Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1017673.1
Update Date:2010-04-13

Solution Type  Technical Instruction Sure

Solution  1017673.1 :   Sun StorageTek[TM] 5000 Series NAS: Configuring and Verifying CIFS/NFS User and Group Credential Mapping Rules  


Related Items
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

PreviouslyPublishedAs
228864


Description
User and group credential mapping allows CIFS and NFS users to share files and directories.

These mappings create associations between a CIFS (typically Windows) user's ID (RID) and a particular UNIX/NFS UID. This allows users with both NFS and Windows accounts to access their own data from either type of client, and to share data with heterogeneous workgroups. The mapping rules determine how the NFS UID or GID for a particular Windows user or group is obtained.



Steps to Follow

NOTE: All of the credential mapping functionality described below applies only to Windows Domain mode. To understand how UIDs and security are handled in Workgroup mode, please see <Document: 1013073.1>.

Every time a Windows user accesses the system for the first time (or a mapping otherwise does not exist) a new user mapping is created. Similarly, a new group mapping is created the first time each user from a particular Windows primary group logs in.

It is strongly recommended that you define a mapping rule and import NFS accounts to the system or configure LDAP/NIS+ prior to the migration of data. This minimizes the amount of manual configuration required.

The primary tool to automate credential mapping is the selection of user and group mapping rules. Each of the available mapping policies is detailed below, along with configuration instructions.

To Set Up Credential Mapping:

  1. Open a browser to http://hostname or the IP address of your system.
  2. Type the administrator password.
  3. Navigate to Windows Configuration/Manage SMB CIFS Mapping/Configure User Mapping.
  4. In this screen there are radio buttons for each of three user mapping options and each of three group mapping options. Select the desired mapping policy as explained below, and click Apply at the bottom of the screen.

The user mapping options are as follows:

  • Default Mapping
    This is the default setting. When a new user connects, a new UID is generated by the system. This UID is one larger than the largest current UID found on the system. Any desired mapping of CIFS users to NFS users must be done manually.
  • Map by User Name
    This setting specifies that the Windows user's name is looked up through the configured passwd lookup service. If the lookup is successful, the NFS UID is taken from the matching entry. If the lookup fails, a new UID is generated as with the Default Mapping rule.
  • Map by Full Name
    This setting specifies that the Windows NT user's full name is looked up through the configured passwd lookup service. If the lookup is successful, the NFS UID is taken from the matching entry. If the lookup fails, a new UID is generated as with the Default Mapping rule.

The group mapping options are as follows:

  • Default Mapping
    This is the default setting. When a new user connects, a new GID is generated by the system. This GID is one larger than the largest current GID found on the system. Any desired mapping of SMB groups to NFS groups must be done manually.
  • Map by Group Name
    This setting specifies that the NT group name is looked up through the configured group lookup service. If the lookup is successful, the NFS GID is taken from the matching entry. If the lookup fails, a new GID is generated as with the Default Mapping rule.
  • Map to Primary Group
    This setting specifies that the Windows user's UNIX group is determined by the primary GID field in the passwd entry obtained during the user mapping operation. With this setting, the group.map file is never consulted and the Windows group membership is ignored. The GID for all file operations is set to the GID in the passwd file. If a GID cannot be determined, the UNIX nobody group GID (60001) is used. This setting is very useful for environments where Windows primary groups have not been defined.
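
The rules above can be previewed before migration to see which Windows accounts would end up with generated IDs or the nobody GID and therefore need manual mapping. The following is an added example that models the rules as described in this document; it is not code from the NAS or from Sun. The rule names ("default", "username", "fullname", "groupname", "primary"), the function names, the sample accounts, the exact case-sensitive name comparison, and counting passwd/group entries as the IDs "found on the system" are all assumptions.

```python
NOBODY_GID = 60001  # UNIX nobody group GID given in the text

# Constructed sample data: passwd name -> (uid, primary gid, full name); group name -> gid
PASSWD = {"jsmith": (1001, 100, "John Smith"), "mlee": (1002, 200, "Mei Lee")}
GROUP = {"staff": 100, "eng": 200}


def map_user(rule, name, full_name, passwd, uids):
    """Return (uid, passwd entry or None, generated?) for a first-time Windows user."""
    entry = None
    if rule == "username":
        entry = passwd.get(name)  # assumption: exact, case-sensitive match
    elif rule == "fullname":
        entry = next((e for e in passwd.values() if e[2] == full_name), None)
    if entry:
        return entry[0], entry, False
    # Default Mapping, or a failed lookup: one larger than the largest current UID
    return max(uids) + 1, None, True


def map_group(rule, win_group, group, gids):
    """Return (gid, generated?) for a Windows group seen for the first time."""
    if rule == "groupname" and win_group in group:
        return group[win_group], False
    return max(gids) + 1, True  # Default Mapping, or a failed lookup


def preview(users, user_rule, group_rule, passwd=PASSWD, group=GROUP):
    """Predict {name: (uid, gid, needs_manual_review)} for (name, full name, group) tuples."""
    uids = {e[0] for e in passwd.values()}
    gids = set(group.values())
    group_map, result = {}, {}  # group_map stands in for group.map
    for name, full_name, win_group in users:
        uid, entry, new_uid = map_user(user_rule, name, full_name, passwd, uids)
        uids.add(uid)
        if group_rule == "primary":
            # group.map is not consulted; GID comes from the passwd entry, else nobody
            gid, new_gid = (entry[1] if entry else NOBODY_GID), False
        else:
            if win_group not in group_map:
                group_map[win_group] = map_group(group_rule, win_group, group, gids)
                gids.add(group_map[win_group][0])
            gid, new_gid = group_map[win_group]
        result[name] = (uid, gid, new_uid or new_gid or gid == NOBODY_GID)
    return result


# Constructed Windows accounts: (user name, full name, primary group)
USERS = [("jsmith", "John Smith", "eng"), ("Mei.Lee", "Mei Lee", "Domain Users"),
         ("tkhan", "T. Khan", "Domain Users")]
```

Calling preview(USERS, "username", "groupname") and preview(USERS, "fullname", "primary") on the same accounts shows how the choice of rule changes which users fall back to generated IDs.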

Modifying Existing User and Group Credential Mappings

User and group mappings are stored in the configuration files users.map and group.map. A menu interface enables you to edit these mappings. Editing is necessary in cases where the NFS user and group account names do not match the CIFS user and group account names, and in cases where mapping was not configured prior to migration of users and data.

  1. Open a browser to http://hostname or the IP address of your system.
  2. At the login screen, type the administrator password.
  3. Navigate to Windows Configuration/Manage SMB CIFS Mapping/Configure maps.
  4. Edit or add mapping per the instructions below.

There are radio buttons at the top of the screen to select users or groups. The screen displays a list of all existing maps. For each user or group, the following information is provided (listed from right to left): UNIX user or group name, UNIX UID or GID, Windows user or group name, Windows Domain, and RID.

The RID is roughly equivalent to the UNIX UID or GID. RID information is stored in a database on the Windows domain controllers. Note that changing a user's RID in the system administration interface is not possible. Modifying the value collected from the domain controller simply invalidates the mapping.

To edit a mapping, select either the user or group radio button, and double-click the mapping. You are presented with four fields, as described above, with the exception that the Windows Domain and username are merged into one field in the format DOMAIN/user. If you omit the Windows Domain, it is automatically populated with the Windows Domain that the NAS is currently a member of. Any of these fields can be edited; however, the RID should not be changed, as noted above.

To add a mapping, click Add at the bottom of the screen and complete the four fields noted above. In order to use this option, you will need to know the RID information from the Windows domain controllers. It is generally easier to allow the NAS to retrieve the RIDs automatically as users connect, and edit as needed.



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com

The Knowledge Work Queue for this article is KNO-STO-NAS.


NAS, CIFS, Credential Mapping, user mapping, group mapping, nfs, audited
Previously Published As
90648

Change History
Date: 2010-04-12
User Name: 79977
Action: Currency check
Comment: Verified still current, william.harper@oracle.com
Date: 2007-09-26
User Name: 95826
Action: Approved
Comment: - checked normalized : ok
- verified metadata
- review date ok : 2008-09-18
- checked for TM - 1 added
- checked audience : contract
Publishing
Version: 4
Date: 2007-09-25
User Name: 160775
Action: Add Comment
Comment: Doc 90649 is now published, please continue final review.
Version: 0
Date: 2007-09-21
User Name: 95826
Action: Add Comment
Comment: document linked to 90649, which is still in TR stage.
Waiting for 90649 to progress in the workflow before publishing this one.
Version: 0
Date: 2007-09-21
User Name: 95826
Action: Accept
Comment:
Version: 0
Date: 2007-09-21
User Name: 147406
Action: Approved




Product_uuid
ef8d4cb2-9cd6-11da-85b4-080020a9ed93 | Sun StorageTek 5320 NAS Gateway/Cluster System
27ca3082-cb13-11da-857a-080020a9ed93 | Sun StorageTek 5320 NAS Appliance
9d23ea64-a8be-11da-85b4-080020a9ed93 | Sun StorageTek 5320

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.