NFS/CIFS permission (or AD and NIS user ID translation problem).
Hello fellow experts,
I have a Celerra that mostly serves CIFS for user home directories. However, within this same Celerra there are 2 filesystems being used for NFS and CIFS. For NFS we have users on Unix servers authenticate through a NIS server. For CIFS we have users authenticate through AD. The problem I have is that when a user creates a file in Unix (via NFS) using this NIS id, the file is accessible fine with correct permissions in the Windows share (via CIFS). But when he/she creates a file in the Windows share (same share), the file is not being recognized in Unix. It seems like NIS doesn't have a record of that same user from Windows. This only happens to some users. For some other users it works fine both ways. Does the usermapper file have anything to do with this, or is the usermapper file only used in a CIFS-only environment and not mixed? There must be some kind of service that translates AD SID (Windows userid) to NIS uid and vice versa, but I can't seem to find where and what this service is. Is there even such a thing? Does anyone know what this is and where it's supposed to run (Celerra, Windows server, etc.)? I am clueless so anything would be greatly appreciated.
Thanks
HT
HT2
51 Posts
0
July 22nd, 2008 19:00
What you instructed me solved my problem. I had confirmation from users a few hours ago that everything is good. I still have the GID I need to deal with, but that's minor and I can take this from here. I'd like to say thank you for all the clear explanations and patience. It's much appreciated. Just can't say thank you enough :~). Thanks again. I know who to ask questions next now (it's your fault) J/K :~). Take care guys
HT
nandas
1.5K Posts
0
July 23rd, 2008 06:00
Thanks for the update. It was my pleasure to provide any kind of remote help to you on this forum. Request you to kindly mark the appropriate answers as "Correct" and/or "Helpful" which will help to search similar queries in future. You may mark up to 2 answers as Helpful and one as Correct.
Cheers,
Sandip
dynamox
1 Rookie
20.4K Posts
0
August 3rd, 2008 05:00
idea of having issues with user-mapping in multi-protocol environment and why it is not recommended to run UserMapper in multi-protocol environment.
Sandip, so what do customers need to do if, for example, I have an existing environment where UserMapper is used and now I have a need to provide multi-protocol access to a file system? What are my options?
Thanks
nandas
1.5K Posts
0
August 4th, 2008 07:00
You may dump the existing user mapper database (UID and GID mapped by user mapper) and map all those existing users to the same UID and GID manually or any other alternate mapping method you are going to use. This may require a change of their UID/GID in the UNIX environment. But with the same UID/GID mapping the data on the NAS will not have any permission issue for Windows users.
However, I am not sure though - but there may be some way/tricks available/known to higher level of EMC Support personnel to change the UID/GID of the existing data on the NAS - but again, I am not sure on this.
Rainer/Bill/Ian or anyone else - any comments/suggestions please..
Regards,
Sandip
Rainer_EMC
8.6K Posts
0
August 4th, 2008 08:00
- how many of your users are really multi-protocol
- how much of your data is multi-protocol
- how multi-protocol is your access - are you creating and changing the same file from both worlds
- how many user changes (add/del) do you have
- how automated is your user management process
Most customers start off multi-protocol in the beginning or only have simple data exchange demands.
As Sandip outlined, it's certainly possible to dump user mapper and convert that info to feed it into other mapping sources.
There are also customers that are happily using usermapper for Windows-only users and other mapping sources for multi-protocol users.
You just then have to be really aware of how it works and make sure with your user creation and provisioning process that they aren't accessing the Celerra before they are configured in the static mapping source.
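The dump-and-compare step described in the two replies above, as an added example that is not part of the original thread and not EMC tooling: it classifies each usermapper account against NIS and flags UIDs that usermapper assigned but NIS gives to a different user. The passwd-style dump format, the `.domain` name suffix and all sample accounts are assumptions constructed for illustration.

```python
# Added example: audit a usermapper dump against the NIS passwd map.
# Assumptions: both inputs are passwd-style lines (name:pw:uid:gid:...) and
# dump names end in ".domain"; the real export format may differ.

def parse_passwd(text, strip_domain=False):
    """Return {login: (uid, gid)}; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name = fields[0].lower()
        if strip_domain and "." in name:
            name = name.rsplit(".", 1)[0]
        users[name] = (int(fields[2]), int(fields[3]))
    return users

def compare(mapped, nis):
    """Classify every usermapper account against NIS."""
    nis_by_uid = {uid: name for name, (uid, _) in nis.items()}
    report = {k: [] for k in
              ("ok", "uid_mismatch", "gid_mismatch", "windows_only", "uid_collision")}
    for name, (uid, gid) in sorted(mapped.items()):
        owner = nis_by_uid.get(uid)
        if owner is not None and owner != name:
            # Files this user creates over CIFS look like another user's on NFS.
            report["uid_collision"].append((name, uid, owner))
        if name not in nis:
            report["windows_only"].append(name)
        elif nis[name][0] != uid:
            report["uid_mismatch"].append((name, uid, nis[name][0]))
        elif nis[name][1] != gid:
            report["gid_mismatch"].append((name, gid, nis[name][1]))
        else:
            report["ok"].append(name)
    return report

# Constructed sample data, not taken from the thread.
DUMP = """alice.corp:*:1001:100::/:
bob.corp:*:32768:32768::/:
carol.corp:*:32769:32768::/:
dave.corp:*:1004:32768::/:"""
NIS = """alice:x:1001:100::/home/alice:/bin/sh
bob:x:1002:100::/home/bob:/bin/sh
dave:x:1004:100::/home/dave:/bin/sh
erin:x:32769:100::/home/erin:/bin/sh"""

if __name__ == "__main__":
    for kind, rows in compare(parse_passwd(DUMP, True), parse_passwd(NIS)).items():
        print(kind, rows)
```

Rows under `uid_collision` deserve attention first, since they mean data written from Windows is owned on the NFS side by an unrelated account.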
JohnH4
32 Posts
0
August 8th, 2008 09:00
This has hit us before also - there is an option not to use SECMAP at all, does anyone know if a performance hit is really noticeable if you disable SECMAP?
-John
Rainer_EMC
8.6K Posts
0
August 11th, 2008 04:00
You can delete single secmap entries using server_cifssupport.
If you have a need to delete the complete secmap database please contact support - they can do that for you.