49 Posts

May 6th, 2013 06:00

Question about usermapper

Hi,

I have a question about usermapper.

I don't have an LDAP server. I just have AD and NIS servers. Is there a way to just manually add one entry for testing purposes?

Please advise.

Thanks

Ricky

49 Posts

May 6th, 2013 09:00

I don't fully understand the purpose of disabling the primary usermapper in the documentation. In my case, is it necessary?

49 Posts

May 6th, 2013 10:00

Thanks for the info. I read the documentation a few times and still have some trouble following it based on my environment.

So like you mentioned, it will use the new UID/GID of the current NIS account.

The tool to find out the AD user info is the VNX CIFS Microsoft Management Console, and for NIS user info it is the UNIX user management snap-in. Correct?

So I don't need to turn off usermapper if I just want one or a few specific mappings, correct?

    [nasadmin@tiny ~]$ server_usermapper server_2
    server_2 : Usrmapper service: Enabled
    Service Class: Primary

6 Operator

 • 

8.6K Posts

May 6th, 2013 10:00

Please take a good look at the manuals related to multi-protocol and user mapping.

It is not a simple topic and one where it pays to read and plan first

What we call usermapper isn’t really used for mapping specific users

Usermapper is a service designed for CIFS only environment – it will automatically assign a free UID/GID from a pre-defined range to any unknown Windows user/group

It WILL not follow any of the real user mapping methods.

It's probably a bit misleading to call it usermapper – it's more of a UID/GID assigner in case you don’t want specific mapping.

So if you want defined user mapping you need to turn off the automatic usermapper

Take a look at your current mappings with server_cifssupport – that can tell you where a mapping came from

You can also tell, if it's very high UID/GID numbers, that it comes from usermapper

Rainer

6 Operator

 • 

8.6K Posts

May 6th, 2013 10:00

You need to turn off usermapper if you want to do mapping through AD or NIS or ntxmap

If you just need one specific mapping look at ntxmap or local user/group files

6 Operator

 • 

8.6K Posts

May 6th, 2013 14:00

I think you need to dig deeper into the concepts

There are at least 5 different user mapping methods

You should use only one - otherwise it gets very difficult to configure and troubleshoot

So you either use AD or NIS for user mapping - but not both at the same time

Similar for usermapper - if you don't disable it then anything that doesn't fit the real user mapping methods will be assigned a uid/gid

If you go down that path then it will hide any mistakes in user mapping

Or if your user connects before you have set up his mapping he will get an automatic mapping from usermapper and it will be difficult to fix later - especially when he has already written files

6 Operator

 • 

8.6K Posts

May 6th, 2013 14:00

Keep in mind that secmap is a cache - it is not meant as a user mapping database

Yes - you can manually change secmap entries for troubleshooting

No - this shouldn't be used instead of a proper user mapping config for several reasons

49 Posts

May 8th, 2013 13:00

Below is part of the README file from when I downloaded the CIFStools, and I have a few questions:

C)2. How should I find out the GID for the AD domain? Should I just use one that is not being used by NIS?

Please advise.

C) MANUAL CONVERSION
   -----------------
  To perform the manual conversion in a UNIX environment, do the following:

    1. Add the NT domain name as a group name in the UNIX group file.
    2. Assign a GID for the newly created group name.
    3. Add the NT user accounts from the NT domain to the UNIX
       password file, assigning each user a unique UID and the GID
       assigned to the NT domain in step 1. The format is as follows:

         user.domain:password:UID:GID:username::

       An NT user may be given the UID and GID of an existing UNIX
       user in the UNIX password file; therefore, you must add the NT
       user after the UNIX user. If the UNIX user has entries in the
       group file, you must add the NT user after the same line where
       the UNIX user is defined.
    4. Add the NT global groups with a unique GID assigned to the
       UNIX group list.

       Important: Due to a UNIX restriction, that prevents certain
       characters that are recognized by NT from being recognized
       by UNIX, you must convert any character outside of range of
       ASCII value 32 <12> to the format "=HEX". For example,
       space-ASCII Value=32(=20 in HEX), therefore "=20"

       EXAMPLE
       User jdoe in domain USRDOM requires an entry in the NIS or
       etc/passwd directory as:

         jdoe.usrdom:*:530:100:J.DOE:/usr/home/jdir:/bin/csh

       where:
         jdoe: NT username
         usrdom: NT domain name is appended so that there is no
             accidental mapping to existing UNIX or NT clients
             of the same name
         *: UNIX password is not checked in NT security but is checked
            for UNIX security
         530: UID
         100: GID
         J.DOE: user name
         /usr/home/jdir: UNIX path (not required)
         /bin/csh: shell (not required)

       If you are using UNIX security mode, do not include the domain as
       part of the username, instead use a valid password in the password
       field.

49 Posts

May 9th, 2013 09:00

On further checking, the README file mentions the following:

  USERMAPPER is strictly for an NT only environment,
  where users do not have a UNIX account. When NT users
  are added to the NT domain, no further action is needed for
  new NT users to be able to map shares from the datamover.
  A unique UID/GID will be assigned to new users during their
  first attempt to map shares from the datamover.

        CAUTION:
          If the USERMAPPER is used in a mixed environment, it will generate
          UNIX UIDs and GIDs for NT users that will not match their existing
          UIDs and GIDs of their UNIX account. This may cause files created
          from their NT account to be inaccessible to them from NFS/UNIX
          clients.

49 Posts

May 9th, 2013 09:00

So I'm not using the usermapper, but just the manual conversion method.

I didn't create a group file, but did the below for the passwd file and uploaded it to server_2

In passwd file:

wai.chan.domain:*:5355:14:ricky::

username: wai.chan

AD domain: domain

GID: 5355 (same as NIS)

UID 14 (same as NIS)

NIS account: ricky

Does it work?

If so, could someone please advise how I can test and verify it?

Thanks
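
Checking an entry in the README's `user.domain:password:UID:GID:username::` layout against the UNIX account whose IDs it is meant to share, as an added example (not code from the thread or from CIFStools). The passwd lines in `SAMPLE_PASSWD` are constructed, with ricky's built from the UID and GID values stated in the post above, and taking the last dot-separated component as the domain is an assumption.

```python
from typing import Dict, List, NamedTuple, Tuple

NtEntry = NamedTuple("NtEntry", [("nt_user", str), ("nt_domain", str), ("uid", int), ("gid", int)])

def parse_nt_entry(line: str) -> NtEntry:
    """Parse 'user.domain:password:UID:GID:username::' (field order from the README)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    # Assumption: the domain is the last dot-separated part, so the user name may contain dots.
    nt_user, dot, nt_domain = fields[0].rpartition(".")
    if not (dot and nt_user and nt_domain):
        raise ValueError("first field must be user.domain")
    return NtEntry(nt_user, nt_domain, int(fields[2]), int(fields[3]))

def load_unix_ids(passwd_text: str) -> Dict[str, Tuple[int, int]]:
    ids = {}  # account name -> (UID, GID)
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            ids[f[0]] = (int(f[2]), int(f[3]))
    return ids

def check_mapping(nt_line: str, unix_account: str, passwd_text: str) -> List[str]:
    """Return the reasons the NT entry would not share IDs with unix_account."""
    entry = parse_nt_entry(nt_line)
    ids = load_unix_ids(passwd_text)
    if unix_account not in ids:
        return [f"UNIX account {unix_account!r} not found"]
    uid, gid = ids[unix_account]
    problems = []
    if entry.uid != uid:
        problems.append(f"UID field is {entry.uid}, {unix_account} has UID {uid}")
    if entry.gid != gid:
        problems.append(f"GID field is {entry.gid}, {unix_account} has GID {gid}")
    if uid != gid and (entry.uid, entry.gid) == (gid, uid):
        problems.append("UID and GID fields appear swapped")
    return problems

# Constructed UNIX passwd lines (sample data, not taken from any real system).
SAMPLE_PASSWD = """\
jdoe:x:530:100:J Doe:/usr/home/jdir:/bin/csh
ricky:x:14:5355:Ricky:/home/ricky:/bin/sh
"""

if __name__ == "__main__":
    print(check_mapping("jdoe.usrdom:*:530:100:J.DOE:/usr/home/jdir:/bin/csh", "jdoe", SAMPLE_PASSWD))
    print(check_mapping("wai.chan.domain:*:5355:14:ricky::", "ricky", SAMPLE_PASSWD))
```

An empty list means files written over CIFS and NFS would carry the same owner and group IDs; any entry in the list is a mismatch to resolve before the user first connects.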

6 Operator

 • 

8.6K Posts

May 9th, 2013 11:00

Did you disable usermapper explicitly?

6 Operator

 • 

8.6K Posts

May 9th, 2013 11:00

How to test:

See "man server_cifssupport" and its TechNote

2 Intern

 • 

467 Posts

May 9th, 2013 17:00

Are you wanting to join an ad/ldap domain or create local users/groups?

49 Posts

May 9th, 2013 17:00

Basically, I want to create a share that can be accessed by NFS and CIFS. Can someone please show me the steps to get this done?

49 Posts

May 9th, 2013 17:00

Oh, thanks for reminding me. I just did.

    [nasadmin@tiny2 ~]$ server_usermapper server_2
    server_2 : Usrmapper service: Initialized
    Service Class: Primary

49 Posts

May 9th, 2013 18:00

When I launch the computer management MMC and point to the VNX storage, I can't access the shares and receive "access denied"
