User and groups mapping
1- We already have an up-and-running user mapping configuration: the Data Mover is a client for NIS and the CIFS server is joined to AD.
2- Now the secmap is built as UID to SID: the Data Mover gets the UID from NIS and the SID from Active Directory.
3- My problem is that this configuration covers the user mapping. What about group mapping? How can I make sure that the groups from NIS and AD have the right mapping?
4- Besides this running configuration, can I use the local groups file, or can I insert the group mapping records into secmap manually?
What can I do to let the Data Mover cover the group mapping?
In case you need any output or any file from our Data Mover, please let me know. I need help with this.
Kindly advise.
Rainer_EMC
8.6K Posts
0
April 5th, 2013 07:00
Sorry – I don't have a step-by-step guide.
If you need that, please engage Professional Services.
It really depends on your very specific setup and how much mapping and permission/access is enough for your environment.
You need to figure it out and test it yourself.
That's why I recommended getting a Simulator.
There you can quickly go back to a clean config.
The first step would be to carefully read the half dozen manuals that are related to multi-protocol and user mapping.
The groups file is a Unix file – it doesn't contain SIDs – it contains the mapping of names to GIDs.
Rainer
Rainer_EMC
8.6K Posts
1
April 4th, 2013 09:00
I wouldn't recommend manually editing the secmap – please see the User Mapping manual for your options.
It really depends on where you want to store/administer your mapping.
What are you doing right now?
Do you have usermapper disabled?
huossamof
12 Posts
0
April 5th, 2013 00:00
Dear Rainer,
Thank you so much for your advice.
What we have now is that the default user mapping in our Celerra is disabled,
and we use external user mapping because we have a multiprotocol environment which lets the Unix users and Windows users access the same data at the same time. So,
as you know from the EMC doc, there are 4 methods to configure user mapping for a multiprotocol environment:
1- LDAP-based directory services, such as Active Directory (that uses Microsoft Windows Services for UNIX [SFU] or Identity Management for UNIX [IdMU])
2- A Data Mover's local user and group files
3- Network Information Service (NIS)
4- Active Directory (by using Celerra CIFS Microsoft Management Console [MMC] snap-ins)
In our environment all Unix users are registered in our NIS, so we used method number 3.
So now the secmap is built automatically: it gets the UID from NIS and the SID from Active Directory, because the CIFS server is joined to the AD domain.
But in the secmap you will find just UID to SID, so the secmap in our case covers just the user mapping.
But in our environment we have a lot of AD groups and Unix groups, and we need to cover the group mapping part too.
So what can we do in such a case?
Is there any command to insert a record manually in the secmap?
Or can I keep everything as it is and build a local group file to let the Data Mover query the group mapping from the local group file, as in method number 2 for external user mapping ((A Data Mover's local user and group files))?
If this is possible, that means the Data Mover will use secmap to cover the user mapping part and the local group file to cover the group mapping.
But if this is not possible, what can I do in such a case?
Please help if you can, and we will keep in touch.
Have a nice day.
Regards,
Hussam
huossamof
12 Posts
0
April 5th, 2013 05:00
Dear Rainer,
I would like to thank you so much for trying to help me with my case.
Now in our current running environment the user mapping works very well.
As I told you, the Data Mover is a client for our NIS and the CIFS server is joined to the domain,
and we have no VDM and we will not configure a VDM at all.
All we need is to share 5 file systems as CIFS and NFS, because these shared file systems will be accessible from both Unix users and Windows users,
and we have a lot of differences between the AD group and Unix group names; for this we need to make sure that the group mapping works very well.
In the current configuration the secmap looks very good, UID to SID, so I think user mapping works well.
But if there is no way to let group mapping work automatically like our current user mapping,
do you think I have to stop using this way and build the local passwd and group files and put them in the DM, and that's it?
But for sure I would prefer a configuration that provides automatic user mapping and group mapping.
I found something online that said:
#####################################################
Once you have NIS configured, the Data Mover automatically checks NIS for a user
and group name. By default, it checks for a username in the form username.domain
and a group name in the form groupname.domain. If you have added usernames
and group names to NIS without a domain association, you can set the cifs resolver
parameter so the Data Mover looks for the names without appending the domain.
server_param server_2 -facility cifs -info resolver
server_param server_2 -facility cifs -modify resolver -value 1
Repeat for all DMs, but not applicable to VDMs.
Setting the above will allow CIFS username lookup from NIS to match based on username,
without the .domain suffix. Use it! (Haven't seen a situation where this is bad.)
server_param server_2 -f cifs -m acl.useUnixGid -v 1
Repeat for all DMs, but not for VDMs.
This setting affects only files created on Windows. The UID is mapped by usermapper.
The GID of the file will by default map to whatever GID that Domain User maps to.
With this setting, the Unix primary group of the user is looked up and used as
the GID of any files created from Windows.
Windows group permission settings retain whatever config is on Windows
(e.g. inherit from parent folder).
############################################################
But I don't understand this sentence very well:
(( The GID of the file will by default map to whatever GID that Domain User maps to.
With this setting, the Unix primary group of the user is looked up and used as
the GID of any files created from Windows ))
If my current configuration is OK and will cover user mapping and group mapping for me, then I will do nothing. Again, I am satisfied with the user mapping by UID to SID which I have now, but will this configuration cover group mapping too? If yes, I will do nothing, but if not, I need your help and I want you to be patient.
Again, thanks a lot for your help.
Regards,
Hussam
Rainer_EMC
8.6K Posts
1
April 5th, 2013 05:00
NIS isn't really great for group mapping – it's a Unix-based directory service and only covers the way Unix groups work.
Unix groups cannot contain other groups and they are often limited to 16 members – Windows groups are very different there.
If your Unix groups have the same literal name as the Windows groups and you only have one Windows domain, then you can set the param cifs.resolv to 1 to drop the domain name from mapping.
Watch out for uppercase/lowercase differences there.
User mapping and multi-protocol can get a bit complicated – I recommend trying on a simulator first and maybe getting Professional Services involved.
Secmap is really only meant as a persistent cache so that we don't have the latency of asking the user mapping sources every time – so I don't recommend using it to do manual mapping.
Besides, secmap is per VDM – so you would have to do that on every VDM and every VNX.
Rainer
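An added example, not part of the thread and not EMC's code: a shell/awk pre-check of the name-matching rule Rainer describes above. It runs against constructed NIS group-map lines and a constructed list of Windows group names (the domain name kessel comes from the thread; the group names, members and GIDs are made up). For each Windows group it computes the NIS name the Data Mover would look up in the two resolver modes (groupname.domain by default, the bare groupname with resolver set to 1) and reports OK, CASE_MISMATCH or UNMAPPED. It assumes the lookup key is the lowercased Windows name; that assumption is consistent with the lowercase-only rule in the EMC documentation but is not stated in this post.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check NIS group names against Windows
# group names under the two cifs resolver modes.  All data below is constructed.
set -e

# Constructed NIS group map lines (name:password:gid:members), as ypcat group prints them.
# "kessel" is the domain name from the thread; groups, members and GIDs are made up.
NIS_GROUPS='itmlprg:*:32963:alkasti,beyer
r-pw-prakt.kessel:*:32964:mayer-f
R-SAP-SPV:*:32965:holzv
users:*:100:'

# Constructed list of Windows global group names, one per line.
AD_GROUPS='itmlprg
r-pw-prakt
r-sap-spv
Domain Users'

# check_group_mapping DOMAIN RESOLVER
#   RESOLVER=0: the Data Mover looks for groupname.domain in NIS (default)
#   RESOLVER=1: the Data Mover looks for the bare groupname (cifs resolver=1)
# Assumption: the lookup key is the lowercased Windows name (the NIS maps are
# required to be lowercase ASCII).  Prints one tab-separated line per Windows group:
#   OK            <adname> <nis name> <gid>
#   CASE_MISMATCH <adname> <nis name that differs only in case>
#   UNMAPPED      <adname> <nis name that was looked up>
check_group_mapping() {
    printf '%s\n' "$AD_GROUPS" | awk -v nis="$NIS_GROUPS" -v dom="$1" -v res="$2" '
    BEGIN {
        n = split(nis, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            if (f[1] == "") continue
            gid[f[1]] = f[3]             # exact NIS name -> GID
            bycase[tolower(f[1])] = f[1] # lowercased NIS name -> exact name
        }
    }
    {
        want = tolower($0)
        if (res != "1") want = want "." dom
        if (want in gid)
            print "OK\t" $0 "\t" want "\t" gid[want]
        else if (want in bycase)
            print "CASE_MISMATCH\t" $0 "\t" bycase[want]
        else
            print "UNMAPPED\t" $0 "\t" want
    }'
}

# Usage: compare both modes before flipping the parameter on a live Data Mover.
echo "resolver=1 (bare names):"
check_group_mapping kessel 1
echo "resolver=0 (groupname.domain):"
check_group_mapping kessel 0
```

Feed it the real `ypcat group` output and the list of Windows groups you care about, and a CASE_MISMATCH line tells you exactly which NIS entry needs to be lowercased before the parameter change, while a row that is OK in one mode and UNMAPPED in the other shows which groups carry the .domain suffix and which do not.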
Rainer_EMC
8.6K Posts
1
April 5th, 2013 06:00
I assume you mean the useUnixGid – yes, that can be a bit confusing.
That's another difference between Windows and Unix – in Unix every user has a primary group and then optionally some secondary groups he also belongs to.
In Unix every file/dir has both a user and a group owner.
In Windows there is no notion of a primary group – you can be in no group at all and all groups are equal.
Normal Active Directory has no setting for what your primary group is – only if you use the RFC extension, but then you need to also manually maintain it.
Also, there is only one owner for a file/dir in Windows – that can be either a user or a group.
So when you create a file through CIFS we have to also store a UID and GID owner in the file system.
The UID is simply from the user mapping – for the GID, by default we would take the mapped GID of the first Windows group the user is a member of.
This param allows you to change that behaviour and use the GID as defined in NIS or the password file instead of the mapped GID.
Hope that explains it.
Technically you can mix different user mapping methods like NIS and local files or ntxmap – we just normally don't recommend it because it can get quite confusing – especially when they contain different information.
Rainer_EMC
8.6K Posts
0
April 5th, 2013 06:00
Which of the params do you currently have set?
huossamof
12 Posts
0
April 5th, 2013 06:00
Yes, 100% you got it, this is my situation.
So now what do you recommend I do to cover the group mapping in my situation?
1- Create a local group file which will include the GID from the Unix side and the group SID from the Windows side and move this file to the DM,
or do you think there is no need to do this and the current configuration ((secmap, which includes UID to SID)) is enough?
Or maybe you can tell me step by step what I have to do to cover the group mapping.
In case you need some files from the DM I can attach them for you, and then maybe you can give me the perfect advice.
Thanks again.
Regards,
Hussam
huossamof
12 Posts
0
April 5th, 2013 08:00
Thank you a lot, the information you gave me is very good,
and now I have to install the simulator to test this.
So do you think I can install the Celerra simulator on our vSphere environment ((deploy the OVA file))
and configure this simulator as a NIS client, create a CIFS server, join it to the same domain and try to test the user mapping and group mapping as I want?
Then we will see what the best configuration to cover our needs is.
But maybe I will need your help while building this test environment; I will update this question in case I face any issue while preparing this test environment.
But in the Celerra simulator, is there any space to create at least one shared file system for testing?
I have never used the Celerra simulator before; I will do it and we will see.
Thank you a lot, a lot, a lot.
Regards,
Hussam
Rainer_EMC
8.6K Posts
0
April 5th, 2013 08:00
The Simulator works with VMware Player, Workstation or vSphere as long as you have a 64-bit CPU.
Just follow the installation manual.
I think the default gets you about 22GB of virtual storage – that should be enough for a few test file systems.
huossamof
12 Posts
0
April 5th, 2013 09:00
Great. Next week I have Centera training, but once I come back from training I will start doing this test.
I will deploy the simulator on our vSphere and configure this Celerra as a client for our NIS and create a CIFS server,
but I hope this will not affect our live Celerra at all.
Do you think I can add more space, more than 22 GB, if I need it, or is it not possible?
Anyway, I will update you about my test. Thanks Rainer, you are helping me a lot.
Regards,
Hussam
huossamof
12 Posts
0
April 25th, 2013 04:00
We need to use EMCOPY to migrate data including the security configuration, and we got error 1337. Then after we checked, we found out that we have to change some security values and we have to configure the right user mapping to let EMCOPY work very well.
Part one: we changed these values
# server_param server_2 -facility cifs -modify acl.mappingErrorAction -value 3
# server_param server_2 -facility cifs -modify acl.retryAuthSid -value 600
# server_param server_2 -facility cifs -modify acl.FailOnSDRestoreError -value 0
Part two: we have to configure the external user mapping.
In our case we have Active Directory and NIS.
I don't want to play with the live Celerra, and asking EMC to do it for us is not free of charge,
so I configured the Celerra simulator in our vSphere environment according to your advice,
and created a CIFS server and joined this CIFS server to our domain,
and I configured the DM as a NIS client.
And as the EMC doc says:
NIS
If the multiprotocol environment consists primarily of UNIX users and has only one Windows domain, or usernames that are unique across multiple Windows domains, you can use NIS to manage user and group mapping. Configuring EMC Celerra Naming Services provides information on configuring a Data Mover to access a NIS server. NIS server documentation provides information about manually updating the NIS passwd and group maps.
Note: All of the entries (Windows names, usernames, domain names, and global group names) in the passwd and group maps must be typed in lowercase ASCII only.
After you have configured NIS, the Data Mover automatically checks NIS for a user and group name. By default, it checks for a username in the form username.domain and a group name in the form groupname.domain. If you have added usernames and group names to NIS without a domain association (which reflects the use of NIS files without any modifications), you can set the cifs resolver parameter so the Data Mover looks for the names without appending the domain.
Example:
To change the default format of username and group name so they can be retrieved without a domain extension, type:
$ server_param server_2 -facility cifs -modify resolver -value 1
Some output about the current configuration:
[nasadmin@emc9mgr ~]$ server_nis server_2
server_2 : yp domain=kessel.de server=172.16.16.2 server=172.16.16.1 server=172.16.16.8
[nasadmin@emc9mgr ~]$ server_usermapper server_2
server_2 : Usrmapper service: Initialized
Service Class: Primary
[nasadmin@emc9mgr ~]$ server_cifssupport server_2 -secmap -list | more
server_2 : done
SECMAP USER MAPPING TABLE
UID Origin Date of creation Name SID
1004 nis Tue Apr 23 16:39:34 2013 _HISTORY_SID_RANGE_\vogt S-1-5-15-59cd1a0f-9867678-a03198-3fa
11220 nis Tue Apr 23 16:32:08 2013 KESSEL\alkasti S-1-5-15-3405cf36-50b430a5-96a27172-1d05
10935 nis Tue Apr 23 17:05:14 2013 KESSEL\mayer-f S-1-5-15-3405cf36-50b430a5-96a27172-1c12
5889 nis Tue Apr 23 17:05:14 2013 KESSEL\beyer S-1-5-15-3405cf36-50b430a5-96a27172-91d
10611 nis Tue Apr 23 17:05:14 2013 KESSEL\holzv S-1-5-15-3405cf36-50b430a5-96a27172-a29
378 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-edv S-1-5-15-3405cf36-50b430a5-96a27172-1d3a
360 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-ks S-1-5-15-3405cf36-50b430a5-96a27172-1d3b
361 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-mb S-1-5-15-3405cf36-50b430a5-96a27172-1d3c
362 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-co S-1-5-15-3405cf36-50b430a5-96a27172-1d3d
364 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-ex S-1-5-15-3405cf36-50b430a5-96a27172-1d3e
5653 nis Tue Apr 23 17:05:51 2013 KESSEL\reithmei S-1-5-15-3405cf36-50b430a5-96a27172-53f
365 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-gf S-1-5-15-3405cf36-50b430a5-96a27172-1d3f
366 nis Tue Apr 23 17:05:13 2013 KESSEL\scan-kd S-1-5-15-3405cf36-50b430a5-96a27172-1d40
So it looks like the user mapping is now covered very well,
but I need to configure the group mapping, so I have two options ((local files or use ntxmap)).
1- local files
As the EMC doc says, I have to get the files
server_file server_2 -get passwd /home/nasadmin/passwd
server_file server_2 -get group /home/nasadmin/group
then modify the local files and then put them back
$ server_file server_2 -put passwd passwd
$ server_file server_2 -put group group
Question number one: in my case the user mapping is covered by secmap, UID to SID, so I will not put a local passwd file. So can I just build the group file and put it under /.etc/group, and the DM will query the local group file to cover group mapping and then query the secmap to cover the user mapping, and then all mapping will be OK?
Question number two: I don't know exactly the right syntax for the local group file. Is this example right? Because there is a /.etc group file which includes this output:
[nasadmin@emc9mgr etc]$ more group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
sync:x:11:sync
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
operator:x:16:operator
games:x:20:
gopher:x:30:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
rpm:x:37:
utmp:x:22:
And after I read the doc, I think the file is supposed to have lines like these. Is this syntax for mapping groups right or not?
S-1-5-15-3405cf36-50b430a5-96a27172-1293:*:32963:itmlprg.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-12c7:*:33004:info@kessel.com.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1bd1:*:32964:r-pw-prakt.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1bd8:*:32965:r-sap-spv.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1c24:*:32966:r-bhb-cnc.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1c27:*:32967:v-team-lo@kessel.de.kessel
Please advise how the group file is supposed to be in my case.
2- for ntxmap
I read the EMC doc about ntxmap and I understood almost nothing. Do you think in my case I can use the ntxmap.conf file to let the DM query just the group mapping? This is what I saw in the EMC doc; please, if you think ntxmap is useful in my case, give me some more description.
Both scenarios talk about user mapping; I need group mapping.
Example scenario
This example shows how Windows credentials mapping works. The ntxmap.conf file
contains this mapping rule:
INTGW2K3:WINuser:=:UNIXuser
Example scenario
This mapping rule explains how the UNIX to Windows mapping works. The ntxmap.conf
file contains this:
INTGW2K3:WINuser:=:UNIXuser
All I want is to let the DM know about the users and groups in this multiprotocol environment. I want to use NIS and local files; I already configured NIS, but even after reading the EMC doc I still don't know how to configure the local file to cover just group mapping.
Kindly advise.
Regards,
Hussam
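Two checks on the artifacts in the post above, as an added example that is not part of the thread and not EMC's tooling. `secmap_audit` parses a listing in the format of `server_cifssupport server_2 -secmap -list` (the sample is constructed from three rows of the posted output plus one made-up row that reuses a UID) and flags SIDs that belong to a domain other than the one the CIFS server joined, such as the `_HISTORY_SID_RANGE_` row, and UIDs that map to more than one Windows account; it takes the domain SID to be the SID minus its last component, which is standard SID structure rather than something the post states. `group_lint` runs the candidate group lines Hussam posted against the one rule the quoted documentation gives (lowercase ASCII only) and checks field count, SID and GID format and uniqueness; it cannot confirm whether that line syntax is what the Data Mover expects, which the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the thread): audit a secmap listing and a candidate
# local group file.  Samples are constructed from the listings in the post.
set -e

# Constructed secmap listing modelled on server_cifssupport server_2 -secmap -list
# (three rows from the post plus one made-up row reusing UID 5889 for the duplicate check).
SECMAP_LIST='server_2 : done
SECMAP USER MAPPING TABLE
UID Origin Date of creation Name SID
1004 nis Tue Apr 23 16:39:34 2013 _HISTORY_SID_RANGE_\vogt S-1-5-15-59cd1a0f-9867678-a03198-3fa
11220 nis Tue Apr 23 16:32:08 2013 KESSEL\alkasti S-1-5-15-3405cf36-50b430a5-96a27172-1d05
5889 nis Tue Apr 23 17:05:14 2013 KESSEL\beyer S-1-5-15-3405cf36-50b430a5-96a27172-91d
5889 nis Tue Apr 23 17:06:02 2013 KESSEL\beyer-old S-1-5-15-3405cf36-50b430a5-96a27172-2001'

# secmap_audit DOMAIN_SID
# DOMAIN_SID is the SID of the joined domain, i.e. a user SID with its last
# component (the RID) removed.  Prints tab-separated findings:
#   FOREIGN_SID <uid> <name> <sid>     SID is not from DOMAIN_SID
#   DUP_UID     <uid> <name1> <name2>  the same UID maps to two Windows accounts
secmap_audit() {
    printf '%s\n' "$SECMAP_LIST" | awk -v want="$1" '
    $1 ~ /^[0-9]+$/ && $NF ~ /^S-1-/ {      # data rows only; the date has spaces, so index from the end
        uid = $1; name = $(NF-1); sid = $NF
        dom = sid; sub(/-[^-]*$/, "", dom)  # strip the RID
        if (dom != want) print "FOREIGN_SID\t" uid "\t" name "\t" sid
        if (uid in seen) print "DUP_UID\t" uid "\t" seen[uid] "\t" name
        else seen[uid] = name
    }'
}

# Candidate group-file lines exactly as posted (the last one has no trailing colon).
GROUP_CANDIDATE='S-1-5-15-3405cf36-50b430a5-96a27172-1293:*:32963:itmlprg.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-12c7:*:33004:info@kessel.com.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1bd1:*:32964:r-pw-prakt.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1c27:*:32967:v-team-lo@kessel.de.kessel'

# group_lint: applies the lowercase-ASCII rule from the quoted EMC documentation
# (the conventional "S-" SID prefix is excluded) plus self-consistency checks.
# It does not validate the line syntax itself.  Prints: <KIND> <line no> <detail>
group_lint() {
    printf '%s\n' "$GROUP_CANDIDATE" | awk -F: '
    NF == 0 { next }
    fields == "" { fields = NF }
    NF != fields { print "FIELD_COUNT\t" NR "\t" NF " fields, expected " fields }
    { rest = $0; sub(/^[^:]*:/, "", rest) }          # everything after the SID field
    rest != tolower(rest) || rest ~ /[^ -~]/ { print "NOT_LOWERCASE_ASCII\t" NR "\t" $0 }
    $1 !~ /^S-1-[0-9]+(-[0-9a-f]+)+$/ { print "BAD_SID\t" NR "\t" $1 }
    $3 !~ /^[0-9]+$/ { print "BAD_GID\t" NR "\t" $3 }
    ($3 in gid) { print "DUP_GID\t" NR "\t" $3 " also on line " gid[$3] }
    ($1 in sid) { print "DUP_SID\t" NR "\t" $1 " also on line " sid[$1] }
    { gid[$3] = NR; sid[$1] = NR }
    '
}

secmap_audit S-1-5-15-3405cf36-50b430a5-96a27172
group_lint
```

On the posted data the audit reports the `_HISTORY_SID_RANGE_\vogt` row as a foreign SID and the made-up duplicate UID, and the lint reports only the missing trailing colon on the last line; an entry with a stray uppercase letter or a non-ASCII character would show up as NOT_LOWERCASE_ASCII before it ever reaches the Data Mover.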