier authority value.
  12-7623811015-3361044348-030300820      Domain or local computer identifier.
  1013   A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
Caveat: treat the digits above as illustrative only. Each sub-authority of a real SID is a 32-bit value (7623811015 does not fit), and domain SIDs issued by Active Directory start with S-1-5-21.
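The SID layout above, as an added Python example (not part of the NetApp deck): it parses the string form, enforces the limits a real SID must satisfy (revision 1, a 48-bit identifier authority, 1 to 15 sub-authorities of 32 bits each), splits off the domain identifier and the RID, names a few well-known SIDs and domain RIDs, and round-trips the binary form that travels on the wire. All sample SIDs in the block are constructed; the slide's own sample carries the sub-authority 7623811015, which exceeds 32 bits, so a strict parser rejects it, as the block shows.

```python
"""Parse, validate and encode Windows Security Identifiers (SIDs).

Added example, not from the NetApp slides.  All sample SIDs below are
constructed for illustration; the well-known values follow MS-DTYP.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# String form: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# RIDs every domain has from the start; accounts created later get RID >= 1000.
WELL_KNOWN_DOMAIN_RIDS: Dict[int, str] = {500: "Administrator", 501: "Guest",
                                           512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __post_init__(self) -> None:
        """Enforce the MS-DTYP limits so garbage never reaches an ACL check."""
        if self.revision != 1:
            raise ValueError("unsupported SID revision %d" % self.revision)
        if not 0 <= self.authority < (1 << 48):       # identifier authority is 48 bits wide
            raise ValueError("identifier authority does not fit in 48 bits")
        if not 1 <= len(self.subauthorities) <= 15:  # SID_MAX_SUB_AUTHORITIES
            raise ValueError("a SID carries between 1 and 15 sub-authorities")
        for sub in self.subauthorities:
            if not 0 <= sub <= 0xFFFFFFFF:           # each sub-authority is a uint32
                raise ValueError("sub-authority %d does not fit in 32 bits" % sub)

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = _SID_RE.match(text)
        if not m:
            raise ValueError("not a SID string: %r" % text)
        subs = tuple(int(part) for part in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    @property
    def rid(self) -> int:
        """Relative ID: the last sub-authority, unique within the issuing domain."""
        return self.subauthorities[-1]

    @property
    def domain(self) -> "Sid":
        """The SID minus its RID, i.e. the domain or local computer identifier."""
        if len(self.subauthorities) < 2:
            raise ValueError("%s has no domain component" % self)
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def is_default_principal(self) -> bool:
        """Per the slide: principals created by default have RID < 1000."""
        return self.rid < 1000

    def describe(self) -> str:
        """Name well-known SIDs and well-known RIDs inside domain SIDs (S-1-5-21-...)."""
        if str(self) in WELL_KNOWN_SIDS:
            return WELL_KNOWN_SIDS[str(self)]
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return WELL_KNOWN_DOMAIN_RIDS.get(self.rid, "domain principal with RID %d" % self.rid)
        return "unknown"

    def to_bytes(self) -> bytes:
        """Wire form: revision, sub-authority count, 48-bit big-endian authority,
        then each sub-authority as a little-endian uint32."""
        head = bytes([self.revision, len(self.subauthorities)]) + self.authority.to_bytes(6, "big")
        return head + b"".join(struct.pack("<I", s) for s in self.subauthorities)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        if len(data) < 8:
            raise ValueError("binary SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("binary SID length does not match its sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        return cls(revision, authority, struct.unpack("<%dI" % count, data[8:]))


def summarize(text: str) -> Dict[str, object]:
    """Everything a mapping engineer wants to know about one SID string."""
    sid = Sid.parse(text)
    return {"sid": str(sid), "domain": str(sid.domain), "rid": sid.rid,
            "default_principal": sid.is_default_principal(), "name": sid.describe()}


if __name__ == "__main__":
    # Constructed sample: a domain user with RID 1013, like the slide's example.
    print(summarize("S-1-5-21-1004336348-1177238915-682003330-1013"))
    try:  # the slide's sample SID: sub-authority 7623811015 exceeds 32 bits
        Sid.parse("S-1-5-12-7623811015-3361044348-030300820-1013")
    except ValueError as err:
        print("rejected:", err)
```

The binary layout is what a CIFS server sees inside an NTFS ACL or a security token, so the same validation belongs in front of any code that stores or compares SIDs.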

What is a UNIX User?

A UNIX user is identified by a user ID (UID) and one or more group IDs (GIDs).
NFSv2/v3 send UID/GIDs to identify the user; NFSv4/v4.1 represent the file owner and owner group as Unicode strings (see the next slide).
Historically stored in /etc/passwd:
  root::0:1::/:
  pcuser::65534:65534::/:
  nobody::65535:65535::/:
  okrause:x:500:100:Oliver Krause, SE:/home/okrause:/bin/bash
  username:pw:uid:gid:GECOS:homedir:shell

ONTAP only uses the fields highlighted in red on the original slide (username, UID and GID).
Additional group memberships are stored in /etc/group.

Scratch: NFSv4/4.1 owner & owner_group

NFSv4/v4.1 send user names and group names (the owner and owner_group attributes) as Unicode strings of the form user@domain.
RFC 3530bis (published as RFC 7530) allows sending UID/GIDs as numeric decimal strings instead, if RPCSEC_GSS is not used.
ONTAP setting: set diag; vserver nfs modify -vserver <vsm> -v4-numeric-ids enabled (enabled by default)
Client:
  Linux: the nfs module parameter nfs4_disable_idmapping defaults to sending numeric IDs if no GSS is used. Check it with:
  cat /sys/module/nfs/parameters/nfs4_disable_idmapping

Qtree Security Styles

ONTAP uses security styles to define which kind of permissions is enforced for a file:
  UNIX    Standard UNIX permission bits and NFSv4 ACLs are used.
  NTFS    Standard NTFS ACLs are used.
  Mixed   Either UNIX permissions or NTFS ACLs are set, decided per file (whichever was set last is the effective one).
Security styles can be set on volumes or qtrees.

How User Mapping Works


How Does ONTAP User Mapping Work?

Every file or directory has only one active permission set (PermSet).
  The active PermSet type is controlled by the qtree security style.
  Every PermSet contains either an NTFS Access Control List (ACL) or UNIX permissions (owner + mode bits + optional NFSv4 ACL).
Depending on the access protocol (NFS or CIFS) we have to distinguish 4 different cases:
  1. NFS client accessing a file with a UNIX PermSet
  2. NFS client accessing a file with an NTFS PermSet
  3. CIFS client accessing a file with a UNIX PermSet
  4. CIFS client accessing a file with an NTFS PermSet

CIFS Client Accessing a UNIX PermSet

1. The CIFS call carries the user's SID, e.g. S-1-5-12-7623811015-…
2. Look up the username in Active Directory -> Windows username, e.g. EXAMPLE\jdoe
3. Name-mapping of the username -> UNIX username, e.g. johnd
4. Look up the user in the name service (local, NIS, LDAP):
   Found      -> UID / GID -> access to data with UNIX security style
   Not found  -> use the default user (vserver cifs options modify -vserver <vsm> -default-unix-user <user>; default: pcuser)
5. Look up the default user in the name service:
   Found      -> UID / GID -> access to data with UNIX security style
   Not found  -> access denied

NFS Client Accessing an NTFS PermSet

1. The NFS call carries UID + GIDs, e.g. UID=501, GID=20
2. Look up the user in the name service (local, NIS, LDAP):
   Found      -> UNIX username, e.g. johnd
   Not found  -> permission denied (BURT 751845; workaround: create local users/groups)
3. Name-mapping of the username -> Windows username, e.g. EXAMPLE\johnd
4. Look up the username in Active Directory:
   Found      -> SID -> access to data with NTFS security style
   Not found  -> use the default user (vserver nfs modify -vserver <vsm> -default-win-user <user>; no default is set)
5. Look up the default user in Active Directory:
   Found      -> SID -> access to data with NTFS security style
   Not found  -> access denied

NFS Client Accessing an NTFS PermSet

An NTFS ACL is too complex to be mapped visually onto the simple mode-bit scheme.
ONTAP reports 777 if asked for the permissions, but in reality the NTFS ACL is enforced by ONTAP.
So the permissions seen on UNIX are misleading.
chmod and chown will fail.

Scratch: NFS Client Accessing an NTFS PermSet

set diag; vserver nfs modify -vserver ok-nas -ntfs-unix-security-ops <fail|ignore|use_export_policy>
  fail: permission denied on chown/chmod
  ignore: ignores chmod/chown but returns success
  use_export_policy: take the behaviour from the export-policy rule:
    export-policy rule modify -vserver <vsm> -policyname <policyname> -ruleindex <x> -ntfs-unix-security-ops <fail|ignore>

Common Question: POSIX ACLs

Some customers used UNIX systems with draft-POSIX ACLs to build fileservers.
Their clients use NFSv3 but need better ACLs than mode bits.
There are two ways to move them to ONTAP:
  1. Use a UNIX qtree. Use NFSv4 ACLs and an NFSv4 client to manage the ACLs.
  2. Use an NTFS qtree. Use a Windows client to manage the NTFS ACLs.
No matter which ACL model you use, ONTAP enforces the ACL independent of the access protocol (NFSv2/3/4 or CIFS).

Name-Mapping of Usernames

Use vserver name-mapping to map UNIX <-> Windows users.
If no rule matches, ONTAP automatically maps a Windows username to the same UNIX username (and vice versa).
Vserver name-mapping rules can be defined independently for the UNIX-to-Windows and Windows-to-UNIX directions, using regular expressions (a pattern and a replacement per rule, evaluated in position order).
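The two flowcharts (CIFS client on a UNIX PermSet, NFS client on an NTFS PermSet), the /etc/passwd fields ONTAP needs and the regex name-mapping rules above, as one added Python model (not NetApp code). Active Directory, the UNIX name service and the rules are constructed tables; every SID, name and ID in them is made up. Rules are Python regular expressions evaluated in order with the first match winning, which mirrors name-mapping positions but is not the exact ONTAP rule syntax, and the assumption that an unmatched UNIX name becomes DOMAIN\name on its way to Windows is this example's, not something the slides state.

```python
"""Simulate ONTAP user mapping for the two cross-protocol cases on the slides
(CIFS client on UNIX-style data, NFS client on NTFS-style data).
Added example, not NetApp code: AD, name service and rules are constructed in-line."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class AccessDenied(Exception):
    """Where the slide's flowchart ends in 'Access denied'."""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """passwd(5) lines -> {username: (uid, primary gid)}, the fields ONTAP needs."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            if len(f) < 4:
                raise ValueError("malformed passwd entry: %r" % line)
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


@dataclass
class NameMapper:
    """Ordered (pattern, replacement) regex rules per direction, first match wins,
    like 'vserver name-mapping' positions.  No match: same bare username; prepending
    the CIFS domain for unix->win is this example's assumption."""
    domain: str
    win_unix: List[Tuple[str, str]] = field(default_factory=list)
    unix_win: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def _apply(rules, name: str, flags: int) -> Optional[str]:
        for pattern, replacement in rules:
            m = re.fullmatch(pattern, name, flags)
            if m:
                return m.expand(replacement)
        return None

    def to_unix(self, win_name: str) -> str:
        mapped = self._apply(self.win_unix, win_name, re.IGNORECASE)  # Windows names: case-insensitive
        return mapped if mapped is not None else win_name.split("\\", 1)[-1]

    def to_windows(self, unix_name: str) -> str:
        mapped = self._apply(self.unix_win, unix_name, 0)            # UNIX names: case-sensitive
        return mapped if mapped is not None else "%s\\%s" % (self.domain, unix_name)


@dataclass
class Directory:
    """Stand-in for Active Directory (SID -> DOMAIN\\user) and the UNIX name service."""
    ad: Dict[str, str]
    passwd: Dict[str, Tuple[int, int]]

    def name_to_sid(self, win_name: str) -> Optional[str]:
        return next((s for s, n in self.ad.items() if n.lower() == win_name.lower()), None)

    def uid_to_name(self, uid: int) -> Optional[str]:
        return next((n for n, (u, _) in self.passwd.items() if u == uid), None)


def cifs_on_unix_data(sid: str, d: Directory, m: NameMapper, default_unix_user: str = "pcuser"):
    """Slide case 3: SID -> AD name -> name-mapping -> name service -> (uid, gid, unix name)."""
    win_name = d.ad.get(sid)
    if win_name is None:
        raise AccessDenied("SID %s unknown to Active Directory" % sid)
    unix_name = m.to_unix(win_name)
    if unix_name not in d.passwd:
        unix_name = default_unix_user      # -default-unix-user fallback
        if unix_name not in d.passwd:      # missing pcuser: the secd.nfsAuth.noUnixCreds case
            raise AccessDenied("neither mapped user nor default UNIX user %r exists" % default_unix_user)
    return d.passwd[unix_name] + (unix_name,)


def nfs_on_ntfs_data(uid: int, d: Directory, m: NameMapper, default_win_user: str = ""):
    """Slide case 2: UID -> name service -> name-mapping -> AD -> (sid, windows name)."""
    unix_name = d.uid_to_name(uid)
    if unix_name is None:
        raise AccessDenied("UID %d not found in any name service" % uid)  # 'Permission denied' branch
    win_name = m.to_windows(unix_name)
    sid = d.name_to_sid(win_name)
    if sid is None:
        if not default_win_user:           # -default-win-user is empty unless set
            raise AccessDenied("%s not in AD and no default Windows user set" % win_name)
        win_name, sid = default_win_user, d.name_to_sid(default_win_user)
        if sid is None:
            raise AccessDenied("default Windows user %r not in AD" % default_win_user)
    return sid, win_name


# Constructed test data (all SIDs, names and IDs are made up).
SAMPLE_PASSWD = """\
root::0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
johnd:x:501:20:John Doe:/home/johnd:/bin/bash
temp:x:600:20:Temporary account:/home/temp:/bin/sh
"""
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_AD = {DOMAIN_SID + "-1013": "EXAMPLE\\jdoe", DOMAIN_SID + "-501": "EXAMPLE\\Guest",
             DOMAIN_SID + "-1200": "EXAMPLE\\contractor"}


def build_demo() -> Tuple[Directory, NameMapper]:
    rules = NameMapper("EXAMPLE", win_unix=[(r"EXAMPLE\\jdoe", "johnd")],  # jdoe logs in as johnd on UNIX
                       unix_win=[(r"johnd", r"EXAMPLE\\jdoe")])
    return Directory(SAMPLE_AD, parse_passwd(SAMPLE_PASSWD)), rules


if __name__ == "__main__":
    d, m = build_demo()
    print(cifs_on_unix_data(DOMAIN_SID + "-1013", d, m))   # (501, 20, 'johnd')
    print(cifs_on_unix_data(DOMAIN_SID + "-1200", d, m))   # (65534, 65534, 'pcuser')
    print(nfs_on_ntfs_data(600, d, m, "EXAMPLE\\Guest"))   # (DOMAIN_SID + '-501', 'EXAMPLE\\Guest')
```

On a real Vserver the equivalent rule is created with vserver name-mapping create -vserver <vsm> -direction win-unix -position 1 -pattern <regex> -replacement <string>. The AccessDenied paths of the model are the "Access denied" and "Permission denied" boxes of the flowcharts; the path where even the default UNIX user is missing corresponds to the secd event shown on the debugging slide further down.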

What About Groups?

ONTAP doesn't support group mapping.
While companies today normally have unified user identities for Windows and UNIX, the groups are normally NOT unified.
If groups are not unified, the same user would have different access on different platforms => security gap.
If groups are unified, user mapping already takes care of everything.

Debugging Name Mapping

SECD does all the lookups, mapping and caching. Use diag secd in set diag mode.
Check AD name resolution:
  diag secd authentication translate -node <node> -vserver <vserver> -win-name <username>
Check UNIX name resolution:
  diag secd authentication translate -node <node> -vserver <vserver> -unix-user-name <username>
Check Windows-to-UNIX mapping:
  diag secd name-mapping show -node <node> -vserver <vserver> -direction win-unix -name <username>
Check UNIX-to-Windows mapping:
  diag secd name-mapping show -node <node> -vserver <vserver> -direction unix-win -name <username>

Debugging Name Mapping

Watch the event log for secd error messages; it shows problems with user mapping:
  event log show -source secd
Example:
  2/5/2012 17:23:25  steve-01  DEBUG  secd.nfsAuth.noUnixCreds: vserver (xxxnas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!!
    [  1 ms] Using a cached connection to dc2.example!
    [     2] ID 65534 not found in UNIX authorization source LDAP!
    [     2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source!
  **[     2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!

This Vserver has no local user pcuser with ID 65534. pcuser is the default user for Windows users who cannot be mapped to a UNIX user.
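A small triage script for the event shown above, as an added Python example (not NetApp code): it parses event log show -source secd output into events and their indented secd trace lines, extracts the vserver, the UID and the name-service sources that were tried from each secd.nfsAuth.noUnixCreds event, and proposes the fix. The first sample event reproduces the message from the slide; the second is constructed to show a UID that is not one of ONTAP's default accounts. The suggested command uses the Data ONTAP 8.2 vserver services unix-user create syntax.

```python
"""Triage 'event log show -source secd' output for user-mapping failures.

Added example, not NetApp code.  The first sample event reproduces the message
from the slide; the second is constructed to show a non-default UID.
"""
import re
from typing import Dict, List

# Event header: time, node, severity, event name, free text.
_EVENT_RE = re.compile(r"^(?P<time>\S+ \S+)\s+(?P<node>\S+)\s+(?P<severity>[A-Z]+)\s+"
                       r"(?P<event>secd\.[\w.]+):\s*(?P<text>.*)$")
# secd trace lines: "[  1 ms] ...", "[     2] ..." and "**[     2] FAILURE: ..."
_TRACE_RE = re.compile(r"^(?P<fail>\*\*)?\[\s*(?P<ms>\d+)(?: ms)?\]\s*(?P<text>.*)$")
_NOT_FOUND_RE = re.compile(r"ID (?P<id>\d+) not found in UNIX authorization source (?P<source>\w+)")
_UID_RE = re.compile(r"UNIX user with UID (?P<uid>\d+)")
_VSERVER_RE = re.compile(r"vserver \((?P<vserver>[^)]+)\)")

# IDs of the accounts ONTAP expects to exist, per the /etc/passwd slide.
DEFAULT_UNIX_IDS = {0: "root", 65534: "pcuser", 65535: "nobody"}


def parse_events(text: str) -> List[Dict]:
    """Group raw output into events; indented trace lines belong to the preceding header."""
    events: List[Dict] = []
    for raw in text.splitlines():
        header = _EVENT_RE.match(raw.rstrip())
        if header:
            event = header.groupdict()
            event["trace"] = []
            events.append(event)
            continue
        trace = _TRACE_RE.match(raw.strip())
        if trace and events:
            events[-1]["trace"].append({"failure": bool(trace.group("fail")),
                                        "ms": int(trace.group("ms")),
                                        "text": trace.group("text")})
    return events


def triage(events: List[Dict]) -> List[Dict]:
    """Turn each secd.nfsAuth.noUnixCreds event into an actionable finding."""
    findings = []
    for event in events:
        if event["event"] != "secd.nfsAuth.noUnixCreds":
            continue
        vserver_match = _VSERVER_RE.search(event["text"])
        vserver = vserver_match.group("vserver") if vserver_match else "?"
        uid, sources = None, []
        for line in event["trace"]:
            missing = _NOT_FOUND_RE.search(line["text"])
            if missing:
                uid = int(missing.group("id"))
                sources.append(missing.group("source"))
            failed = _UID_RE.search(line["text"])
            if failed:
                uid = int(failed.group("uid"))
        if uid is None:
            continue
        name = DEFAULT_UNIX_IDS.get(uid)
        if name:
            hint = ("UID %d is ONTAP's default account %s but %s does not know it; create it locally: "
                    "vserver services unix-user create -vserver %s -user %s -id %d -primary-gid %d"
                    % (uid, name, "/".join(sources) or "the configured source", vserver, name, uid, uid))
        else:
            hint = ("UID %d is not an ONTAP default; add it to a name service listed in ns-switch "
                    "or check which default user or mapping rule produced it" % uid)
        findings.append({"time": event["time"], "node": event["node"], "vserver": vserver,
                         "uid": uid, "sources_tried": sources, "hint": hint})
    return findings


# Constructed sample: event 1 is the slide's message, event 2 is made up.
SAMPLE_EVENTS = """\
2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxxnas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!!
  [  1 ms] Using a cached connection to dc2.example!
  [     2] ID 65534 not found in UNIX authorization source LDAP!
  [     2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source!
**[     2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!
2/5/2012 17:25:02 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxxnas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!!
  [  0 ms] ID 4242 not found in UNIX authorization source LDAP!
  [     1] ID 4242 not found in UNIX authorization source FILES!
**[     1] FAILURE: Unable to retrieve credentials for UNIX user with UID 4242!
"""

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run it against a saved copy of the event log; a finding whose sources_tried lists only LDAP while the Vserver's ns-switch is supposed to include local files is itself a configuration problem worth fixing before creating users.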

Best Practices

Never use security style mixed => permission nightmare. The last permission change wins! Hard to maintain and debug.
Set the default users with the lowest possible privileges (UNIX: pcuser, Windows: guest).
Set the qtree security style to match the NAS protocol primarily used to access the data.
Since Data ONTAP 8.2 the users and groups pcuser, nobody, root and daemon are created automatically. Check them with vserver services unix-user show and vserver services unix-group show!

Top Links

TR-3580: NFSv4 Enhancements and Best Practices Guide: Data ONTAP Implementation
TR-4073: Secure Unified Authentication with NetApp Storage Systems

Thank You!
Q&A