
Contents

Introduction . . . 3
  Terminology . . . 3
User mapping concepts . . . 6
  Configuring user mapping in Windows-only environments . . . 7
  Configuring user mapping in multiprotocol environments . . . 8
How user mapping works . . . 9
System requirements . . . 10
  EMC NAS Interoperability Matrix . . . 10
User interface choices . . . 11
  Using Celerra Manager to configure user mapping . . . 11
User mapping roadmap . . . 13
Using Internal Usermapper . . . 14
  Restrictions . . . 14
  Planning considerations . . . 15
  Using the default single-Celerra Usermapper configuration . . . 16
  Configuring a multi-Celerra Usermapper environment . . . 16
  Managing Usermapper . . . 20
  Changing Usermapper default configuration settings . . . 25
Using External Usermapper . . . 27
Using the Active Directory . . . 28
  Celerra UNIX user management snap-in . . . 28
  Celerra UNIX users and groups property page extension . . . 29
Using local files . . . 30
  Task 1: Copy files from the Data Mover . . . 31
  Task 2: Add Windows domain name as a group name . . . 32
  Task 3: Add Windows usernames . . . 33
  Task 4: Copy files to the Data Mover . . . 34
Using NIS . . . 35
Using user account migration tools . . . 37
  Celerra UNIX Attributes Migration tool . . . 37
  NTMigrate . . . 37
Configuring the primary group mapping for file system objects . . . 38
  Using user UNIX GIDs for file system objects . . . 38
  Determining the GIDs on copied file system objects . . . 39
Troubleshooting user mapping . . . 41
  Error messages . . . 41
  Known problems and limitations . . . 43
  Events and notifications . . . 44
Related information . . . 45
  Customer training programs . . . 45
Index . . . 47

Configuring Celerra User Mapping
P/N 300-002-715
Rev A01
Version 5.5
March 2006


Introduction

Every user of the Celerra® Network Server, either a Windows user or a UNIX user, must be identified by a unique numeric user identifier (UID) and group identifier (GID). Windows, however, does not use numeric IDs to identify users. Instead, it uses strings called security identifiers (SIDs). Therefore, before you configure the Windows file-sharing service (referred to as CIFS) on your Celerra Network Server, you must select a method of mapping Windows SIDs to UIDs and GIDs. The method you use depends on whether you have a Windows-only or UNIX and Windows (multiprotocol) environment. These methods include:

◆ Usermapper (Internal or External)

◆ Active Directory

◆ Local files

◆ Network Information Service (NIS)

This technical module is part of the Celerra Network Server information set and is intended for system administrators responsible for configuring and managing Windows user ID mapping.

Terminology

This section defines terms important to understanding user mapping capabilities on the Celerra Network Server. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology.

ACL (Access control list): A list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object.

Active Directory: An advanced directory service included with Windows 2000 Servers. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP.

authentication: The process for verifying the identity of a user who is trying to access a resource or object, such as a file or a directory.

CIFS (Common Internet File System): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

CIFS server: A logical server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS server. Each instance is referred to as a CIFS server.

CIFS service: The CIFS server process that runs on the Data Mover and presents shares to clients on the network, including Windows-based computers.

Control Station: A hardware and software component of the Celerra Network Server that manages the system and provides the user interface to all Celerra components.


Data Mover: A Celerra Network Server cabinet component running the DART operating system that retrieves files from a storage device and makes the files available to a network client.

DNS (Domain Name System): Name resolution software that allows users to locate computers and services on a UNIX or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and the services provided by those hosts.

domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are members of the domain and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

GID (group identifier): A number assigned to a particular group of users.

Kerberos: A network authentication protocol that uses secret-key cryptography and a trusted key distribution center to authenticate clients and servers, and that can also provide data integrity and privacy for the exchanged data. It is the default authentication protocol in Windows 2000 domains and coexists with NTLM (NT LAN Manager) authentication.

NFS (Network File System): A distributed file system that provides transparent access to a remote storage system. NFS allows all systems on the network to share a single copy of a file system.

NIS (Network Information Service): A distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.

NTP (Network Time Protocol): A protocol used to synchronize the real-time clock in a computer with a network time source.

primary Usermapper service: The instance of the Usermapper service that assigns UIDs and GIDs to Windows users and groups asking the Celerra Network Server for access to system objects.

quota: A limit on the amount of allocated disk space as well as the number of files (inodes) that a user or group of users can create in a production file system. Quotas control the amount of disk space and the number of files that a user or group of users can consume.

secondary Usermapper service: In a multi-Celerra environment, an instance of the Usermapper service that forwards requests for user mappings to the primary Usermapper service and returns those mappings to the Data Movers in addition to storing the mappings it processes.

SID (security identifier): A unique identifier that defines a user or group in a Microsoft Windows environment. Each user or group has its own SID.

UID (user identifier): A number that corresponds to a particular user.

user file: Refers to the passwd file that resides on each Data Mover.

Usermapper: A service that automatically maps distinct Windows users and groups to distinct UNIX-style UIDs and GIDs.

Usermapper host: A machine that runs an External Usermapper daemon or service.


Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain controlled and managed by Windows 2000 Server or Windows Server 2003 domain controllers, using the Active Directory to manage all system resources and DNS for name resolution.

Windows NT domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) that has a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM.

WINS (Windows Internet Name Service): A Microsoft name resolution service that determines the IP address associated with a particular network node. WINS provides the mapping between NetBIOS machine names and IP addresses, allowing Microsoft networking to function over TCP/IP networks.


User mapping concepts

Every Celerra Network Server user must be assigned a unique numeric UID and GID to indicate the ownership of directories and files. The Celerra Network Server uses directory and file ownership to apply and enforce access permissions and quota limits.

Note: For connections from Windows users, file access checking is performed using SIDs only. This is done to prevent errors due to UID mismatches and to reduce dependency on the Usermapper database.

Like the Celerra Network Server, NFS versions 2 and 3 use UIDs and GIDs to identify users and groups. Consequently, the Celerra Network Server can use the UIDs and GIDs supplied by UNIX (NFS) clients without requiring any additional mapping. Windows, however, does not use numeric IDs to identify users. Instead, it uses strings called security identifiers (SIDs). Therefore, before you configure the Windows file-sharing service (referred to as CIFS) on your Celerra Network Server, you must select a method of mapping Windows SIDs to UIDs and GIDs. You select a mapping method based on whether you have a Windows-only or UNIX and Windows (multiprotocol) environment.

Figure 1 identifies the factors that determine the user mapping technique best suited for your environment.

Figure 1 Flow Chart of User Mapping Techniques (CNS-000598). The figure itself is not reproduced; its decision points, as recovered from the figure labels, are: Do users have both UNIX and Windows accounts? No (Windows-only): Usermapper. Yes: Do you have only one Windows domain, or user names that are unique across all your Windows domains? No: local files. Yes: Is Active Directory or UNIX your primary user mapping management environment? Active Directory: Active Directory and the cifs.useADMap parameter. UNIX: NIS and the cifs.resolver parameter.

Configuring user mapping in Windows-only environments

The Celerra Network Server's Usermapper feature automatically assigns UIDs and GIDs to Windows users and groups. Beginning with Celerra Network Server Version 5.2, there are two types of Usermapper.

◆ Internal Usermapper is part of the Data Mover's software. It does not require a separate installation and, in the case of a new Celerra Network Server, requires no additional configuration procedures.

◆ External Usermapper runs as a daemon on a Celerra Control Station. It requires a separate installation as well as additional configuration and management procedures.

EMC® recommends that you use Internal Usermapper in Windows-only environments. Celerra Network Server installations after version 5.2 use Internal Usermapper by default. External Usermapper Version 3.1 and earlier versions are maintained only for existing customers until they can transition to Internal Usermapper.

Note: Before you configure and run Usermapper, note these restrictions:

◆ You should have only one primary Usermapper in a Celerra Network Server environment.

◆ You should not run External Usermapper and Internal Usermapper simultaneously in the same Celerra environment.

Configuring user mapping in multiprotocol environments

In multiprotocol environments, file systems can be accessed by both UNIX and Windows users. File access is determined by the permissions on the file or directory: the UNIX permissions, the Windows access control lists (ACLs), or both. Therefore, if a user has both UNIX and Windows user accounts, you should choose a mapping method that allows you to indicate that the two accounts represent the same user. The mapping methods that enable you to control the mappings used and ensure that specific Windows SIDs are mapped to the corresponding UNIX UIDs/GIDs and vice versa include the following:

◆ Active Directory (using Microsoft Management Console snap-ins)

◆ A Data Mover’s local user and group files

◆ Network Information Service (NIS)

Note: If a user in a multiprotocol environment will only use a single logon (either through Windows or UNIX), then it is acceptable to use Usermapper. If a user has only one account, mapping to an equivalent identity in the other environment is not necessary.


How user mapping works

When a user logs in to a Windows domain and requests access to a Data Mover's resources, the following sequence of events occurs:

1. When logging in to a Windows NT domain, or when accessing a Data Mover that was declared as a pre-Windows 2000 computer, the user is authenticated using NTLM (NT LAN Manager). If the Data Mover uses a computer name and is joined to a Windows 2000 or Windows Server 2003 domain, the user is authenticated through Kerberos or NTLMSSP (the NTLM Security Support Provider).

2. The user’s identification is forwarded to the Data Mover.

3. The Data Mover searches the following sources for an existing mapping of the user’s SID to a UID/GID:

a. The Data Mover first checks its local resources (its local cache and then its local passwd and group files) for an existing SID to UID/GID mapping.

b. If no mapping is found, and NIS is configured, the Windows domain controller is queried for the user or group name associated with the SID, and then NIS is queried for a UID/GID to associate with the name.

c. If no mapping is found, and queries to the Active Directory are configured (in Windows 2000 and Windows Server 2003 environments), the Data Mover queries the Active Directory for a SID to UID/GID mapping.

d. If no mapping is found, the Data Mover queries Usermapper for a SID to UID/GID mapping.

e. The primary Usermapper service checks its database to determine if this user or group has already been assigned a UID/GID. If not, the primary Usermapper generates a new UID or GID and adds the new user or group to its database along with the mapping. It then returns the mapping to the Data Mover.

f. The Data Mover permanently caches all mappings it receives from any source (local files, NIS, Active Directory, and Usermapper), making the response to subsequent SID to UID/GID mapping requests faster and less susceptible to network problems.

g. With the mapping in hand, the user is given access to the CIFS share (network drive).

h. If a user ID mapping cannot be resolved through one of these methods, an error is logged in the server log and the user is unable to access the CIFS share (network drive).

Note: If an nsswitch.conf file has been created on the Data Mover, the Data Mover will query the sources defined in that file for users and groups in the order defined after it checks its local cache. The Configuring Celerra Naming Services technical module provides information on using the nsswitch.conf file.
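The lookup chain in steps 3a through 3h, as an added worked example that is not part of this module or of EMC's software: a Python model of a Data Mover resolving a SID, with in-memory stand-ins (constructed here) for the local passwd/group files, the domain controller, the NIS maps, Active Directory and the primary Usermapper. All SIDs, names and ID values are hypothetical, and the nsswitch.conf ordering is not modeled.

```python
"""
Model of a Data Mover resolving a Windows SID to a UID or GID in the order
given under "How user mapping works": local cache, local passwd/group files,
NIS (after asking the domain controller for the account name), Active
Directory, then Usermapper. Every source is an in-memory stand-in built for
this example; nothing here talks to a real Celerra, NIS server, AD or DC.
"""
import logging
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("server_log")

USERMAPPER_FIRST_ID = 32768   # Usermapper starts at 32K; 0 and low values are reserved


@dataclass(frozen=True)
class Mapping:
    id: int       # UID for a user SID, GID for a group SID
    source: str   # local, nis, ad or usermapper


class Usermapper:
    """Primary Usermapper (step e): SID -> ID database plus a next-free counter."""

    def __init__(self, first_id: int = USERMAPPER_FIRST_ID) -> None:
        self.db: Dict[str, int] = {}
        self.next_id = first_id

    def lookup(self, sid: str) -> int:
        if sid not in self.db:              # unknown SID: allocate the next value
            self.db[sid] = self.next_id
            self.next_id += 1
        return self.db[sid]


class DataMover:
    def __init__(self, local_files: Dict[str, int],
                 dc_names: Dict[str, Tuple[str, str]],
                 nis_passwd: Dict[str, int], nis_group: Dict[str, int],
                 ad_map: Dict[str, int], usermapper: Optional[Usermapper]) -> None:
        self.local_files = local_files    # SID -> ID, stands in for passwd/group files
        self.dc_names = dc_names          # SID -> (kind, name) as the DC would answer
        self.nis_passwd = nis_passwd      # NIS passwd map: user name -> UID
        self.nis_group = nis_group        # NIS group map: group name -> GID
        self.ad_map = ad_map              # SID -> ID stored in Active Directory
        self.usermapper = usermapper      # None models "Usermapper unreachable"
        self.cache: Dict[str, Mapping] = {}   # step f: permanent cache of every answer

    def resolve(self, sid: str) -> Optional[Mapping]:
        if sid in self.cache:                      # step a: cache first
            return self.cache[sid]
        mapping = (self._from_local(sid) or self._from_nis(sid)
                   or self._from_ad(sid) or self._from_usermapper(sid))
        if mapping is None:                        # step h: log it, deny access
            log.error("no UID/GID mapping for SID %s; access denied", sid)
            return None
        self.cache[sid] = mapping                  # step f: remember it for good
        return mapping

    def _from_local(self, sid: str) -> Optional[Mapping]:       # step a: local files
        return Mapping(self.local_files[sid], "local") if sid in self.local_files else None

    def _from_nis(self, sid: str) -> Optional[Mapping]:         # step b: DC name, then NIS
        named = self.dc_names.get(sid)
        if named is None:
            return None
        kind, name = named
        table = self.nis_passwd if kind == "user" else self.nis_group
        return Mapping(table[name], "nis") if name in table else None

    def _from_ad(self, sid: str) -> Optional[Mapping]:          # step c: Active Directory
        return Mapping(self.ad_map[sid], "ad") if sid in self.ad_map else None

    def _from_usermapper(self, sid: str) -> Optional[Mapping]:  # steps d and e
        if self.usermapper is None:
            return None
        return Mapping(self.usermapper.lookup(sid), "usermapper")


# Constructed sample data: hypothetical SIDs, names and IDs.
DOMAIN = "S-1-5-21-1111-2222-3333"
SIDS = {
    "alice": f"{DOMAIN}-1001",        # in the local passwd file
    "bob": f"{DOMAIN}-1002",          # known to the DC and to NIS
    "domain_users": f"{DOMAIN}-513",  # group known to the DC and to NIS
    "carol": f"{DOMAIN}-1003",        # mapped in Active Directory
    "dave": f"{DOMAIN}-1004",         # known nowhere: Usermapper allocates
    "erin": f"{DOMAIN}-1005",         # known nowhere either
}
LOCAL_FILES = {SIDS["alice"]: 500}
DC_NAMES = {SIDS["bob"]: ("user", "bob"), SIDS["domain_users"]: ("group", "domain_users")}
NIS_PASSWD = {"bob": 1002}
NIS_GROUP = {"domain_users": 100}
AD_MAP = {SIDS["carol"]: 1003}


def demo() -> Dict[str, Optional[Mapping]]:
    dm = DataMover(LOCAL_FILES, DC_NAMES, NIS_PASSWD, NIS_GROUP, AD_MAP, Usermapper())
    out = {name: dm.resolve(sid) for name, sid in SIDS.items()}
    dm.usermapper = None                          # Usermapper now unreachable ...
    out["dave_again"] = dm.resolve(SIDS["dave"])  # ... but the cache still answers
    out["frank"] = dm.resolve(f"{DOMAIN}-1006")   # new SID, no source left: denied
    return out


if __name__ == "__main__":
    for name, m in demo().items():
        print(f"{name:12} {m.id if m else 'DENIED':>8}  {m.source if m else ''}")
```

Running the module shows why the permanent cache matters operationally: dave keeps his 32768 after Usermapper becomes unreachable, while frank, who has never been seen by this Data Mover, is refused and an error is logged.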


System requirements

This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using user mapping as described in this technical module.

EMC NAS Interoperability Matrix

The EMC NAS Interoperability Matrix is available on Powerlink™. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

Table 1 System requirements for user mapping

Software: Celerra Network Server Version 5.5.

Hardware: No specific hardware requirements.

Network: A Windows 2000, Windows Server 2003, or Windows NT domain. You must configure the domains with the following:

• Windows 2000 or Windows Server 2003 domains: Active Directory; Kerberos or NT LAN Manager (NTLMSSP); DNS; NTP

• Windows NT domains: NT LAN Manager (NTLM); WINS

Storage: Verify that sufficient space is available in the root file system. Contact your EMC Customer Support Representative for assistance with determining size requirements.


User interface choices

The Celerra Network Server offers flexibility in managing networked storage based on your support environment and interface preferences. This technical module describes how to configure user mapping using the command line interface (CLI). You can also perform some of these tasks using one of the Celerra management applications:

◆ Celerra Manager - Basic Edition

◆ Celerra Manager - Advanced Edition

◆ Celerra Monitor

◆ Microsoft Management Console (MMC) snap-ins

◆ Active Directory Users and Computers (ADUC) extensions

For additional information about managing your Celerra, refer to:

◆ Learning about Celerra

◆ Celerra Manager Online Help

◆ Monitoring Celerra

◆ Application’s online help system on the Celerra Network Server Documentation CD

The Installing Celerra Management Applications technical module includes instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions.

Using Celerra Manager to configure user mapping

Celerra Manager can be used to configure a Data Mover to use Usermapper and NIS, as described in Table 2. You cannot use Celerra Manager to manage the Active Directory or local files.

Table 2 User mapping configured using Celerra Manager

Naming service Celerra Manager procedure

NIS To configure the Data Mover as an NIS client, select Celerras > [Celerra_name] > Network and click the NIS Settings tab.

Usermapper To configure Usermapper, select Celerras > [Celerra_name] > CIFS and click the Usermappers tab.

Note: Celerra Manager can be used to configure Internal Usermapper services as well as upgrade or migrate an existing External Usermapper by transferring the primary Usermapper service from the Control Station to the Data Mover.


For more information on using Celerra Manager to configure user mapping, refer to the Celerra Manager online help.

Note: You can also use the configuration wizards to set up the use of NIS or basic Internal Usermapper.


User mapping roadmap

Table 3 lists the user mapping methods described in this technical module.

Table 3 User mapping roadmap

Task Procedure

Use Internal Usermapper. "Using Internal Usermapper" on page 14

Use External Usermapper. "Using External Usermapper" on page 27

Use the Active Directory with MMC snap-ins. "Using the Active Directory" on page 28

Use local files. "Using local files" on page 30

Use NIS. "Using NIS" on page 35

Use migration tools to move user accounts between Windows and UNIX environments. "Using user account migration tools" on page 37

Configure primary group mapping. "Configuring the primary group mapping for file system objects" on page 38


Using Internal Usermapper

Internal Usermapper is a Celerra service that automatically generates and maintains a database that maps SIDs to UIDs and GIDs for users or groups accessing file systems from a Windows domain.

◆ One instance of the Usermapper service serves as the primary Usermapper service, meaning that it assigns UIDs and GIDs to Windows users and groups. By default, this instance is configured on the Data Mover in slot 2 (server_2).

◆ The other Data Movers in a single Celerra environment are configured as clients of the primary Usermapper service, meaning that they send mapping requests to the primary service when they do not find a mapping for a user or group in their local cache. By default, all the client Data Movers automatically issue a broadcast over the Celerra system’s internal interfaces to discover the location of the primary Usermapper service.

◆ In a multi-Celerra environment, other instances of the Usermapper service can serve as secondary Usermapper services. Like a primary Usermapper service, a secondary Usermapper service checks its database to determine if a user or group has already been assigned a UID/GID. If not, it forwards the mapping request to the primary Usermapper service. The primary Usermapper service checks its database and, if necessary, generates a new UID or GID, returning the mapping to the secondary Usermapper service. The secondary Usermapper service then adds the new user or group to its database along with the mapping and returns the mapping to the Data Mover. Secondary Usermapper services provide high availability by allowing mappings to be collected and stored on each Celerra server in a multi-Celerra environment. If the secondary Usermapper service is unavailable, new users cannot access files, and existing users can access files only through a Data Mover they have used before, whose local cache still holds their mapping.

Restrictions

Before you configure and run Usermapper, note these restrictions:

◆ Designate only one primary Usermapper service in a Celerra Network Server environment. Otherwise, the same user can be assigned different mappings.

◆ In a single Celerra, make sure that there is only one instance of the Usermapper service, either primary or secondary. All the other Data Movers in that Celerra are clients of the primary or secondary service.

◆ In a multi-Celerra environment, make sure that the primary Usermapper service is enabled before you configure any secondary Usermapper services.

◆ By default, Usermapper runs on the Data Mover in slot 2 (server_2). This is the preferred location from which to run the primary or secondary Usermapper service.

◆ You cannot configure a primary or secondary Usermapper service on a virtual Data Mover (VDM).


◆ Do not run Internal Usermapper and External Usermapper simultaneously in the same Celerra environment.

Planning considerations

Before you begin using Internal Usermapper, consider the following situations:

◆ Usermapper stops mapping new UIDs and GIDs once the root file system of the Data Mover on which the Usermapper database is stored becomes 95 percent full. In this situation, new users will not be allowed access to system objects. The size of the root file system that is required is based on the number of users in your Windows environment. Contact your EMC Customer Support Representative for assistance with determining size requirements.

◆ If you are replicating a Windows environment that uses Usermapper or if you are using the Symmetrix Remote Data Facility (SRDF®), special Usermapper restrictions may apply. Contact your EMC Customer Support Representative for more information.

◆ In Internal Usermapper, the UID and GID ranges are fixed in the Usermapper database and Usermapper automatically assigns new UIDs and GIDs based on the next available value. Therefore, it does not need to use a Usermapper configuration file to define UID and GID ranges. However, it is possible to import an existing usrmap.cfg and use this file to define UID and GID ranges. This is referred to as the manual mapping method. Once the ranges defined in the usrmap.cfg file are enabled, Internal Usermapper’s automatic mapping method maintains this information and prevents duplicate mappings.

Note: If there is no special reason to use particular UID and GID ranges for your environment’s domains, EMC encourages you to use the automatic mapping method and let Internal Usermapper automatically assign new UIDs and GIDs based on the next available values. If a future revision to the usrmap.cfg file cannot be avoided, contact your EMC Customer Support Representative for assistance.

◆ Usermapper supports the SID (security identifier) history functionality introduced in Windows 2000. This aids the migration of users from Windows NT domains to Windows 2000 native mode domains. To use SID History, it must be enabled in Windows 2000 and on your Celerra system. Refer to your Windows 2000 documentation for the correct procedure for enabling SID History on your Windows 2000 systems. With SID History enabled, when you are migrating users from a Windows NT domain or a Windows 2000 domain in mixed mode to a Windows 2000 domain in native mode, the user's access token contains the SID history from the Windows NT domain and a new SID from the Windows 2000 domain. Internal Usermapper automatically assigns UID and GID mappings, including SID history, by default.


Using the default single-Celerra Usermapper configuration

When a new Celerra Network Server running software Version 5.3 or later is started for the first time, it is automatically configured with the default single-Celerra Usermapper configuration. In this situation, Usermapper is automatically enabled as a NAS service and no additional installation or configuration procedures are required. The default Usermapper configuration consists of a single Celerra Network Server in which the Data Mover in slot 2 (server_2) is configured with the primary Usermapper service. Each of the remaining Data Movers in the Celerra system caches all the SID-to-UID/GID mappings it has used; if one of these Data Movers is accessed by a user for whom it does not have a mapping, it queries the primary Usermapper service. These Data Movers are clients of the primary Usermapper service. By default, all the Data Movers in the Celerra system automatically issue a broadcast over the Celerra's internal interfaces to discover the location of the primary Usermapper service.

Certain UID and GID values are reserved and cannot be mapped to SIDs. For example, 0 is reserved for the UNIX root account. Additional numbers are reserved for maintenance. UID and GID values can start at 32K. The maximum possible value for UIDs and GIDs is imposed by the underlying file system. All domain users and groups accessing this file system are assigned UIDs and GIDs based on these definitions.

Note: As in a standard Celerra configuration, you can configure another Data Mover to serve as a failover Data Mover, providing a backup for the primary Usermapper service.

"Displaying Usermapper status" on page 20 describes how to verify the Usermapper configuration and display its current status. If the primary Usermapper service is not automatically enabled, refer to "Troubleshooting user mapping" on page 41. "Managing Usermapper" on page 20 provides information on managing your Usermapper environment.

Configuring a multi-Celerra Usermapper environment

If you have a Celerra Network Server environment in which more than one Celerra Network Server shares the same Windows domain space, the default Usermapper configuration is not suitable: each Celerra would assign its own, unrelated UIDs and GIDs to the same SIDs. In this situation, you must modify the default Usermapper configuration on all the additional Celerra Network Servers to use one primary Usermapper service. EMC recommends a configuration in which the Data Mover located in slot 2 (server_2) of each of the additional Celerra servers is configured as a secondary Usermapper service. The remaining Data Movers in each Celerra server then send mapping requests to their local secondary Usermapper service, and each secondary Usermapper service forwards these requests to the single primary Usermapper service.

Note: The secondary Usermapper service sends mapping requests to the primary Usermapper service one at a time and only when needed. Therefore, all the secondary Usermapper services in an environment may not have the same entries in their databases.


Note: If you have a Celerra Network Server environment in which multiple Celerra Network Servers do not share the same Windows domain, each domain should be configured with its own primary Usermapper service.

The online Celerra man pages or the Celerra Network Server Command Reference Manual provide a detailed synopsis of the commands and syntax conventions presented in this section.

Note: In the following description, the Celerra Network Server that supports the primary Usermapper service is referred to as Celerra 1 and the Celerra Network Server that runs the secondary Usermapper service is referred to as Celerra 2.

Table 4 Tasks for configuring a multi-Celerra Usermapper environment

Task  Action  Procedure
1. On the first Celerra, verify that the primary Usermapper service is enabled.  "Task 1: Verify the status of the primary Usermapper service" on page 17
2. On the second Celerra, disable the default primary Usermapper service.  "Task 2: Disable the primary Usermapper service" on page 18
3. On the second Celerra, configure a secondary Usermapper service.  "Task 3: Configure the secondary Usermapper service" on page 18
4. On the second Celerra, verify that the secondary Usermapper service is enabled.  "Task 4: Verify the status of the secondary Usermapper service" on page 19

Task 1: Verify the status of the primary Usermapper service

On Celerra 1, verify that the primary Usermapper service is enabled on server_2. This is the default configuration.

Action
To verify that the primary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To verify that the primary Usermapper service is enabled on server_2 of Celerra 1, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Primary


Task 2: Disable the primary Usermapper service

Since the default Usermapper configuration always designates the Data Mover in slot 2 (server_2) as supporting the primary Usermapper service, you must explicitly reconfigure a Data Mover on Celerra 2 to support a secondary Usermapper service.

On Celerra 2, disable the primary Usermapper service that is enabled by default.

Note: No user mapping requests should be sent to the primary Usermapper service on Celerra 2 before you have reconfigured it; any UIDs and GIDs it assigned would come from a second, independent mapping database rather than from the primary on Celerra 1. Consequently, you should not configure CIFS on the Celerra 2 Data Movers until the Usermapper service is reconfigured as a secondary service.

Action
To disable the primary Usermapper service, use this command syntax:
$ server_usermapper <movername> -disable
Where:
<movername> = name of the specified Data Mover
Example:
To disable the primary Usermapper service on server_2 of Celerra 2, type:
$ server_usermapper server_2 -disable
Output
server_2 : done

Task 3: Configure the secondary Usermapper service

Once you have disabled the primary Usermapper service on Celerra 2, you can configure server_2 to run as a secondary Usermapper service.

When you enable a secondary Usermapper service, you also indicate the location of the primary Usermapper service to which the secondary service will send mapping requests. To do this, you specify the IP address of the Data Mover on which the primary service is located.

Note: The primary Usermapper service must be enabled before you can configure a secondary service.

Action
To enable a secondary Usermapper service, use this command syntax:
$ server_usermapper <movername> -enable primary=<ip addr>
Where:
<movername> = name of the specified Data Mover
<ip addr> = network IP address of the Data Mover on which the primary Usermapper service is running
Example:
To enable a secondary Usermapper service on server_2 of Celerra 2, type:
$ server_usermapper server_2 -enable primary=192.168.21.1
Output
server_2 : done

Task 4: Verify the status of the secondary Usermapper service

Verify that the secondary Usermapper service has been enabled on server_2 of Celerra 2.

Action
To verify that the secondary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To verify that the secondary Usermapper service is enabled on server_2 of Celerra 2, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1


Managing Usermapper

This section describes the tasks you perform to manage Usermapper.

The online Celerra man pages or the Celerra Network Server Command Reference Manual provide a detailed synopsis of the commands and syntax conventions presented in this section.

Table 5 Usermapper management tasks

Management task  Procedure
Display Usermapper status.  "Displaying Usermapper status" on page 20.
Import and export user and group information.  "Importing and exporting database information" on page 22.
Maintain the Usermapper database.  "Maintaining the Usermapper database" on page 24.
Back up Usermapper.  "Backing up Usermapper" on page 25.

Displaying Usermapper status

You can display Usermapper status on your Celerra Network Server using two commands:

◆ The server_usermapper command displays the status of Internal Usermapper services running on a Data Mover.

◆ The server_cifs command displays a Data Mover's CIFS configuration, including the Usermapper service it is using.

Displaying Usermapper service information

The server_usermapper command displays the status of Internal Usermapper services running on a Data Mover, including:

◆ Whether the Usermapper is configured as a primary or secondary service.

◆ The IP address of the primary Usermapper service used by the secondary.

◆ The operational status of the service.

Usermapper has three operational states:
• Uninitialized: Usermapper is not available on the Data Mover.
• Initialized: Usermapper has been created on the Data Mover but is disabled for some reason.
• Enabled: Usermapper is running.

You should have only one instance of the Usermapper service, either primary or secondary, in a single Celerra server. All the other Data Movers in that environment are clients of the primary or secondary service.

Action
To display the status of the Usermapper service, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To display the status of the Usermapper service on server_2, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1

Displaying the Data Mover's Usermapper service

The server_cifs command displays a Data Mover's CIFS configuration, including the Usermapper service it is using.

Note: If you issue a server_cifs command for the Data Mover on which the Usermapper service is running (typically server_2), the Usermapper service listed displays the Data Mover's loopback address (127.0.0.1) as the IP address of its Usermapper service.

Action
To display the Usermapper service used by a Data Mover, use this command syntax:
$ server_cifs <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To display the Usermapper service used by server_3, type:
$ server_cifs server_3
Output
server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[192.168.1.2] state:active (auto discovered)
Usermapper[1]=[192.168.2.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
Note
This example shows that server_3 is using the Usermapper service located on server_2 at internal IP addresses 192.168.1.2 and 192.168.2.2, that the service is available, and that the service was located using the auto-discovery broadcast.
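The following script is an added example, not part of this technical module or of EMC's tooling. It parses the two status outputs shown in this section exactly in the formats printed above, and checks the topology that the multi-Celerra procedure is meant to produce: exactly one enabled primary per Windows domain space, every secondary pointing at it, and every client Data Mover holding an active Usermapper entry. The sample outputs embedded in it are constructed from the formats in this section; the primary_ip argument (the address the secondaries were enabled with) is assumed to be known to the operator.

```python
import re

# Line patterns for the two status outputs shown in this section.
SERVICE_RE = re.compile(r"^(?P<mover>\S+) : Usrmapper service: (?P<state>\w+)", re.M)
CLASS_RE = re.compile(r"^Service Class: (?P<cls>\w+)", re.M)
PRIMARY_RE = re.compile(r"^Primary = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.M)
CIFS_MAPPER_RE = re.compile(
    r"^Usermapper\[(?P<idx>\d+)\]=\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"state:(?P<state>\w+)(?: \((?P<how>[^)]*)\))?", re.M)
BROADCAST_RE = re.compile(r"^Usermapper auto broadcast (?P<mode>enabled|disabled)", re.M)


def parse_usermapper_status(text):
    """Parse `server_usermapper <mover>` output into mover/state/class/primary."""
    m = SERVICE_RE.search(text)
    if m is None:
        raise ValueError("not server_usermapper output: %r" % text[:40])
    cls = CLASS_RE.search(text)
    prim = PRIMARY_RE.search(text)
    return {"mover": m["mover"], "state": m["state"],
            "class": cls["cls"] if cls else None,
            "primary": prim["ip"] if prim else None}


def parse_cifs_usermappers(text):
    """Return the Usermapper[n] entries of `server_cifs <mover>` output."""
    return [{"index": int(m["idx"]), "ip": m["ip"], "state": m["state"], "how": m["how"]}
            for m in CIFS_MAPPER_RE.finditer(text)]


def check_topology(statuses, primary_ip):
    """statuses: {label: parsed server_usermapper output} for every Usermapper
    Data Mover sharing one Windows domain space. primary_ip is the address the
    secondaries were enabled with (assumed known to the operator)."""
    findings = []
    primaries = sorted(l for l, s in statuses.items()
                       if s["class"] == "Primary" and s["state"] == "Enabled")
    if len(primaries) != 1:
        findings.append("expected exactly one enabled primary, found %d: %s"
                        % (len(primaries), primaries))
    for label, s in sorted(statuses.items()):
        if s["class"] == "Secondary" and s["state"] == "Enabled" and s["primary"] != primary_ip:
            findings.append("%s: secondary uses primary %s, expected %s"
                            % (label, s["primary"], primary_ip))
    return findings


def check_client(cifs_text):
    """Confirm a client Data Mover has found a usable Usermapper service."""
    findings = []
    mappers = parse_cifs_usermappers(cifs_text)
    bcast = BROADCAST_RE.search(cifs_text)
    if not mappers:
        findings.append("no Usermapper service configured or discovered")
    elif bcast and bcast["mode"] == "enabled" and not all(m["how"] == "auto discovered" for m in mappers):
        findings.append("auto broadcast enabled but a Usermapper entry was not auto discovered")
    for m in mappers:
        if m["state"] != "active":
            findings.append("Usermapper[%d]=%s state:%s" % (m["index"], m["ip"], m["state"]))
    return findings


# Constructed sample outputs, in the formats shown in this section.
PRIMARY_OUT = "server_2 : Usrmapper service: Enabled\nService Class: Primary\n"
SECONDARY_OUT = ("server_2 : Usrmapper service: Enabled\nService Class: Secondary\n"
                 "Primary = 192.168.21.1\n")
CIFS_OUT = """server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[192.168.1.2] state:active (auto discovered)
Usermapper[1]=[192.168.2.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
"""

if __name__ == "__main__":
    good = {"celerra1/server_2": parse_usermapper_status(PRIMARY_OUT),
            "celerra2/server_2": parse_usermapper_status(SECONDARY_OUT)}
    print(check_topology(good, "192.168.21.1"))
    # Task 2 skipped on Celerra 2: both server_2 Data Movers still run a primary.
    bad = {"celerra1/server_2": parse_usermapper_status(PRIMARY_OUT),
           "celerra2/server_2": parse_usermapper_status(PRIMARY_OUT)}
    print(check_topology(bad, "192.168.21.1"))
    print(check_client(CIFS_OUT))
```

Feed it the captured output of the two commands from each Data Mover; the second topology check reproduces the case where Task 2 of the multi-Celerra procedure was skipped and two primaries hand out unrelated UIDs for the same SIDs.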


Importing and exporting database information

You can import and export user and group information to and from the Usermapper database.

Importing database information

Typically, you import information into the Usermapper database from a user and group file in order to reimport an edited Usermapper database, migrate the primary Usermapper service from one Data Mover to another, or upgrade or migrate your Usermapper configuration. Contact your EMC Customer Support Representative for assistance if you are migrating the primary Usermapper service from one Data Mover to another or if you are upgrading or migrating from External Usermapper to an Internal Usermapper configuration.

Use the -Import option to the server_usermapper command to import a user or group file. Usermapper can import files in either of two formats: a standard UNIX format that corresponds to the passwd and group file formats, or a format that includes the SID in the first field, as shown in the following examples.

Note: These two file formats were referred to as Format 1 and Format 3 in External Usermapper.

Example of a user file entry in standard UNIX format (Format 1):

rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh

Example of a user file entry in SID-based format (Format 3):

S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh

Example of a group file entry in standard UNIX format (Format 1):

people.mass.subscribers.db.dir:*:58362:people.mass.subscribers.db.dir:

Example of a group file entry in SID-based format (Format 3):

S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:

To import user information into the Usermapper database, use the following command syntax.

Action
To import user information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the user file to be imported
Example:
To import user information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -user /nas/cifs/usrmapperV3/linux/usrmap.passwd
Output
server_2 : done

To import group information into the Usermapper database, use the following command syntax.

Action
To import group information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the group file to be imported
Example:
To import group information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -group /nas/cifs/usrmapperV3/linux/usrmap.group
Output
server_2 : done

Exporting database information

Typically, you would export user and group information from the Usermapper database in order to migrate the primary Usermapper service, back up the Usermapper database, or collect information for troubleshooting.

Use the -Export option to the server_usermapper command to export a user or group file. Usermapper exports files in a format that includes the SID in the first field, as shown in the following examples.

Note: This file format was referred to as Format 3 in External Usermapper.

Example of a user file entry in SID-based format (Format 3):

S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh

Example of a group file entry in SID-based format (Format 3):

S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:

To export user information from the Usermapper database, use the following command syntax.

Action
To export user information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example:
To export user information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
Output
server_2 : done

To export group information from the Usermapper database, use the following command syntax.

Action
To export group information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example:
To export group information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
Output
server_2 : done

Maintaining the Usermapper database

Do not modify the Usermapper database files. Windows users may have problems accessing files if you modify the Usermapper database files.

If an issue seems to require a change to a Usermapper mapping entry, you must consult your EMC Customer Support Representative to determine the best course of action.

Note: Changes made to the Usermapper database are not reflected by a client Data Mover if the client Data Mover has already cached the existing Usermapper information in its local cache. If files and folders have already been created using the existing UIDs and GIDs, simply changing the UID or GID map will make those file objects inaccessible to the Windows users who own them.


Backing up Usermapper

Use the following procedure to back up your Internal Usermapper configuration.

Step  Action
1. As root, dump the password and group files to a specified directory by typing:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
2. Make a backup copy of the current usrmap.cfg file (if one is in use) by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.cfg /home/nasadmin/usrmap.cfg
3. Also make a backup copy of the usrmap.settings file by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.settings /home/nasadmin/usrmap.settings

Changing Usermapper default configuration settings

Usermapper has default configuration settings, but you can change them by modifying the following parameters:

◆ usrmap minuid

◆ usrmap maxuid

◆ usrmap mingid

◆ usrmap maxgid

You can view and dynamically modify parameter values using the server_param command or the Celerra Manager graphical user interface. This technical module describes only the command-line procedures. The Celerra Manager Online Help explains how to use the graphical user interface to modify parameter values. The Celerra Network Server Parameters Guide describes all Celerra Network Server parameters.


Table 6 shows the Usermapper parameters and their values.

Note: If you have imported a preexisting configuration file, these UID and GID range limits only apply when a new Usermapper database entry is created. Once the database is created, you cannot change maximum UID and GID values.

To change one of the default Usermapper UID or GID minimum or maximum values (refer to Table 6), use the following command syntax.

Action
To change one of the default Usermapper UID or GID minimum or maximum values, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the minimum UID value, type:
$ server_param server_2 -facility usrmap -modify minuid -value 32
Note: Parameter and facility names are case-sensitive.
Output
server_2 : done

Table 6 Usermapper parameters

Module  Parameter  Value  Comment/Description
usrmap  minuid  16 to 2^31-1 (default 16)  Minimum UID value. minuid must be less than maxuid.
usrmap  maxuid  16 to 2^31-1 (default 2^31-1)  Maximum UID value. maxuid must be greater than minuid.
usrmap  mingid  16 to 2^31-1 (default 16)  Minimum GID value. mingid must be less than maxgid.
usrmap  maxgid  16 to 2^31-1 (default 2^31-1)  Maximum GID value. maxgid must be greater than mingid.


Using External Usermapper

External Usermapper runs as a daemon on a Celerra Control Station. Typically, this Usermapper daemon serves as the primary Usermapper service (the instance of Usermapper that assigns UIDs and GIDs) for the Data Movers within a Celerra Network Server environment. The Data Movers function as clients of the primary Usermapper, meaning they send mapping requests to the primary Usermapper when they cannot determine file access locally.

Other instances of Usermapper can serve as secondary Usermappers, meaning they collect requests for mappings and forward them to the primary Usermapper. Typically, you would only configure a secondary Usermapper in a distributed environment in which remote locations communicate with the primary Usermapper over a wide area network (WAN).

Note: The recommended Usermapper configuration runs the Usermapper daemon, functioning as the primary Usermapper, on Control Station CS_0. Consult with EMC Customer Service to determine whether the use of secondary Usermappers will be advantageous.

The Configuring External Usermapper for Celerra technical module provides information on configuring and managing External Usermapper.


Using the Active Directory

If your multiprotocol environment consists primarily of Windows users, you can use the Active Directory to centralize both your Windows and UNIX user account management.

If the Active Directory schema is extended to include UNIX attributes for Windows users and groups, you can configure a Data Mover to query the Active Directory to determine whether a user, and the group the user is a member of, have UNIX attributes assigned. If so, the information stored in these attributes is used for file access authorization.

To configure a Data Mover to query the Active Directory, you must do the following:

1. Install the UNIX user management component of the Celerra CIFS Microsoft Management Console (MMC) snap-ins for managing Celerra users from a Windows computer. These snap-ins provide a manual mapping method that enables you to assign specific UIDs and GIDs to Windows users.

2. Set the cifs.useADMap parameter to 1 to enable the snap-ins to interact with the Data Mover.

The Installing Celerra Management Applications technical module and the Celerra UNIX User Management and Celerra UNIX Attribute Migration online help systems provide more information. The online help provides details of the Active Directory schema extensions. Also refer to "Using user account migration tools" on page 37 for information about migrating user information from one environment to another.

Celerra UNIX user management snap-in Celerra UNIX User Management is an MMC snap-in to the Celerra Management view that you can use to assign, remove, or modify UNIX UID/GIDs for a single Windows user or group on the local domain and on remote domains.

You also use this snap-in to select the location of the attribute database. This location can either be in a local or a remote domain. You would choose to store the attribute database in the Active Directory of a local domain if:

◆ You have only one domain.

◆ Trusts are not allowed.

◆ You have no need to centralize your UNIX user management information.

You would choose a remote domain if:

◆ You have multiple domains.

◆ Bidirectional trusts between domains that need to access the attribute database already exist.

◆ You want to centralize your UNIX user management.


Celerra UNIX users and groups property page extension Celerra UNIX Users and Groups property pages are extensions to Active Directory Users and Computers view. You can use these property pages to assign, remove, or modify UNIX UID/GIDs for a single Windows user or group on the local domain.

Note: You cannot use this extension to manage users or groups on a remote domain.


Using local files

If your multiprotocol environment consists primarily of UNIX users and has more than one Windows domain, or usernames that are not unique across the Windows domains, you can manually edit the Data Mover's local passwd and group files.

By default, the Data Mover checks for a username in the form username.domain and a groupname in the form groupname.domain. If the usernames and groupnames do not have a domain association, you must add the Windows domain name as well as verify that the Windows user is assigned the UID and GID of the existing UNIX account.

Note: "Using user account migration tools" on page 37 provides information about migrating user information from one environment to another.

If you have added usernames and groupnames to the local files without a domain association, you can set the cifs.resolver parameter so the Data Mover looks for the names without appending the domain. "Using NIS" on page 35 provides a description of using the cifs.resolver parameter.

When editing the passwd and group files, the following rules apply:

◆ All of the entries (Windows names, usernames, domain names, global group names) in the passwd and group files must be entered in lowercase ASCII only.

◆ Any spaces in Windows domain or group names should be replaced with =20 so that they become legal in a UNIX-style passwd or group file.

◆ If you are using UNIX user authentication, issue the server_user command to generate an encrypted password in the password field, but do not include the domain as part of the username.

Note: The Configuring Celerra Naming Services technical module provides additional information on using local files for naming services.

Use this procedure to manually add Windows users and groups to the passwd and group files on the Data Mover.

The online Celerra man pages or the Celerra Network Server Command Reference Manual provide a detailed synopsis of the commands and syntax conventions presented in this section.

Table 7 Using local files tasks

Task  Action  Procedure
1. Copy the passwd and group files from the Data Mover to the Control Station for editing. If the local files do not exist, create them with an ASCII editor such as vi or Emacs.  Task 1: "Copy files from the Data Mover" on page 31.
2. Add the Windows domain name as a group name to the UNIX group file.  Task 2: "Add Windows domain name as a group name" on page 32
3. Add the Windows usernames from the Windows domain to the UNIX password file.  Task 3: "Add Windows usernames" on page 33
4. Copy the passwd and group files back to the Data Mover.  Task 4: "Copy files to the Data Mover" on page 34

Task 1: Copy files from the Data Mover

Before you can edit the local files, you must copy them from the Data Mover.

!CAUTION! This command overwrites existing files of the same name without notification. Use care when copying files.

Action
To copy the passwd or group file, use the following command syntax for each file:
$ server_file <movername> -get <src_file> <dst_file>
Where:
<movername> = name of the specified Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Example:
To copy the passwd file to /home/nasadmin/passwd, type:
$ server_file server_2 -get passwd /home/nasadmin/passwd
Output
server_2 : done


Task 2: Add Windows domain name as a group name

Use this procedure to add the domain name to the copy of the group file retrieved from the Data Mover.

Note: Use the UNIX text editors vi or Emacs to manually modify the configuration file. You can also use Windows Notepad.

Action
Using a text editor, add the Windows domain name as a group name in the group file. Assign a GID for the newly created group name. The group file entries are in the following format:
<groupname.domain>:*:<GID>:
Where:
<groupname.domain> = the group name and Windows domain name.
* = indicates the UNIX password for the group. This field should contain an asterisk (*) because the password is not used on the Celerra Network Server.
<GID> = unique numeric group ID that you assign to the group name.
Example 1:
To add the Windows domain galaxy to the group file, add the following line:
galaxy:*:100:
The Windows domain galaxy is the group name; 100 is the GID.
Example 2:
Here is an example of a group file, including the galaxy example and the default Windows global groups:
.
. (numerous UNIX groups skipped)
.
galaxy:*:100:
domain=20admins.galaxy:*:101:
domain=20users.galaxy:*:102:
domain=20guests.galaxy:*:103:


Task 3: Add Windows usernames

Use this procedure to add usernames to the copy of the passwd file retrieved from the Data Mover.

Action
Add the Windows usernames from the Windows domain to the passwd file and assign each user a unique UID and the GID specified for the Windows domain in "Add Windows domain name as a group name" on page 32. Password file entries are in the following format:
<user.domain>:*:<UID>:<GID>:<name>:<path>:<shell>
Where:
<user.domain> = the Windows username and domain name.
* = indicates the UNIX password for the user. If the user authentication mode on the Data Mover is set to NT or SHARE, this field should contain an asterisk (*). If the Data Mover uses UNIX user authentication, the field should contain the encrypted password for the user.
<UID> = a unique user ID that you assign.
<GID> = GID assigned to the domain.
<name>, <path>, and <shell> are optional informational fields and are ignored during processing.
Example:
The following is an example of a password file entry for user glenn in domain galaxy. This requires an entry in passwd as:
glenn.galaxy:*:530:100:J.GLENN:/usr/home/jdir:/bin/csh
Where:
glenn = Windows username.
galaxy = Windows domain name; appended to preclude accidental mapping to existing UNIX or Windows clients of the same name.
* = indicates the UNIX password for the user. If the user authentication mode on the Data Mover is set to NT or SHARE, this field is ignored.
530 = UID.
100 = GID.
J.GLENN = username (optional; ignored during processing).
/usr/home/jdir = UNIX home directory path (optional; ignored during processing).
/bin/csh = UNIX shell (optional; ignored during processing).


Task 4: Copy files to the Data Mover

Use the following procedure to copy the edited local files back to the Data Mover.

!CAUTION! This command overwrites existing files of the same name without notification. Use care when copying files.

Action
To copy the passwd or group file, type the following for each file:
$ server_file <movername> -put <src_file> <dst_file>
Where:
<movername> = name of the specified Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Examples:
$ server_file server_2 -put passwd passwd
$ server_file server_2 -put group group

Output

server_2 : done
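Tasks 2 and 3 are easy to get subtly wrong by hand (a capital letter, a space in a group name, a UID that an existing UNIX account already holds), and the Data Mover will simply fail to match the entry. The following generator and pre-put check is an added example, not part of this module or of EMC's tooling. It applies the rules listed under "Using local files": names are lowercase ASCII only, spaces become =20, Windows names carry the .domain suffix, each user gets a unique UID and the GID of the domain group. The galaxy domain and its global groups are this module's own example; the second user and the UID assumed to be taken by an existing UNIX account are constructed. The gecos, home and shell fields are filled in only because the format requires them; the Data Mover ignores them.

```python
import string

# Characters legal in a Data Mover passwd/group name after encoding:
# lowercase ASCII letters and digits, '.', '-', '_' and the '=20' space encoding.
ALLOWED = set(string.ascii_lowercase + string.digits + "._-=")


def unix_name(name, domain=None):
    """Encode a Windows user, group or domain name the way the Data Mover
    looks it up: lowercase ASCII, spaces as =20, optional '.domain' suffix."""
    n = name.lower().replace(" ", "=20")
    if domain:
        n = "%s.%s" % (n, domain.lower())
    if not n.isascii() or any(c not in ALLOWED for c in n):
        raise ValueError("%r is not lowercase ASCII after encoding: %r" % (name, n))
    return n


def build_group_entries(domain, domain_gid, global_groups):
    """Task 2: the domain itself as a group (users inherit its GID), then
    each Windows global group with consecutive GIDs."""
    lines = ["%s:*:%d:" % (unix_name(domain), domain_gid)]
    for i, g in enumerate(global_groups, 1):
        lines.append("%s:*:%d:" % (unix_name(g, domain), domain_gid + i))
    return lines


def build_passwd_entries(domain, users, domain_gid, first_uid, taken_uids=()):
    """Task 3: one passwd entry per Windows user with a unique UID and the
    domain GID. UIDs already held by UNIX accounts (taken_uids) are skipped."""
    taken, uid, lines = set(taken_uids), first_uid, []
    for u in users:
        while uid in taken:
            uid += 1
        taken.add(uid)
        name = unix_name(u, domain)
        # gecos, home and shell are informational only and ignored by the Data Mover
        lines.append("%s:*:%d:%d:%s:/usr/home/%s:/bin/sh"
                     % (name, uid, domain_gid, unix_name(u), unix_name(u)))
        uid += 1
    return lines


def validate(passwd_lines, group_lines):
    """Checks to run before `server_file -put`: lowercase ASCII only, every
    UID and GID unique, every user GID present in the group file."""
    findings, gids, seen = [], {}, {}
    for ln in group_lines:
        name, _, gid, _ = ln.split(":")
        if ln != ln.lower() or not ln.isascii():
            findings.append("group entry not lowercase ASCII: %s" % ln)
        if int(gid) in gids:
            findings.append("%s: GID %s already used by %s" % (name, gid, gids[int(gid)]))
        gids.setdefault(int(gid), name)
    for ln in passwd_lines:
        name, _, uid, gid = ln.split(":")[:4]
        if ln != ln.lower() or not ln.isascii():
            findings.append("passwd entry not lowercase ASCII: %s" % ln)
        if int(gid) not in gids:
            findings.append("%s: GID %s not defined in the group file" % (name, gid))
        if int(uid) in seen:
            findings.append("%s: UID %s already used by %s" % (name, uid, seen[int(uid)]))
        seen.setdefault(int(uid), name)
    return findings


if __name__ == "__main__":
    # Constructed input: the galaxy domain from this module plus a second user;
    # UID 531 is assumed to belong to an existing UNIX account.
    groups = build_group_entries("galaxy", 100, ["Domain Admins", "Domain Users", "Domain Guests"])
    users = build_passwd_entries("galaxy", ["glenn", "Jane Doe"], 100, 530, taken_uids={531})
    print("\n".join(groups + users))
    print(validate(users, groups))
```

Append the generated lines to the copies retrieved in Task 1, run validate over the complete files (existing UNIX entries included, so that UID clashes with them are caught), and only then put the files back in Task 4.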


Using NIS If your multiprotocol environment consists primarily of UNIX users and has only one Windows domain, or usernames that are unique across multiple Windows domains, you can use NIS to manage user and group mapping.

The Configuring Celerra Naming Services technical module provides information on configuring a Data Mover to access a NIS server. For information about manually updating the NIS passwd and group maps, refer to your NIS server documentation.

Note: All of the entries (Windows names, usernames, domain names, global group names) in the passwd and group maps must be entered in lowercase ASCII only.

"Using user account migration tools" on page 37 provides information about migrating user information from one environment to another.

Once you have NIS configured, the Data Mover automatically checks NIS for a user and group names. By default, it checks for a username in the form username.domain and a groupname in the form groupname.domain. If you have added usernames and groupnames to NIS without a domain association, you can set the cifs.resolver parameter so the Data Mover looks for the names without appending the domain.

To change the default format of username and groupname so they can be retrieved from NIS without a domain extension, use the following command syntax.

Action
To change the default format of username and groupname so they can be retrieved from NIS without a domain extension, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the default format of username and groupname so they can be retrieved from NIS without a domain extension, type:
$ server_param server_2 -facility cifs -modify resolver -value 1
Note: Parameter and facility names are case-sensitive.
Output
server_2 : done

Table 8 shows the cifs.resolver parameter and its values.

You can view and dynamically modify parameter values using the server_param command or the Celerra Manager graphical user interface. This technical module describes only the command-line procedures. The Celerra Manager Online Help explains how to use the graphical user interface to modify parameter values. The Celerra Network Server Parameters Guide describes all Celerra Network Server parameters.

Table 8 cifs.resolver parameter

Module  Parameter  Value  Comment/Description
cifs  resolver  0 (default) or 1  Setting this parameter to 1 enables the retrieval of NIS entries without domain extensions for SID mapping. With cifs.resolver=1, the Data Mover first tries to retrieve the UID/GID from NIS or the local user/group files without appending the domain extension; if this fails, the extension is then used. With cifs.resolver=0, the domain extension is always used to get the UID/GID.
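The lookup order in Table 8 is what makes cifs.resolver=1 safe only when usernames are unique across domains: an undotted entry is tried first, so two Windows accounts with the same name in different domains both land on it and share a UID. The following simulation of that order is an added example, not part of this module or of EMC's tooling. The passwd table is constructed (it stands in for the NIS passwd map or the local passwd file), and lowercasing the looked-up name is an assumption drawn from the rule that all entries must be lowercase ASCII.

```python
# Constructed lookup table standing in for the NIS passwd map or the local
# passwd file: name -> (UID, GID). 'glenn' is a pre-existing UNIX account;
# the dotted names are Windows users entered per "Using local files".
PASSWD = {
    "glenn": (1001, 50),
    "glenn.galaxy": (530, 100),
    "glenn.orion": (640, 200),
    "carol.orion": (641, 200),
}


def lookup_order(name, domain, resolver):
    """Keys the Data Mover tries, in order, for the given cifs.resolver value
    (Table 8). Names are lowercased because the maps must be lowercase ASCII
    (assumption: the Windows name is folded to match them)."""
    with_domain = "%s.%s" % (name.lower(), domain.lower())
    return [name.lower(), with_domain] if resolver == 1 else [with_domain]


def resolve(name, domain, table, resolver):
    """Return (matched key, (UID, GID)) for a Windows user, or None."""
    for key in lookup_order(name, domain, resolver):
        if key in table:
            return key, table[key]
    return None


def find_collisions(accounts, table, resolver):
    """accounts: {domain: [username, ...]}. Report distinct Windows accounts
    that would map to the same UID, i.e. would see each other's files."""
    by_uid = {}
    for domain, names in accounts.items():
        for n in names:
            hit = resolve(n, domain, table, resolver)
            if hit is not None:
                by_uid.setdefault(hit[1][0], []).append("%s@%s" % (n, domain))
    return {uid: who for uid, who in by_uid.items() if len(who) > 1}


if __name__ == "__main__":
    accounts = {"galaxy": ["glenn"], "orion": ["glenn", "carol"]}
    for r in (0, 1):
        print("cifs.resolver=%d:" % r,
              resolve("glenn", "GALAXY", PASSWD, r),
              find_collisions(accounts, PASSWD, r))
```

With resolver=0 the two glenn accounts resolve to 530 and 640 as intended; with resolver=1 both match the bare glenn entry and share UID 1001, which is the collision the "Using local files" section avoids by requiring the .domain suffix when names are not unique.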


Using user account migration tools

If you currently have a single-protocol environment (either pure CIFS or pure NFS) and you want to convert to a multiprotocol environment (supporting both Windows and UNIX clients), you can use the following tools to migrate your user accounts from one environment to the other.

◆ Celerra UNIX Attributes Migration Tool

◆ NTMigrate

Celerra UNIX Attributes Migration tool

Celerra UNIX Attributes Migration is a tool that enables you to migrate existing UNIX users from the Celerra Network Server (local files) or NIS to the Active Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active Directory. However, you cannot add new users or groups, nor can you modify existing UNIX UIDs/GIDs. To add new users or groups, or to modify existing UNIX attributes, refer to "Using the Active Directory" on page 28 for more information on using the Active Directory for user mapping.

Note: Using this tool extends the Active Directory schema. Once the schema is extended, you cannot revert to the original Active Directory schema.

The Installing Celerra Management Applications technical module provides more information on installing this tool. The Celerra UNIX Attributes Migration Tool online help provides more information on using this tool.

NTMigrate

NTMigrate is a tool that migrates Windows users to an existing UNIX UID/GID database (local passwd file or NIS). NTMigrate collects user information from the Windows domain and merges it with the UNIX password and group files.

NTMigrate is best suited for mapping large Windows domains into UNIX UIDs and GIDs.

The Using NTMigrate with Celerra technical module provides more information.


Configuring the primary group mapping for file system objects

In a file system, every object (such as a file, directory, link, or shortcut) has an associated owner and owner group, identified by a UID and a GID. NFS uses the UID and GID to control access to the file system object. Since a user can be a member of many groups, the Celerra Network Server needs some way to determine which group should be associated with a newly created file. A user's primary group setting determines which GID gets assigned to the file system object.

Both NFS and CIFS have the concept of a primary group for a user. In NFS, the primary group is required; however, the primary group is optional on Windows platforms and defaults to the Domain Users group.

All file system objects (FSOs) on a Data Mover have an associated owner (identified by a UID) and group (identified by a GID). The UID and GID associated with an FSO are determined as follows:

◆ For NFS: When an FSO is created from a UNIX client, the FSO GID is taken from the GID supplied by the UNIX client (based on the creator's primary group).

◆ For CIFS: When an FSO is created from a Windows client, the GID can be determined in one of the following ways:

• (Default) The file system object GID is taken from the GID mapped from the creator's Windows primary group.

• The file system object GID is taken from the user's UNIX primary group as defined in the passwd file, NIS, or Active Directory.

Using user UNIX GIDs for file system objects

The cifs acl.useUnixGid parameter controls whether the Celerra Network Server obtains an FSO's GID from the user's Windows primary group or from the user's GID stored in the passwd file, NIS, or Active Directory.

You can view and dynamically modify parameter values using the server_param command or the Celerra Manager graphical user interface. This technical module describes only the command-line procedures. The Celerra Manager Online Help explains how to use the graphical user interface to modify parameter values. The Celerra Network Server Parameters Guide describes all Celerra Network Server parameters.


To set the GID mapping for file system objects created on a Windows client to the Windows user's GID stored in the passwd file, NIS, or Active Directory, use the following command syntax.

Table 9 shows the cifs acl.useUnixGid parameter and its values.

Action

To set the GID mapping for file system objects created on a Windows client to the Windows user's GID, use this command syntax:

$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To set the GID mapping for file system objects created on a Windows client to the Windows user's GID, type:

$ server_param server_2 -facility cifs -modify acl.useUnixGid -value 1

Note: Parameter and facility names are case-sensitive.

Output

server_2 : done

Table 9 cifs acl.useUnixGid parameter

Module: cifs
Parameter: acl.useUnixGid
Value: 0 (default) or 1
Comment/Description: Sets the GID mapping for file system objects created on a Windows client.
cifs acl.useUnixGid=0: assigns the GID of the Windows primary group to which the user belongs.
cifs acl.useUnixGid=1: assigns the Windows user's GID (as found in the GID field of the passwd file, NIS database entry, or Active Directory).

Determining the GIDs on copied file system objects

Typically, when a Windows user copies an FSO using a tool such as Windows Explorer, the ownership of the new FSO is assigned to the user who did the copying; in effect, the user takes ownership of the copied FSO.

Since the Celerra Network Server also maintains GIDs on FSOs, a GID must be applied to the copied FSO. The cifs acl.takegroupship parameter determines the source of the GID for the copied FSO.


You can view and dynamically modify parameter values using the server_param command or the Celerra Manager graphical user interface. This technical module describes only the command-line procedures. The Celerra Manager Online Help explains how to use the graphical user interface to modify parameter values. The Celerra Network Server Parameters Guide describes all Celerra Network Server parameters.

To change the source of the GID for the copied FSO (that is, determine that the primary group is derived from the source specified by the acl.useUnixGid parameter), use the following command syntax.

Table 10 shows the cifs acl.takegroupship parameter and its values.

Action

To determine that the primary group is derived from the source specified by the acl.useUnixGid parameter, use this command syntax:

$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To determine that the primary group is derived from the source specified by the acl.useUnixGid parameter, type:

$ server_param server_2 -facility cifs -modify acl.takegroupship -value 1

Note: Parameter and facility names are case-sensitive.

Output

server_2 : done

Table 10 cifs acl.takegroupship parameter

Module: cifs
Parameter: acl.takegroupship
Value: 0 (default) or 1
Comment/Description: When ownership of an FSO is changed from Windows and no new primary group is provided, this parameter determines whether the new primary group for the FSO is based on the acl.useUnixGid parameter.
cifs acl.takegroupship=0: disables this setting. The primary group is derived from the Windows primary group of the user who copied the FSO.
cifs acl.takegroupship=1: enables this setting. The primary group is derived from the source specified by the acl.useUnixGid parameter.
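The two parameters in Tables 9 and 10 interact, and the page states each rule on its own. The following Python model, added here as an example and not Celerra code, applies both rules to one constructed user record so that all four combinations can be compared; the user record, the GID values, and the function names (gid_for_new_fso, gid_for_copied_fso, settings_matrix) are assumptions made for illustration.

```python
"""Model of which GID a Data Mover applies to a file system object (FSO)
created or copied from a Windows client.

Added example, not Celerra code: it encodes the rules stated for
cifs acl.useUnixGid (Table 9) and cifs acl.takegroupship (Table 10) so the
four parameter combinations can be compared side by side. The user record
and the GID values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MappedUser:
    """A Windows user after user mapping, with both group sources available."""
    name: str
    uid: int
    windows_primary_gid: int  # GID mapped from the Windows primary group (Domain Users by default)
    unix_gid: int             # GID field of the user's passwd, NIS, or Active Directory entry


def _check_flag(param: str, value: int) -> None:
    if value not in (0, 1):
        raise ValueError(f"{param} must be 0 or 1, got {value!r}")


def gid_for_new_fso(creator: MappedUser, use_unix_gid: int) -> int:
    """GID for an FSO created from a Windows client (Table 9).

    acl.useUnixGid=0: the creator's Windows primary group.
    acl.useUnixGid=1: the GID field of the creator's UNIX entry.
    """
    _check_flag("cifs acl.useUnixGid", use_unix_gid)
    return creator.unix_gid if use_unix_gid == 1 else creator.windows_primary_gid


def gid_for_copied_fso(copier: MappedUser, use_unix_gid: int, takegroupship: int,
                       new_primary_gid: Optional[int] = None) -> int:
    """GID for an FSO a Windows user copied and thereby took ownership of (Table 10).

    Table 10 only governs the case where the copy supplies no new primary
    group; when one is supplied this model applies it as given (an assumption,
    since the page does not describe that path further).
    acl.takegroupship=0: the copier's Windows primary group, regardless of
    acl.useUnixGid. acl.takegroupship=1: defer to the acl.useUnixGid rule.
    """
    _check_flag("cifs acl.takegroupship", takegroupship)
    if new_primary_gid is not None:
        return new_primary_gid
    if takegroupship == 0:
        return copier.windows_primary_gid
    return gid_for_new_fso(copier, use_unix_gid)


def settings_matrix(user: MappedUser) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """(useUnixGid, takegroupship) -> (GID on a new FSO, GID on a copied FSO)."""
    return {
        (u, t): (gid_for_new_fso(user, u), gid_for_copied_fso(user, u, t))
        for u in (0, 1) for t in (0, 1)
    }


# Constructed sample: CORP\alice maps to UID 1001; her Windows primary group
# (Domain Users) maps to GID 32769; her UNIX entry carries GID 100.
ALICE = MappedUser("alice", 1001, windows_primary_gid=32769, unix_gid=100)

if __name__ == "__main__":
    for (u, t), (new_gid, copied_gid) in sorted(settings_matrix(ALICE).items()):
        print(f"acl.useUnixGid={u} acl.takegroupship={t}: "
              f"new FSO gid={new_gid}, copied FSO gid={copied_gid}")
```

With the defaults (both 0), every file a Windows user creates or copies lands in the GID mapped from the user's Windows primary group, which is Domain Users unless an administrator changed it; acl.useUnixGid=1 alone moves newly created objects to the UNIX GID while copies still fall back to the Windows group, and only acl.useUnixGid=1 with acl.takegroupship=1 makes both follow the UNIX entry. Because NFS clients enforce access by that GID, compare the matrix against the group memberships your NFS users rely on before changing either value.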


Troubleshooting user mapping

You can query the EMC WebSupport database for problem information, obtain release notes, or report a Celerra technical problem to EMC on Powerlink, the EMC secure extranet site. The Celerra Problem Resolution Roadmap technical module contains additional information about using Powerlink and resolving problems.

Error messages

Table 11 lists Usermapper error messages and their descriptions. These error messages are written to the Celerra Network Server's system log (/nas/log/sys_log). The Celerra Network Server Error Messages Guide contains additional information on error messages.

Table 11 Usermapper server log error messages

Message text: Cannot connect (to the server, primary, secondary, etc.)
Description: A connection or connections among the Usermapper services and/or Data Movers are down.
Corrective action:
1. Check the connectivity between the primary Usermapper, the secondary Usermappers, and the Data Movers.
2. Check the server log (server_log) and confirm with server_cifs that the correct Usermapper IP addresses are configured.
3. If the IP addresses are incorrect, use server_cifs to provide the correct IP addresses for the primary and secondary Usermappers.

Message text: Internal error
Description: This could be any of the UNIX or database errors that are internal to the Usermapper software. It is not specific to any request made by the Data Movers.
Corrective action: Check the usrmapper.log for any description of the problem. If the problem description is not clear or no problem is reported, contact EMC Customer Service.

Message text: Invalid input
Description: The input received by Usermapper is invalid due to communication problems between the Usermapper service and its client (Data Mover or secondary Usermapper).
Corrective action: Contact EMC Customer Service.

Message text: No record for the domain
Description: Usermapper received a request to assign a UID or a GID in a domain, but the domain is not configured in the usrmap.cfg file. This error message is only returned if you are using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include the domain.

Message text: Primary error
Description: There is an error at the primary Usermapper.
Corrective action: Check the error log at the primary Usermapper.

Message text: Primary down
Description: The primary Usermapper is unreachable. This error appears in the error log on the secondary Usermapper.
Corrective action: Check the network connection between the primary and the secondary Usermapper.

Message text: Request from the server is not supported
Description: Usermapper cannot process the request from the Data Mover.
Corrective action:
1. Check the usrmapper.log for the request type.
2. Use rpcinfo on a Solaris Usermapper host or pmap_dump on a Linux Usermapper host to determine whether RPC program 536870919, versions 1 and 3, is running over UDP and TCP.

Message text: RPC error
Description: This is a remote procedure call error, probably between the primary Usermapper, the secondary Usermappers, and the Data Movers.
Corrective action:
1. Check the network connectivity between the primary and the secondary Usermappers.
2. Check the server log (server_log) and confirm with server_cifs that the correct Usermapper IP addresses are configured.
3. If the IP addresses are incorrect, use server_cifs to provide the correct IP addresses for the primary and secondary Usermappers.

Message text: System error
Description: A system error has occurred.
Corrective action: Check the usrmapper.log and the system log for the exact error. If there are any environmental errors (file permissions, for example), they can be fixed. If the problem description is not clear or if there is no problem reported, contact EMC Customer Service.

Message text: There are no more gids that can be given out
Description: No more GIDs are available as specified in the GID ranges for this domain in the usrmap.cfg file. This error message is only returned if you are using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include more GIDs for the domain.

Message text: There are no more uids that can be given out
Description: No more UIDs are available as specified in the UID ranges for this domain in the usrmap.cfg file. This error message is only returned if you are using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include more UIDs for the domain.

Table 11 Usermapper server log error messages (continued)

Message text: UID account request error
Description: Usermapper received a request for the account name and domain for a UID (in other words, a reverse lookup), but no account matched the UID. Most probably, Usermapper has not yet assigned the UID to any account.
Corrective action:
If Usermapper is not running on the Usermapper host:
1. Use rpcinfo on a Solaris Usermapper host or pmap_dump on a Linux Usermapper host to determine whether RPC program 536870919, versions 1 and 3, is running over UDP and TCP.
2. Start the Usermapper service or daemon.
If the UID has not been assigned:
1. Check the usrmapper.log file to find which UID was sent to Usermapper.
2. Output the Usermapper database to see whether this UID is in the database for at least one user.

Known problems and limitations

Table 12 describes known problems that might occur when using Usermapper and presents workarounds.

Table 12 Usermapper known problems and workarounds

Known problem: The primary Usermapper service must be enabled before secondary services can be configured.
Symptom: When you issue the server_usermapper <movername> -enable primary= command, you receive the following error:
Error 4020: <movername>: failed to complete command
Workaround: Check the operational state of the primary service and enable it using the server_usermapper <movername> -enable command.

Known problem: Internal Usermapper stops mapping new UIDs and GIDs once the root file system of the Data Mover (where the Usermapper database is stored) becomes 95% full. New users will be denied access to system objects.
Symptom: The following errors are entered repeatedly in the server log for any additional mapping requests once the root file system reaches capacity:
error: -20 for user uid request
error: -20 for group gid request
Workaround: Determine the size of the root file system required based on the number of users in your Windows environment. Contact your EMC Customer Support Representative for assistance in determining size requirements.
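A small triage script over the server log, added here as an example and not EMC tooling: it looks for the Table 11 message texts and the repeated "error: -20" signature from Table 12, and maps each hit to a summary of the corrective action the tables give. The log line layout, the timestamps and the "USRMAP:" prefix in the sample are assumptions (the page shows message text only); matching is done on the message text alone, and the function names (classify, triage, summarize) are the example's own.

```python
"""Triage of Usermapper messages in the Celerra system log (/nas/log/sys_log).

Added example, not EMC tooling: the message texts and the corrective actions
come from Tables 11 and 12 (actions are summarised), and the "error: -20"
pattern is the root-file-system-full signature from Table 12. The sample
log lines are constructed; the timestamp and prefix layout is an assumption
and only the message text is matched.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Message text -> (category, corrective action), summarised from Table 11.
KNOWN_MESSAGES: Dict[str, Tuple[str, str]] = {
    "Cannot connect": ("network", "check connectivity; verify Usermapper IPs with server_cifs"),
    "RPC error": ("network", "check primary/secondary connectivity; verify Usermapper IPs with server_cifs"),
    "Primary down": ("network", "check the network between primary and secondary Usermapper"),
    "Primary error": ("remote", "check the error log on the primary Usermapper"),
    "No record for the domain": ("config", "add the domain to usrmap.cfg"),
    "There are no more uids that can be given out": ("capacity", "widen the domain's UID range in usrmap.cfg"),
    "There are no more gids that can be given out": ("capacity", "widen the domain's GID range in usrmap.cfg"),
    "Request from the server is not supported": ("rpc", "check usrmapper.log; confirm program 536870919 v1/v3 is registered (rpcinfo or pmap_dump)"),
    "UID account request error": ("lookup", "confirm Usermapper is running; check whether the UID is in its database"),
    "Internal error": ("software", "check usrmapper.log; contact EMC if unclear"),
    "Invalid input": ("software", "contact EMC Customer Service"),
    "System error": ("software", "check usrmapper.log and sys_log for environmental causes such as file permissions"),
}

# Logged for every new mapping request once the Data Mover root file system
# holding the Usermapper database is 95% full (Table 12).
ROOT_FS_FULL = re.compile(r"error: -20 for (?:user uid|group gid) request")
ROOT_FS_FULL_THRESHOLD = 3   # treat this many repeats as one capacity incident


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Map one log line to (category, action), or None if it is not a Usermapper message."""
    if ROOT_FS_FULL.search(line):
        return ("capacity", "Data Mover root file system at or over 95% full; resize per EMC sizing guidance")
    for text, verdict in KNOWN_MESSAGES.items():
        if text in line:
            return verdict
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify lines; collapse the repeated -20 signature into a single finding."""
    findings: List[Tuple[str, str]] = []
    fs_full_hits = 0
    for line in lines:
        if ROOT_FS_FULL.search(line):
            fs_full_hits += 1
            continue
        verdict = classify(line)
        if verdict is not None:
            findings.append((verdict[0], line.strip()))
    if fs_full_hits >= ROOT_FS_FULL_THRESHOLD:
        findings.append(("capacity",
                         f"{fs_full_hits} x 'error: -20' mapping failures: Usermapper database "
                         "file system full; new users are being denied access"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Counter:
    """Count findings per category."""
    return Counter(category for category, _ in findings)


# Constructed sample log lines (layout assumed; only the message text matters).
SAMPLE_SYS_LOG = """\
2006-03-01 10:02:11 server_2 USRMAP: Cannot connect to primary Usermapper
2006-03-01 10:02:40 server_2 USRMAP: No record for the domain LAB
2006-03-01 10:03:05 server_2 USRMAP: error: -20 for user uid request
2006-03-01 10:03:06 server_2 USRMAP: error: -20 for group gid request
2006-03-01 10:03:07 server_2 USRMAP: error: -20 for user uid request
2006-03-01 10:03:08 server_2 CIFS: share lookup completed
"""

if __name__ == "__main__":
    results = triage(SAMPLE_SYS_LOG.splitlines())
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(dict(summarize(results)))
```

The "error: -20" lines are collapsed deliberately: once the root file system is full they recur for every new mapping request, so counting them as one incident keeps the alert actionable, and a threshold of one or two would only add noise. Run the script against /nas/log/sys_log after copying it off the Control Station, or feed it a live tail; the categories are what you would route to network, storage or EMC support respectively.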


Events and notifications

Table 13 lists the Usermapper events. The Configuring Celerra Events and Notifications technical module provides a description of how to configure the Celerra Network Server to record and display these events. Of these, events 4 (database destroyed), 6 (unreachable), and 7 (file system quota exceeded) indicate that mapping requests are failing or about to fail, and are the ones to record and alert on.

Table 13 USRMAP events

Facility name: USRMAP
Facility ID: 93
Facility description: Monitors Usermapper events

Event ID  Event description
0         Usermapper OK
1         Usermapper database created
2         Usermapper service enabled
3         Usermapper service stopped
4         Usermapper database destroyed
5         Usermapper available
6         Usermapper unreachable
7         Usermapper file system quota exceeded


Related information

For specific information related to the features and functionality described in this technical module, refer to:

◆ Celerra Network Server Command Reference Manual

◆ Online Celerra man pages

◆ Celerra Network Server Parameters Guide

◆ Managing Celerra for the Windows Environment

◆ Configuring CIFS on Celerra

◆ Managing Celerra for a Multiprotocol Environment

◆ Configuring External Usermapper for Celerra

◆ Using NTMigrate with Celerra

◆ Installing Celerra Management Applications

◆ Using Windows Administrative Tools with Celerra

◆ Configuring Celerra Naming Services

◆ Celerra Network Server Error Messages Guide

◆ Configuring Celerra Events and Notifications

The Celerra Network Server Documentation CD, supplied with your Celerra Network Server and also available on Powerlink, provides general information on other EMC Celerra publications.

Customer training programs

EMC customer training programs are designed to help you learn how EMC storage products work together and integrate within your environment to maximize your entire infrastructure investment. EMC customer training programs feature online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training programs are developed and delivered by EMC experts. For program information and registration, refer to Powerlink, our customer and partner website.



Index

A
Active Directory 28

C
Celerra Manager, using 11
cifs acl.takegroupship parameter 39
cifs acl.useUnixGid parameter 38
configuration
  default 16
  multicabinet 16
  secondary 16
  settings, modifying 25

D
database, modifying 24

E
error messages 41
  cannot connect 41
  internal error 41
  no more gids 42
  no more uids 42
  No record for the domain 41
  primary error 41
  primary is down 42
  request not supported 42
  RPC error 42
  system error 42
  uid account request error 43
events, list of USRMAP 44
exporting database information 23
External Usermapper 27

G
GIDs
  on copied files 39
  using UNIX GIDs 38

I
importing database information 22
installation 16
Internal Usermapper 14

L
local files 30

M
mapping
  primary groups 38
  user IDs, resolution order 9
MMC snap-ins 28
multiprotocol environments 8

N
NIS 35

P
parameters 25
  cifs acl.takegroupship 39
  cifs acl.useUnixGid 38
password and group files 30, 35
primary groups 38

R
restrictions 8

S
SID history 15
snap-ins, UNIX User Management 28

T
tools
  UNIX Attributes Migration 37
  UNIX User Management 28
  UNIX Users and Groups property page extension 29

U
UNIX Attributes Migration tool 37
UNIX Users and Groups property page extension 29
UNIX User Manager snap-in 28
user ID resolution
  local files 30
  NIS 35
  UNIX Attributes Migration tool 37
  UNIX Users and Groups property page extension 29
  UNIX User Manager snap-in 28
user IDs, look-up order 9
Usermapper
  default configuration 16
  error messages 41
  exporting database information 23
  external 7
  importing database information 22
  internal 7
  modifying
    database 24
    default settings 25
  multicabinet configuration 16
  restrictions 8, 14
    one primary only 8
  secondary configuration 16
  using secondary service 16

W
Windows-only environments 7

About this technical module

As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support Representative for a hardware upgrade or software update.

Comments and suggestions about documentation

Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to [email protected] with your opinions of this document.

Copyright © 1998-2006 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.
