Cluster-ModeUnderstanding Multiprotocol Usermapping for ONTAPNAS Oliver Krause v20120205 For NetApp internal and authorized partners use only
Agenda • What is User Mapping about? • Some Definitions • Using Name Services
What is User Mapping about? Hi, I am Fred the User. I use a Windows™ PC to access my files on IT’sfileserver. Uses Hi, I am Bob from IT. I manage Fred’s access rights to our IT infrastructure like the fileserver data. CIFS Hi, I am IT’s fileserver. I store the Documents of Fred and protect them from unauthorized access by enforcing the permissions Bob set onto them.
What is User Mapping about? Sometimes I need to use a UNIX system and want to access my documents on the fileserver. Uses Hi, I am the security auditor here. I require that access to Fred’s files is protected equally, no matter how the files are accessed. CIFS NFS I already manage permission rights to Fred’s documents for Windows. Why should I manage the permissions again for UNIX?
What is User Mapping about? Don’t worry folks, I am here to help! Fred, you can use Windows or UNIX on your files. Bob, simply tell me Fred’s usernames for Windows and UNIX. I do the rest. Everything is fine, leave Bob and Fred alone.
What is User Mapping about? ONTAPenforces access permission by checking the access rights stored with each file against the Identity of the accessing user ONTAPuses User Mapping to match the Windows Identity of a user with his UNIX Identity
What is a Windows User? • Windows identifies users by a Security Identifier (SID). • CIFS sends SID to identify user of request • SID stored in Active Directory. • From Wikipedia • SID has format as follows: S-1-5-12-7623811015-3361044348-030300820-1013 • S – The string is a SID. • 1 – The revision level. • 5 – The identifier authority value. • 12-7623811015-3361044348-030300820 – domain or local computer identifier • 1013 – a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
What is a UNIX User? • A UNIX users is identified by a user ID (UID) and one or more group ID’s (GID). • NFS v2/v3 sends UID/GIDs to identify user, v4/v4.1 send username as Unicode-String • Historically stored in /etc/passwd: • ONTAP only uses RED fields • Additional groups stored in /etc/groups • root::0:1::/: • pcuser::65534:65534::/: • nobody::65535:65535::/: • okrause:x:500:100:Oliver Krause, SE:/home/okrause:/bin/bash • username:pw:uid:gid:GECOS:homedir:shell
Qtree Security Styles ONTAP uses Security Styles to define which kind of permissions are enforced for a files: UNIX – Standard UNIX permission bits and NFSv4 ACLs are used NTFS – Standard NTFS ACLs are used Mixed – Either UNIX permissions orNTFS ACLs are set on file granularity Security Styles can be set on Volumesor Qtrees
How Does ONTAP User Mapping Work? • Every File or Directory has only oneactivePermission Set (PermSet) • Active PermSet type controlled by Qtree Security Style • Every PermSet contains either a NTFS Access Control List (ACL) orUNIX permissions (Owner + mode bits + optional NFSv4 ACL) • Depending on access protocol (NFS or CIFS) we have to distinguish 4 different cases: • NFS client accessing file with UNIX PermSet • NFS client accessing file with NTFS PermSet • CIFS client accessing file with UNIX PermSet • CIFS client accessing file with NTFS PermSet
CIFS Client Accessing UNIX PS CIFS-Call / SID, e.g. S-1-5-12-7623811015-… Lookup Username in Active Directory WIN-Username, e.g. EXAMPLE\jdoe Name-mapping of Username UNIX-Username, e.g. johnd Lookup User in Name Service (local, NIS, LDAP) Not found User = vservercifsoptions -default-unix-user Found UID / GID Default Username (default “pcuser”) Lookup User in Name Service Found UID / GID Not found Data with UNIX-Security-Style Access denied
NFS Client Accessing NTFS PS NFS-Call / UID+GID’s, e.g. UID=501, GID=20 Lookup User in Name Service (local, NIS, LDAP) UNIX-Username, e.g. johnd Name-mapping of Username WIN-Username, e.g. EXAMPLE\johnd Lookup Username at Active Directory Not found User = vservernfs -default-win-user Found SID Default Username (default “”) Lookup Username at AD Found SID Not found Data with NTFS-Security-Style Access denied
NFS Client Accessing NTFS PS • NTFS ACL is too complex to be visually mapped on simple mode bit scheme • ONTAP sends 777 if asked for permissions • But in reality NTFS ACL is enforced in ONTAP • So permissions seen on UNIX are misleading • chmodand chownwill fail • Use Windows or Samba’s smbcacls(unsupported) to view and manipulate NTFS ACL
Common Question – POSIX ACLs Some customers used UNIX systems with Draft-POSIX ACLs to build fileservers. Clients use NFSv3 but need better ACLs. There are two ways to move them to ONTAP: • Use UNIX Qtree. Use NFSv4 ACLsand use V4 client to manage ACLs • Use NTFS Qtree. Use Windows client to manage NTFS ACLs No matter which ACL model you use, ONTAP enforces the ACL, independent of the access protocol (NFSv2/3/4 or CIFS)
Name-mapping of Username • Use vserver name-mapping to map UNIX<>Windows Users • If you specify no rule, ONTAP automatically maps Windows usernames to same Unix username • Vserver name-mapping can be don independently for UNIX2WIN and WIN2UNIX, using regular expressions
What About Groups? • ONTAP doesn’t support Group Mapping • While companies today normally have unified User Identities for Windows and UNIX the Groups are normally NOT unified • If Groups are not unified, the same User would have different access on different platforms=> Security Gap • If Groups are unified, User Mapping already takes care of everything
Debugging name mapping • SECD does all the lookups, mapping and caching. Use diagsecdin set diag mode. • Check AD nameresolution:diagsecd authentication translate –node <node> -vserver <vserver> -win-name <username> • Check Unix nameresolution:diagsecd authentication translate –node <node> -vserver <vserver> -unix-user-name <username> • Check Windows to Unix mapping:diagsecd name-mapping show –node <node> -vserver<vserver> -direction win-unix<username> • Check Windows to Unix mapping:diagsecd name-mapping show –node <node> -vserver <vserver> -direction unix-win <username>
Debugging name mapping • Watch event log for secd error messages. Itshowsproblemswithusermapping:event log show -source secd Example2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver(xxx-nas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed! [ 1 ms] Using a cached connection to dc2.example [ 2] ID 65534 not found in UNIX authorization source LDAP [ 2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source **[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534 • This vserver got no local user pcuser with id 65534. pcuser is the default user for windows users who cannot be mapped to a unix user.
Best Practices • Never use Security Style “mixed” => Permission Nightmare. Last permission change wins! Hard to maintain and debug • Set default users with lowest possible privileges (UNIX: pcuser, Windows: guest) • Set Qtree style to match the NAS protocol primarily used to access data • The users and groups pcuser, nobody, root, daemon are used but not created by default. Create them with vserver services unix-user/unix-group