
April 4th, 2013 08:00

User and groups mapping

1- We already have an up-and-running user mapping configuration. The Data Mover is a client for NIS and the CIFS server is joined to AD.

2- Now the secmap is built as UID to SID: the Data Mover gets the UID from NIS and the SID from Active Directory.

3- My problem is that this configuration covers the user mapping. What about group mapping? How can I make sure that the groups from NIS and AD have the right mapping?

4- Can I, beside this running configuration, use the local groups file, or can I insert the group mapping records into secmap manually?

What can I do to let the Data Mover cover the group mapping?

In case you need any output or any file from our Data Mover, please let me know. Please, I need help with this.

Kindly advise.

8.6K Posts

April 5th, 2013 07:00

Sorry – I don't have a step-by-step guide.

If you need that, please engage professional services.

It really depends on your very specific setup and how much mapping and permission/access is enough for your environment.

You need to figure it out and test it yourself.

That's why I recommended getting a Simulator.

There you can quickly go back to a clean config.

The first step would be to carefully read the half dozen manuals that are related to multi-protocol and user mapping.

The groups file is a Unix file – it doesn't contain SIDs – it contains a mapping of names to GIDs.

Rainer

8.6K Posts

April 4th, 2013 09:00

I wouldn't recommend manually editing the secmap – please see the User Mapping manual for your options.

It really depends on where you want to store/administer your mapping.

What are you doing right now?

Do you have usermapper disabled?

12 Posts

April 5th, 2013 00:00

Dear Rainer,

thank you so much for your advice.

What we have now is that the default user mapping in our Celerra is disabled,

and we use external user mapping because we have a multiprotocol environment which lets the Unix users and Windows users access the same data at the same time.

As you know from the EMC doc, there are 4 methods to configure user mapping for a multiprotocol environment:

1- LDAP-based directory services, such as the Active Directory (that uses Microsoft Windows Services for UNIX [SFU] or Identity Management for UNIX [IdMU])

2- A Data Mover's local user and group files

3- Network Information Service (NIS)

4- Active Directory (by using Celerra CIFS Microsoft Management Console [MMC] snap-ins)

In our environment all Unix users are registered in our NIS, so we used method number 3.

So now the secmap is built automatically: it gets the UID from NIS and the SID from Active Directory because the CIFS server is joined to the AD domain.

But in the secmap you will find just UID to SID, so secmap in our case covers just the user mapping.

But in our environment we have a lot of AD groups and Unix groups, and we need to cover the group mapping part too.

So what can we do in such a case?

Is there any command to insert a record manually in the secmap?

Or can I keep everything as it is and build a local group file to let the Data Mover query the group mapping from the local group file, as in method number 2 for external user mapping ("A Data Mover's local user and group files")?

If this is possible, that means the Data Mover will use secmap to cover the user mapping part and the local group file to cover the group mapping.

But if this is not possible, what can I do in such a case?

Please help if you can, and we will keep in touch.

Have a nice day.

Regards,

Hussam

12 Posts

April 5th, 2013 05:00

Dear Rainer,

I would like to thank you so much for trying to help me with my case.

Now in our current running environment the user mapping works very well.

As I told you, the Data Mover is a client for our NIS and the CIFS server is joined to the domain,

and we have no VDM and we will not configure a VDM at all.

All we need is to share 5 file systems as CIFS and NFS, because these shared file systems will be accessible from both Unix users and Windows users.

And we have a lot of differences between the AD group and Unix group names; for this we need to make sure that the group mapping works very well.

In the current configuration the secmap looks very good (UID to SID), so I think user mapping works well.

But if there is no way to let group mapping work automatically like our current user mapping,

do you think I have to stop using this way and build the local passwd and group files and put them in the DM, and that's it?

But for sure I would prefer a configuration that provides automatic user mapping and group mapping.

I found something online that said:

#####################################################

Once you have NIS configured, the Data Mover automatically checks NIS for a user and group name. By default, it checks for a username in the form username.domain and a group name in the form groupname.domain. If you have added usernames and groupnames to NIS without a domain association, you can set the cifs resolver parameter so the Data Mover looks for the names without appending the domain.

server_param server_2 -facility cifs -info resolver

server_param server_2 -facility cifs -modify resolver -value 1

Repeat for all DMs, but not applicable to VDMs.

Setting the above will allow CIFS username lookup from NIS to match based on username, without the .domain suffix. Use it! (Haven't seen a situation where this is bad.)

server_param server_2 -f cifs -m acl.useUnixGid -v 1

Repeat for all DMs, but not for VDMs.

This setting affects only files created on Windows. The UID is mapped by usermapper. The GID of the file will by default map to whatever GID that Domain User maps to. With this setting, the Unix primary group of the user is looked up and used as the GID of any files created from Windows. Windows group permission settings retain whatever config is on Windows (e.g. inherit from parent folder).

############################################################

But I don't understand this sentence very well:

(( The GID of the file will by default map to whatever GID that Domain User maps to. With this setting, the Unix primary group of the user is looked up and used as the GID of any files created from Windows. ))

If my current configuration is OK and will cover user mapping and group mapping for me, then I will do nothing. Again, I am satisfied with the user mapping by UID to SID which I have now, but will this configuration cover group mapping too? If yes, I will do nothing, but if not, I need your help and I want you to be patient.

Again, thanks a lot for your help.

Regards,

Hussam



8.6K Posts

April 5th, 2013 05:00

NIS isn't really great for group mapping – it's a Unix-based directory service and only covers the way Unix groups work.

Unix groups cannot contain other groups and they are often limited to 16 members – Windows groups are very different there.

If your Unix groups have the same literal name as the Windows groups and you only have one Windows domain, then you can set the param cifs.resolv to 1 to drop the domain name from mapping.

Watch out for uppercase/lowercase differences there.

User mapping and multi-protocol can get a bit complicated – I recommend trying on a simulator first and maybe getting professional services involved.

Secmap is really only meant as a persistent cache so that we don't have the latency of asking the user mapping sources every time – so I don't recommend using it for manual mapping.

Besides, secmap is per VDM – so you would have to do that on every VDM and every VNX.

Rainer

8.6K Posts

April 5th, 2013 06:00

I assume you mean useUnixGid – yes, that can be a bit confusing.

That's another difference between Windows and Unix – in Unix every user has a primary group and then optionally some secondary groups he also belongs to.

In Unix every file/dir has both a user and a group owner.

In Windows there is no notion of a primary group – you can be in no group at all, and all groups are equal.

Normal Active Directory has no setting for what your primary group is – only if you use the RFC extension, but then you also need to maintain it manually.

Also, there is only one owner for a file/dir in Windows – that can be either a user or a group.

So when you create a file through CIFS we have to also store a UID and a GID owner in the file system.

The UID is simply from the user mapping – for the GID, by default we would take the mapped GID of the first Windows group the user is a member of.

This param allows you to change that behaviour and use the GID as defined in NIS or the password file instead of the mapped GID.

Hope that explains it.

Technically you can mix different user mapping methods like NIS and local files or ntxmap – we just normally don't recommend it because it can get quite confusing – especially when they contain different information.
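The lookup and GID rules described in the two replies above, as an added example that is not code from the original thread or from EMC. It models the documented cifs resolver behaviour (resolver=0 looks for groupname.domain, resolver=1 for the bare groupname) and Rainer's description of acl.useUnixGid (0: the mapped GID of the user's first Windows group that resolves; 1: the user's primary GID from passwd). The NIS passwd and group maps, the domain kessel, the user and group names and the Windows group memberships are constructed for this example and deliberately mix suffixed and bare group names so that each resolver setting finds a different subset; lowercasing the lookup key is an assumption taken from the manual's "lowercase ASCII only" rule, not a documented Data Mover behaviour.

```python
"""Model of NIS group lookup under cifs resolver=0/1 and of the GID stamped
on a CIFS-created file under acl.useUnixGid=0/1.  Added example; the maps
and names below are constructed, not real directory data."""

# Constructed NIS 'group' map, ypcat format: name:password:gid:members
NIS_GROUP_MAP = """\
r-sap-spv.kessel:x:32965:alkasti,beyer
r-bhb-cnc.kessel:x:32966:holzv
itmlprg:x:32963:mayer-f,vogt
R-PW-Prakt:x:32964:reithmei
"""

# Constructed NIS 'passwd' map: name:password:uid:gid:gecos:home:shell
NIS_PASSWD_MAP = """\
alkasti:x:11220:32965:Alkasti:/home/alkasti:/bin/sh
mayer-f:x:10935:32963:Mayer:/home/mayer-f:/bin/sh
reithmei:x:5653:100:Reithmeier:/home/reithmei:/bin/sh
"""


def parse_group_map(text):
    """name -> (gid, [members]) from group-map lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd_map(text):
    """name -> (uid, primary gid) from passwd-map lines."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid = line.split(":")[:4]
            users[name] = (int(uid), int(gid))
    return users


def lookup_group(groups, win_group, domain, resolver):
    """Resolve a Windows group name against the NIS group map.

    resolver=0 looks for '<group>.<domain>', resolver=1 for '<group>'
    (the documented cifs resolver behaviour).  Returns (gid, 'ok') or
    (None, reason).  An entry that exists only in another case is reported
    separately so the NIS map can be corrected to lowercase."""
    key = win_group if resolver == 1 else f"{win_group}.{domain}"
    wanted = key.lower()          # assumption: lookups are done in lowercase
    if wanted in groups:
        return groups[wanted][0], "ok"
    for name in groups:
        if name.lower() == wanted:
            return None, f"case mismatch: NIS has {name!r}, lookup wants {wanted!r}"
    return None, f"no NIS entry named {wanted!r}"


def audit_group_map(groups, win_groups, domain, resolver, max_members=16):
    """For every Windows group, the GID it maps to (or why it does not), plus
    a warning for any Unix group over the member limit mentioned above."""
    report = {g: lookup_group(groups, g, domain, resolver) for g in win_groups}
    for name, (gid, members) in groups.items():
        if len(members) > max_members:
            report[name] = (gid, f"warning: {len(members)} members > {max_members}")
    return report


def gid_for_cifs_create(users, groups, unix_user, win_groups, domain,
                        resolver, use_unix_gid):
    """GID the Data Mover would store for a file created over CIFS.

    use_unix_gid=1: the user's primary GID from passwd.
    use_unix_gid=0: mapped GID of the first Windows group in win_groups
    that resolves (the default, as described in the reply above).
    Returns None when no group maps at all."""
    if use_unix_gid:
        return users[unix_user][1]
    for group in win_groups:
        gid, _reason = lookup_group(groups, group, domain, resolver)
        if gid is not None:
            return gid
    return None


if __name__ == "__main__":
    groups = parse_group_map(NIS_GROUP_MAP)
    users = parse_passwd_map(NIS_PASSWD_MAP)
    windows_groups = ["Domain Users", "r-sap-spv", "R-PW-Prakt", "itmlprg"]
    for resolver in (0, 1):
        print(f"resolver={resolver}")
        for g, (gid, why) in audit_group_map(groups, windows_groups, "kessel", resolver).items():
            print(f"  {g:12} -> {gid} ({why})")
    for flag in (0, 1):
        gid = gid_for_cifs_create(users, groups, "reithmei", windows_groups, "kessel", 1, flag)
        print(f"reithmei creates a file, acl.useUnixGid={flag} -> GID {gid}")
```

Running it with resolver=0 and then resolver=1 against the same map shows that a map built in one naming form loses every group under the other setting, and that an entry such as R-PW-Prakt stays invisible until it is re-entered in lowercase. Replacing NIS_GROUP_MAP with the text of a real ypcat group dump and the Windows group list with the groups a user actually holds turns this into a pre-check for the map before relying on it.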

8.6K Posts

April 5th, 2013 06:00

Which of the params do you currently have set?

12 Posts

April 5th, 2013 06:00

Yes, 100% – you got it, this is my situation.

So now what do you advise me to do to cover the group mapping in my situation?

1- Create a local group file which will include the GID from the Unix side and the group SID from the Windows side and move this file to the DM,

or do you think there is no need to do this and the current configuration (secmap, which includes UID to SID) is enough?

Or maybe you can tell me step by step what I have to do to cover the group mapping.

In case you need some file from the DM I can attach it for you, and then maybe you can give me the perfect advice.

Thanks again.

Regards,

Hussam

12 Posts

April 5th, 2013 08:00

Thank you a lot, the information you gave me is very good.

And now I have to install the simulator to test this.

So do you think I can install the Celerra simulator in our vSphere environment (deploy the OVA file),

and configure this simulator as a NIS client, create a CIFS server and join it to the same domain, and try to test user mapping and group mapping as I want?

Then we will see what the best configuration is to cover our needs.

But maybe I will need your help while building this test environment; I will update this question in case I face any issue while preparing this test environment.

But in the Celerra simulator, is there any space to create at least one shared file system for testing?

I have never used the Celerra simulator before; I will do it and we will see.

Thank you a lot, a lot, a lot.

Regards,

Hussam

8.6K Posts

April 5th, 2013 08:00

The Simulator works with VMware Player, Workstation or vSphere as long as you have a 64-bit CPU.

Just follow the installation manual.

I think the default gets you about 22GB of virtual storage – that should be enough for a few test file systems.

12 Posts

April 5th, 2013 09:00

Great. Next week I have Centera training, but once I come back from the training I will start doing this test.

I will deploy the simulator on our vSphere and configure this Celerra as a client for our NIS and create a CIFS server,

but I hope this will not affect our live Celerra at all.

Do you think I can add more space, more than 22 GB, if I need it, or is that not possible?

Anyway, I will update you about my test. Thanks Rainer, you are helping me a lot.

Regards,

Hussam

12 Posts

April 25th, 2013 04:00

We need to use EMCOPY to migrate data including the security configuration, and we got error 1337. After checking we found out that we have to change some security values and we have to configure the right user mapping to let EMCOPY work well.

Part one: we changed these values

# server_param server_2 -facility cifs -modify acl.mappingErrorAction -value 3

# server_param server_2 -facility cifs -modify acl.retryAuthSid -value 600

# server_param server_2 -facility cifs -modify acl.FailOnSDRestoreError -value 0

Part two: we have to configure the external user mapping.

In our case we have Active Directory and NIS.

I don't want to play with the live Celerra, and this service is not free of charge if we ask EMC to do it for us,

so I configured the Celerra simulator in our vSphere environment according to your advice,

created a CIFS server and joined this CIFS server to our domain,

and configured the DM as a NIS client.

As the EMC doc says:

NIS

If the multiprotocol environment consists primarily of UNIX users and has only one Windows domain, or usernames that are unique across multiple Windows domains, you can use NIS to manage user and group mapping. Configuring EMC Celerra Naming Services provides information on configuring a Data Mover to access a NIS server. NIS server documentation provides information about manually updating the NIS passwd and group maps.

Note: All of the entries (Windows names, usernames, domain names, and global group names) in the passwd and group maps must be typed in lowercase ASCII only.

After you have configured NIS, the Data Mover automatically checks NIS for a user and group name. By default, it checks for a username in the form username.domain and a group name in the form groupname.domain. If you have added usernames and group names to NIS without a domain association (which reflects the use of NIS files without any modifications), you can set the cifs resolver parameter so the Data Mover looks for the names without appending the domain.

Example:

To change the default format of username and group name so they can be retrieved without a domain extension, type:

$ server_param server_2 -facility cifs -modify resolver -value 1

Some output about the current configuration:

[nasadmin@emc9mgr ~]$ server_nis server_2
server_2 : yp domain=kessel.de server=172.16.16.2 server=172.16.16.1 server=172.16.16.8

[nasadmin@emc9mgr ~]$ server_usermapper server_2
server_2 : Usrmapper service: Initialized
Service Class: Primary

[nasadmin@emc9mgr ~]$ server_cifssupport server_2 -secmap -list | more
server_2 : done

SECMAP USER MAPPING TABLE

UID         Origin      Date of creation         Name                            SID
1004        nis         Tue Apr 23 16:39:34 2013 _HISTORY_SID_RANGE_\vogt        S-1-5-15-59cd1a0f-9867678-a03198-3fa
11220       nis         Tue Apr 23 16:32:08 2013 KESSEL\alkasti                  S-1-5-15-3405cf36-50b430a5-96a27172-1d05
10935       nis         Tue Apr 23 17:05:14 2013 KESSEL\mayer-f                  S-1-5-15-3405cf36-50b430a5-96a27172-1c12
5889        nis         Tue Apr 23 17:05:14 2013 KESSEL\beyer                    S-1-5-15-3405cf36-50b430a5-96a27172-91d
10611       nis         Tue Apr 23 17:05:14 2013 KESSEL\holzv                    S-1-5-15-3405cf36-50b430a5-96a27172-a29
378         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-edv                 S-1-5-15-3405cf36-50b430a5-96a27172-1d3a
360         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-ks                  S-1-5-15-3405cf36-50b430a5-96a27172-1d3b
361         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-mb                  S-1-5-15-3405cf36-50b430a5-96a27172-1d3c
362         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-co                  S-1-5-15-3405cf36-50b430a5-96a27172-1d3d
364         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-ex                  S-1-5-15-3405cf36-50b430a5-96a27172-1d3e
5653        nis         Tue Apr 23 17:05:51 2013 KESSEL\reithmei                 S-1-5-15-3405cf36-50b430a5-96a27172-53f
365         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-gf                  S-1-5-15-3405cf36-50b430a5-96a27172-1d3f
366         nis         Tue Apr 23 17:05:13 2013 KESSEL\scan-kd                  S-1-5-15-3405cf36-50b430a5-96a27172-1d40

So it looks like the user mapping is now covered very well,

but I need to configure the group mapping, so I have two options (local files or use ntxmap).

1- Local files

As the EMC doc says, I have to get the files:

server_file server_2 -get passwd /home/nasadmin/passwd

server_file server_2 -get group /home/nasadmin/group

then modify the local files and then put them back:

$ server_file server_2 -put passwd passwd

$ server_file server_2 -put group group

Question number one: in my case the user mapping is covered from secmap (UID to SID), so I will not put a local passwd file. So can I just build the group file and put it under /.etc/group, and the DM will query the local group file to cover the group mapping and then query the secmap to cover the user mapping, and then all mapping will be OK?

Question number two: I don't know exactly the right syntax of the local group file. Is this example right? Because there is a /.etc group file which includes this output:

[nasadmin@emc9mgr etc]$ more group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
sync:x:11:sync
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
operator:x:16:operator
games:x:20:
gopher:x:30:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
rpm:x:37:
utmp:x:22:

And after I read the doc I think the file is supposed to have lines like these. Is this syntax for mapping groups right or not?

S-1-5-15-3405cf36-50b430a5-96a27172-1293:*:32963:itmlprg.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-12c7:*:33004:info@kessel.com.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1bd1:*:32964:r-pw-prakt.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1bd8:*:32965:r-sap-spv.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1c24:*:32966:r-bhb-cnc.kessel:
S-1-5-15-3405cf36-50b430a5-96a27172-1c27:*:32967:v-team-lo@kessel.de.kessel

Please advise how the group file is supposed to look in my case.

  

2- ntxmap

I read the EMC doc about ntxmap and I understood almost nothing. Do you think in my case I can use the ntxmap.conf file to let the DM query just the group mapping? This is what I saw in the EMC doc; please, if you think ntxmap is useful in my case, give me some more description.

Both scenarios talk about user mapping; I need group mapping.

Example scenario

This example shows how Windows credentials mapping works. The ntxmap.conf file contains this mapping rule:

INTGW2K3:WINuser:=:UNIXuser

Example scenario

This mapping rule explains how the UNIX to Windows mapping works. The ntxmap.conf file contains this:

INTGW2K3:WINuser:=:UNIXuser

All I want is to let the DM know about the users and groups in this multiprotocol environment. I want to use NIS and a local file. I have already configured NIS, but even after reading the EMC doc I still don't know how to configure the local file to cover just the group mapping.

Kindly advise.

Regards,

Hussam
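A pre-put check for the local group file, added here as an example; it is not taken from EMC documentation or from the Data Mover. It validates only what the quoted manual text and the thread establish: the standard group(5) layout name:password:gid:members, numeric GIDs, group and member names in lowercase ASCII (the regular expression used for "lowercase ASCII" is this example's own choice), and no duplicate names or GIDs. It does not know the Celerra-specific form for carrying a Windows SID in a local group entry, so a line with an unexpected field count is only reported for checking against the User Mapping manual. The sample is a shortened copy of the default group file above plus constructed entries that trigger each check; the script name check_group.py in the usage note is an assumption.

```python
"""Lint a Data Mover 'group' file between 'server_file -get group' and
'server_file -put group'.  Added example; checks only the standard
group(5) layout and the manual's lowercase-ASCII rule."""

import re
import sys

NAME_RE = re.compile(r"^[a-z0-9_][a-z0-9_.@-]*$")   # lowercase ASCII names

# Constructed sample: default entries from the post plus test entries
# (line 6 is not lowercase, line 7 reuses gid 100 of 'users').
SAMPLE_GROUP_FILE = """\
root:x:0:root
bin:x:1:root,bin,daemon
wheel:x:10:root
users:x:100:
itmlprg.kessel:x:32963:mayer-f,vogt
R-PW-Prakt.kessel:x:32964:reithmei
r-sap-spv.kessel:x:100:alkasti,beyer
v-team-lo@kessel.de.kessel:x:32967:
"""


def check_group_file(text):
    """Return [(line_number, problem), ...]; an empty list means clean."""
    problems = []
    seen_names, seen_gids = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            problems.append((lineno, f"{len(fields)} fields, expected 4 "
                                     "(name:password:gid:members); check the manual"))
            continue
        name, _password, gid, members = fields
        if not NAME_RE.match(name):
            problems.append((lineno, f"group name {name!r} is not lowercase ASCII"))
        if name in seen_names:
            problems.append((lineno, f"group name {name!r} already on line {seen_names[name]}"))
        seen_names.setdefault(name, lineno)
        if not gid.isdigit():
            problems.append((lineno, f"gid {gid!r} is not numeric"))
        elif gid in seen_gids:
            problems.append((lineno, f"gid {gid} already used by {seen_gids[gid]!r}"))
        else:
            seen_gids[gid] = name
        for member in members.split(","):
            if member and not NAME_RE.match(member):
                problems.append((lineno, f"member {member!r} is not lowercase ASCII"))
    return problems


def main(path=None):
    """Lint the file at path (or the built-in sample); return 1 on problems."""
    text = open(path).read() if path else SAMPLE_GROUP_FILE
    problems = check_group_file(text)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    print("clean" if not problems else f"{len(problems)} problem(s); do not -put this file yet")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it on a workstation with Python 3 after the -get and before the -put (python3 check_group.py group); a nonzero exit means the file needs fixing first. Entries such as v-team-lo@kessel.de.kessel pass because the name is lowercase ASCII; whether a SID belongs in the entry at all, and in which field, is a question for the User Mapping manual that this check does not answer.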
