November 17th, 2016 04:00

Allowing access to filesystem from Windows hosts via CIFS and Linux hosts via NFS

We have file systems that we need to present to both Windows hosts (via CIFS) and Linux hosts (via NFS). I have the file systems, shares and exports set up and I can see them from both my Linux and my Windows hosts.

The Linux hosts can interact (read/write etc.) with the file system as expected, but on the Windows hosts I can see the files but I can't, for example, open them or copy them elsewhere. I believe this is due to how the Linux host has set permissions on the files; the Windows host is treated as "others".

For our Windows hosts and the CIFS server on the SAN we use Active Directory authentication.

The Linux hosts use either local auth OR Active Directory (the Linux hosts are joined to Active Directory).

I think this has to do with user mapping; what I'm not clear on is exactly how to fix it. I found the following document, which outlines various configurations, but it's extremely confusing: http://corpusweb130.emc.com/upd_prod_VNX/UPDFinalPDF/en/User_Mapping.pdf

Do I need to disable the usermapper? Or should I leave it enabled? Do I need to install the Services for Unix and Identity Management for UNIX on our Active Directory server(s)? There's a flow chart in the PDF document above but I'm not sure from reading it which we need.

I have a very limited use case:

- I have two NFS exports

- I need to provide two Windows users access to those exports via CIFS

I noticed in Active Directory that if I pull up an account's attributes I can set uid, uidnumber, and gidnumber. I've set all of those to '0' (essentially making that user root, who is the owner of the files). But despite doing that, the account I've modified still can't interact with the files.

I've tried disabling the usermapper service for server_2 (which doesn't help).

I tried updating the secmap with the following command:

server_cifssupport server_2 -secmap -update -sid #mysid-redacted#

(That results in an error stating: 38 = NetworkInterfaceNotFound)

Sort of at a loss as to how to get this working. I've tried to open a support case with EMC support but it's been lingering for 2 days without any response. Has anyone else done something similar and can give me some pointers as to what I need to do?

Thanks

Brad

5 Practitioner

October 31st, 2017 22:00

If it is a multi-protocol environment with both Windows and Linux/Unix users accessing the same files or folders, you'd better not use the internal usermapper service to map Windows SID to VNX internal UID/GID.

=========

<Configuring VNX User Mapping >

User mapping in multiprotocol environments
In multiprotocol environments, file systems can be accessed by UNIX/Linux and Windows users. File access is determined by the permissions on the file or directory, specifically by one or both of the following:
◆ UNIX/Linux permissions
◆ Windows access control lists (ACLs)

Therefore, if a user has UNIX/Linux and Windows user accounts, you should choose a mapping method that allows you to indicate that the two accounts represent the same user. The mapping methods that enable you to control the mappings used, and ensure that specific Windows SIDs are mapped to the corresponding UIDs or GIDs and that the opposite is also true, include:
◆ LDAP-based directory services, such as the Active Directory (that uses Microsoft Windows Services for UNIX [SFU] or Identity Management for UNIX [IdMU])
◆ A Data Mover’s local user and group files
◆ Network Information Service (NIS)
◆ Active Directory (by using VNX CIFS Microsoft Management Console [MMC] snap-ins)

Note: If a user in a multiprotocol environment uses only a single login (either through Windows or UNIX/Linux), then you can use Usermapper. If a user has only one account, mapping to an equivalent identity in the other environment is not necessary.
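
Added example (not part of either post, and not EMC code): a simplified model of the situation in this thread, where a Windows account with no matching UNIX identity can list a directory but cannot open the files in it. The SIDs, UID/GID numbers, file modes and the auto-allocated ID range are constructed assumptions; Windows ACLs and uid 0 are out of scope.

```python
# Simplified model, not VNX behaviour: map a SID to a UID/GID, then apply
# classic UNIX mode bits. All SIDs, IDs and modes below are constructed.
EXPLICIT_MAP = {  # e.g. taken from uidNumber/gidNumber directory attributes
    "S-1-5-21-1111-2222-3333-1105": (1001, 500),
}
AUTO_BASE = 32768  # hypothetical start of an automatically allocated ID range


def resolve(sid, auto):
    """Return (uid, gid, source); unmapped SIDs get an ID no UNIX account owns."""
    if sid in EXPLICIT_MAP:
        return (*EXPLICIT_MAP[sid], "explicit")
    uid = auto.setdefault(sid, AUTO_BASE + len(auto))
    return (uid, uid, "auto")


def permission_class(uid, gid, st_uid, st_gid):
    """UNIX evaluates exactly one class: owner first, then group, then other."""
    if uid == st_uid:
        return "owner"
    if gid == st_gid:
        return "group"
    return "other"


def allowed(mode, cls, want):
    """True if every permission letter in `want` is set for class `cls`."""
    bits = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (bits & need) == need


def check(sid, auto, st_uid, st_gid, mode, want):
    """Resolve the SID, pick its permission class, and test the request."""
    uid, gid, source = resolve(sid, auto)
    cls = permission_class(uid, gid, st_uid, st_gid)
    return {"uid": uid, "source": source, "class": cls,
            "allowed": allowed(mode, cls, want)}


if __name__ == "__main__":
    auto = {}
    DIR = (1001, 500, 0o755)   # constructed: directory listable by everyone
    FILE = (1001, 500, 0o640)  # constructed: file readable by owner/group only
    for sid in ("S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-1234"):
        print(sid, "list dir: ", check(sid, auto, *DIR, "rx"))
        print(sid, "read file:", check(sid, auto, *FILE, "r"))
```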
