ntxmap for cifs user mapping

EMC® Celerra® Network ServerRelease 6.0

Using ntxmap for Celerra CIFS User MappingP/N 300-009-997

REV A01

EMC CorporationCorporate Headquarters:

Hopkinton, MA 01748-91031-508-435-1000

www.EMC.com

Copyright © 1998 - 2010 EMC Corporation. All rights reserved.

Published September 2010

EMC believes the information in this publication is accurate as of its publication date. Theinformation is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATIONMAKES NO REPRESENTATIONS ORWARRANTIES OF ANY KINDWITH RESPECT TOTHE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires anapplicable software license.

For the most up-to-date regulatory document for your product line, go to the TechnicalDocumentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks onEMC.com.

All other trademarks used herein are the property of their respective owners.

Corporate Headquarters: Hopkinton, MA 01748-9103

2 Using ntxmap for Celerra CIFS User Mapping 6.0

Contents

Preface.....................................................................................................5

Chapter 1: Introduction...........................................................................7System requirements...............................................................................................8Restrictions...............................................................................................................8User interface choices.............................................................................................9Related information................................................................................................9

Chapter 2: Concepts.............................................................................11ntxmap mapping methods...................................................................................12

Windows credential mapping...................................................................12UNIX to Windows mapping......................................................................13

Windows user mapping rule...............................................................................14ntxmap bidirectional mapping — Examples...........................................15

Secure mapping and ntxmap...............................................................................15Configuring ntxmap for Windows user mapping............................................15

Chapter 3: Configuring.........................................................................17Create the ntxmap.conf file..................................................................................18Modify the ntxmap.conf file................................................................................19

Chapter 4: Managing............................................................................21Verify the ntxmap.conf file...................................................................................22Verify the CIFS configuration..............................................................................22Verify the ntxmap mappings...............................................................................24Disable ntxmap .....................................................................................................26

Using ntxmap for Celerra CIFS User Mapping 6.0 3

Chapter 5: Troubleshooting..................................................................27EMC E-Lab Interoperability Navigator..............................................................28Error messages.......................................................................................................28EMC Training and Professional Services...........................................................28

Glossary..................................................................................................31

Index.......................................................................................................35


Contents

Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines,EMC periodically releases revisions of its hardware and software. Therefore, some functions describedin this document may not be supported by all versions of the software or hardware currently in use.For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, pleasecontact your EMC representative.


Special notice conventions

EMC uses the following conventions for special notices:

CAUTION:Acaution contains information essential to avoid data loss or damage to the systemor equipment.

Important: An important note contains information essential to operation of the software.

Note: A note presents information that is important, but not hazard-related.

Hint: A note that provides suggested advice to users, often involving follow-on activity for aparticular action.

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information — For documentation, release notes, software updates, or forinformation about EMC products, licensing, and service, go to the EMC Powerlinkwebsite (registration required) at http://Powerlink.EMC.com.

Troubleshooting — Go to Powerlink, search for Celerra Tools, and select CelerraTroubleshooting from the navigation panel on the left.

Technical support—For technical support, go to EMCCustomer Service onPowerlink.After logging in to the Powerlink website, go to Support ➤ Request Support. To opena service request through Powerlink, you must have a valid support agreement.Contact your EMC Customer Support Representative for details about obtaining avalid support agreement or to answer any questions about your account.

Note: Do not request a specific support representative unless one has already been assigned toyour particular system problem.

Your comments

Your suggestionswill help us continue to improve the accuracy, organization, and overallquality of the user publications.

Please send your opinion of this document to:

[email protected]


Preface

http://Powerlink.EMC.com

http://powerlink.emc.com


1

Introduction

In a multiprotocol Celerra environment, when a Microsoft Windows userwants to access a UNIX resource, or a UNIX user wants to access aWindows resource, the username must be mapped in the same way ineach environment; otherwise, the mapping cannot occur and the user isdenied access to the resource.

However, you might want to map Windows and UNIX users who areidentified differently in each environment. The EMC Celerra ntxmapfeature allows you to define explicit mappings between such Windowsand UNIX usernames. Chapter 2 provides more information.

This document is part of the Celerra Network Server information set andis intended for system administrators responsible for configuring andmanagingWindows usermapping in an environmentwhere the users areidentified differently on Windows and UNIX platforms.

Topics included are:◆ System requirements on page 8◆ Restrictions on page 8◆ User interface choices on page 9◆ Related information on page 9


System requirements

Table 1 on page 8 describes the EMC® Celerra® Network Server software, hardware,network, and storage configurations.

Table 1. System requirements

Celerra Network Server version 6.0.Software

No specific hardware requirements.Hardware

Windows 2000, Windows Server 2003, or Windows NT domain.

You must configure the domains with:

◆ Windows 2000 or Windows Server 2003 domains:

Active Directory

Kerberos or NT Lan Manager (NTLMSSP)

DNS

NTP

◆ Windows NT domains:

NT Lan Manager (NTLM)

WINS

Network

Follow the procedures in Managing Celerra for a Multiprotocol Environment to configurethe Celerra storage requirements. The ntcred mount option should be set to use the NT

Storage

credential cache. Ensure that the security mode for CIFS is not set to UNIX or SHARE onthe Data Mover.Verify that sufficient space is available in the root file system. Contact yourEMC Customer Support Representative for assistance with determining size requirements.

Restrictions

The ntxmap.conf file is a text file that is sequentially parsed for every mapping request. Ifthe mapping entries exceed 1,000, EMC recommends that you do not use ntxmap. Morethan 1,000 user mapping entries can lead to authentication latency issues, and potentiallyimpact the Windows user login and work sessions.


Introduction

User interface choices

This document describes how to configure ntxmap by using the command line interface(CLI). You cannot use other Celerra management applications to configure ntxmap.

Related information

For additional information related to the features and functionality described in thisdocument:

◆ Celerra Network Server Command Reference Manual

◆ Celerra Network Server Error Messages Guide

◆ Celerra Network Server Parameters Guide

◆ Configuring Celerra Events and Notifications

◆ Configuring Celerra User Mapping

◆ Configuring Celerra Naming Services

◆ Installing Celerra Management Applications

◆ Managing Celerra for a Multiprotocol Environment

◆ Configuring and Managing CIFS on Celerra

◆ Online Celerra man pages

◆ Using NTMigrate with Celerra

◆ Using Windows Administrative Tools with Celerra

EMC Celerra Network Server Documentation on Powerlink

The complete set of EMC Celerra customer publications is available on the EMCPowerlink®website at http://Powerlink.EMC.com. After logging in to Powerlink, clickSupport, and locate the link for the specific product technical documentation required.

Celerra Support Demos

Celerra Support Demos are available on Powerlink. Use these instructional videos tolearn how to perform a variety of Celerra configuration and management tasks. Afterlogging in to Powerlink, clickSupport. Then click the link for the specific product required.Click Tools. Locate the link for the video that you require.

User interface choices 9

Introduction


Celerra wizards

Celerra wizards can be used to perform setup and configuration tasks. Using Wizards toConfigure Celerra provides an overview of the steps required to configure a CelerraNetwork Server by using the Set Up Celerra wizard.


Introduction

2

Concepts

The ntxmap feature supports mapping requirements in a multiprotocolenvironment, where the Windows and UNIX users are identifieddifferently. The ntxmap.conf file is used to relate the different usernames.

Note: In a multiprotocol environment, ntxmap is used only for users who cannotbemapped byusing another usermappingmethod.A typical Celerra configurationmight include a few users who are mapped by using the ntxmap.conf file, andothers who are mapped by using another user mapping method appropriate forthat configuration.

ConfiguringCelerraUserMappingprovides information on the usermappingmethods best suited for your Celerra environment.

Topics included are:◆ ntxmap mapping methods on page 12◆ Windows user mapping rule on page 14◆ Secure mapping and ntxmap on page 15◆ Configuring ntxmap for Windows user mapping on page 15


ntxmap mapping methods

ntxmap uses two user mapping methods:

◆ Windows credentials mapping◆ UNIX to Windows mapping

Note: If the ntxmap.conf file does not exist or is unable to provide a mapping, the Data Mover thenuses the user mapping method configured for its environment.

Windows credential mapping

Typically, if SID mapping is required, the Data Mover searches for a corresponding uniqueUID that has the same username.

In Windows credentials mapping, the ntxmap.conf file first provides the mapped UNIXname, if one is available. The Data Mover then uses the user mapping method configuredfor its environment to search for a UID that corresponds to the mapped name provided byntxmap, instead of searching for a UID that corresponds to the Windows username.

When a Windows user logs in and requests a UNIX resource:

1. The user logs in to the Data Mover and provides a Windows credential, which includesthe SID, domain, and Windows username.

2. The Data Mover uses the domain andWindows username to query the ntxmap.conf filefor a corresponding mapped UNIX name, if one is available.

Note: A mapped name is found if the domain and Windows username match the domain andusername in a mapping entry created in the ntxmap.conf file. The domain name must be theNETBIOS domain name, in uppercase. If the domain in the mapping rule is empty or is specifiedas "*", any user domain is valid. The username is not case-sensitive for mapping. However, theUNIX name is case-sensitive. The first entry that matches the mapping is used.

3. If a mapped UNIX name is available, the Data Mover uses the user mapping methodconfigured for its environment to search for a UID and GIDs that correspond to themapped name.

4. In addition, if the Windows acl.extendExtraGid parameter is set, the Windows usergroups are mergedwith the UNIX secondary groups and added to the list of GIDs in theWindows credentials.


Concepts

Example scenario

This example shows howWindows credentials mapping works. The ntxmap.conf filecontains this mapping rule:

INTGW2K3:WINuser:=:UNIXuser

When the userWINuser of domain INTGW2K3 logs in to the DataMover, theWindowscredential contains the SID, UID, and GIDs associated with UNIXuser. The UID andGIDs are retrieved by using the user mapping method configured for that environment.Each time the user uses a resource, access is granted by checking the user access rights(SID, UID, and GIDs) against the resource’s access rights.

Note: Configuring Celerra User Mapping provides information on the user mapping methods bestsuited for your Celerra environment.

UNIX to Windows mapping

Note: In UNIX to Windows mapping methods, the SID is retrieved from the UNIX UID.

Typically, the Data Mover searches for a UNIX username. The domain name is added tothe UNIX name and the domain controller is requested to provide the corresponding SID.

In UNIX to Windows mapping, the ntxmap.conf mapping file provides the domain andusername.

When a UNIX user logs in and requests a Windows resource:

1. TheUNIX authentication procedure provides theUID andGIDs for theUNIX username.

2. The Data Mover uses the UID to UNIX name resolution mechanism to get the UNIXname.

3. With theUNIXnameprovided, theDataMover queries the ntxmap.conf file for amappedWindows NT name and its domain name. A mappedWindows NT name is found if theUNIX name in the mapping entry matches the UNIX name (case-sensitive) of the user.

4. Using the mapped Windows name, the Data Mover queries the domain controller forthe corresponding SID mapping.

Note: If the domain name is empty, the default domain name of the Data Mover is used to querythe domain controller.

5. The retrieved UID and SID are used to grant access to the resources.

6. In addition, if the Windows acl.extendExtraGid parameter is set, the Windows usergroups are merged with the UNIX secondary groups, and added to the list of GIDs forthe UNIX user. The UID, the SIDs, and the GIDs for this user are then cached locally,

ntxmap mapping methods 13

Concepts

and are used for subsequent requests. Each mapping entry in the cache has an expiryperiod. When the expiry period is over, the entry is automatically deleted.

Example scenario

Thismapping rule explains how theUNIX toWindowsmappingworks. The ntxmap.conffile contains this:

INTGW2K3:WINuser:=:UNIXuser

When the user UNIXuser requests resources, SIDs of the user WINuser of domainINTGW2K3 are mapped to the UNIX user’s UID. Each time the user uses a resource,access is granted by checking the user access rights (SID, UID, and GIDs) against theresource’s access rights.

Note: Configuring Celerra User Mapping provides information on the user mapping methods bestsuited for your Celerra environment.

Windows user mapping rule

The Windows user mapping rule is stored in the /.etc/ntxmap.conf file in the Data Mover,and uses the following syntax:

domain : user : direction : unix_name

where:

◆ domain is the user’s domain. It refers to the NetBIOS name, and is written in uppercase.Empty domain names are allowed, and if used, only the username is checked for themapping match.

◆ user is the user’s Windows name, and is not case-sensitive.◆ direction indicates how the mapping rule applies.◆ unix_name indicates the user’s UNIX name, and is case-sensitive.

In Celerra Network Server version 6.0, only the bidirectional mapping rule, "=", is availablewhen using ntxmap. Bidirectional mapping is valid for mapping fromWindows to UNIX,and from UNIX to Windows.

Create the ntxmap.conf file on page 18 andModify the ntxmap.conf file on page 19 providemore information.

Note: Usernames contain non-alphanumeric characters. "=xx" is used to set a character by its hexadecimalASCII value. "==xxxx" is used to set a character by its hexadecimal Unicode value. This helps whenstoring non-ASCII names.

Note: Comments are allowed in the ntxmap.conf file. A comment line starts with "#".


Concepts

ntxmap bidirectional mapping — Examples

Table 2 on page 15 provides rules and examples of the ntxmapmappings for different users.

Table 2. Bidirectional mapping — Examples

ExamplesRules

INTGW2K3:user1:=:unixname1A Windows user with a domain name

*:user2:=:unixname2A Windows user of any domain

INTGW2K3:use=20r:=:unixname2 # Win-dows username is "use r"

A Windows user with name containinga blank character

INTGW2K3:==00fcser:unixname3# Win-dows username is "user"

A Windows user with name containinga Unicode character

Secure mapping and ntxmap

When ntxmap is enabled, the mapping mechanism first refers to the ntxmap rules beforeusing secmap. The mapping provided by ntxmap replaces any previous secmap cache fora user, which was created by another user mapping method. Any existing entry in secmapfor this user either gets updated with the new information, or a new ntxmap mapping iscached.

Secmap is queried for ntxmap users only if the ntxmap.conf file is unavailable, empty, orunable to provide a mapping.

Configuring ntxmap for Windows user mapping

Celerra does not provide a default ntxmap.conf file. You must use a text editor to create thefile on the Control Station, define the mapping rules, and add the mappings. Then copy thefile to the /.etc directory of the Data Mover’s root file system. After you have copied the fileto this location, it can be used automatically.

It is recommended that you copy the edited files to every Data Mover. Maintaining the fileon one Data Mover might add latency to the authentication process and slow down theconnection response time.

Windows user mapping rule 15

Concepts


Concepts

3

Configuring

The tasks to configure ntxmap are:◆ Create the ntxmap.conf file on page 18◆ Modify the ntxmap.conf file on page 19


Create the ntxmap.conf file

ActionStep

Use any text editor to create a bidirectional ntxmap mapping for Windows users by using the following rulesyntax:

1


where:

domain = the user's domain; it refers to the NetBIOS name, and is case-sensitive

Note: Empty domain names are allowed, and only user is checked for the mapping match. A domain valueof "*" is equivalent to an empty domain.

user = user's Windows name; this name is case-sensitive

direction = how the rule applies; the sign "=" indicates a bidirectional mapping, that is, valid for mappingfrom Windows to UNIX and from UNIX to Windows

unix_name = UNIX name of the user

Note: The rule syntax for a domain, user, and unix_name includes: ASCII characters, blank characters, andUnicode characters. Any special ASCII character can be used by using the "=xx" format, where xx is the ASCIIvalue of the character in hexadecimal. A blank character is a special character. Any Unicode character canbe used by using the "==xxxx" format, where xxxx is the hexadecimal value for the Unicode character.

Note: Domains and usernames are case-insensitive. "*" for domain means any domain is valid. A "#" characterat the beginning of the line is a comment. A comment can be added at the end of the line by using "#" followedby the comment.

ntxmap bidirectional mapping — Examples on page 15 provides more information on bidirectional mappings.

Save the ntxmap.conf file.2


Configuring

ActionStep

Copy the ntxmap.conf file from the Control Station to the Data Mover by using this command syntax:3

$ server_file <movername> -put ntxmap.conf ntxmap.conf

where:

<movername> = name of the Data Mover on which the file is to be copied

Example:

To copy the ntxmap.conf file from the Control Station to the Data Mover, type:

$ server_file server_2 -put ntxmap.conf ntxmap.conf

Output:

server_2: done

Note: The modified ntxmap.conf file is used automatically after it is placed in the /.etc directory of the DataMover’s root file system.

Modify the ntxmap.conf file

ActionStep

Copy the ntxmap.conf file from the Data Mover to the Control Station by using this command syntax:1

$ server_file <movername> -get ntxmap.conf ntxmap.conf

where:

<movername> = name of the Data Mover from which the file is being copied

Example:


$ server_file server_2 -get ntxmap.conf ntxmap.conf

Output:

server_2: done

Modify the ntxmap.conf file 19

Configuring

ActionStep

Use any text editor and edit the ntxmap.conf file to add, delete, or modify mapping entries.2

The file format includes the following rule syntax for a bidirectional mapping for each Windows user:


Note: The rule syntax for a domain, user, and unix_name includes: ASCII characters, blank characters, andUnicode characters. Any special ASCII character can be used by using the "=xx" format, where xx is the ASCIIvalue of the character in hexadecimal. A blank character is a special character. Any Unicode character canbe used by using the "==xxxx" format, where xxxx is the hexadecimal value for the Unicode character.

Note: Domains and usernames are case-insensitive. "*" for domain means any domain is valid. A "#" characterat the beginning of the line is a comment. A comment can be added at the end of the line by using "#" followedby the comment.

ntxmap bidirectional mapping — Examples on page 15 provides more information on bidirectional mappings.

Save the ntxmap.conf file.3

Copy the ntxmap.conf file from the Control Station to the Data Mover by using this command syntax:4

$ server_file <movername> -put ntxmap.conf ntxmap.conf

where:

<movername> = name of the Data Mover to which the file is being copied

Example:


$ server_file server_2 -put ntxmap.conf ntxmap.conf

Output:

server_2: done

Note: The modified ntxmap.conf file is used automatically after it is placed in the /.etc directory of the DataMover’s root file system.

Note: There is a risk of temporary inconsistency while the file is being moved, especially if the file is too large.Restrictions on page 8 provides more information.


Configuring

4

Managing

The ntxmap management tasks are:◆ Verify the ntxmap.conf file on page 22◆ Verify the CIFS configuration on page 22◆ Verify the ntxmap mappings on page 24◆ Disable ntxmap on page 26


Verify the ntxmap.conf file

Action

To verify only the syntax of the rules in the ntxmap.conf file, use this command syntax:

$ server_checkup <movername> -test CIFS -subtest ntxmap

where:

<movername> = name of the Data Mover

Example:

To verify only the syntax of the rules in ntxmap.conf file on server_2, type:

$ server_checkup server_2 -test CIFS -subtest ntxmap

Output

server_2:-----------------------------Checks------------------------------------Component CIFS:Ntxmap : Checking the ntxmap configuration file..................Pass

Verify the CIFS configuration

Action

To verify the CIFS configuration, including the syntax of the mapping rules in the ntxmap.conf file, use this commandsyntax:

$ server_checkup<movername> -test CIFS

where:

<movername> = name of the Data Mover.

Example:

To check the CIFS configuration, including the syntax of the rules in the ntxmap.conf file, on server_2, type:

$ server_checkup server_2 -test CIFS


Managing

Output

server_2:-----------------------------Checks------------------------------------Component CIFS:ACL : Checking the number of ACLs per file system............PassConnection: Checking the load of CIFS TCP onnections...............PassCredential: Checking the validity of credentials...................PassDC : Checking the connectivity and configuration of DomainControlle..........................................................PassDFS : Checking the DFS configuration files and DFS registry..PassDNS : Checking the DNS configuration and connectivity to DNSservers...........................................................FailEventLog : Checking the configuration of Windows Event Logs.......PassFS_Type : Checking if all file systems are in the DIR3 format....PassGPO : Checking the GPO configuration.........................PassHomeDir : Checking the configuration of home directory shares....PassI18N : Checking the I18N mode and the Unicode/UTF8 translationtables............................................................ PassKerberos : Checking password updates for Kerberos.................PassLDAP : Checking the LDAP configuration........................PassLocalGrp : Checking the database configuration of local groups....PassNIS : Checking the connectivity to the NIS servers...........PassNS : Checking the naming services configuration.............PassNTP : Checking the connectivity to the NTP servers...........PassNtxmap : Checking the ntxmap configuration file.................PassSecmap : Checking the SECMAP database...........................PassSecurity : Checking the CIFS security settings....................PassServer : Checking the CIFS file servers configuration...........PassShare : Checking the network shares database...................PassSmbList : Checking the range availability of SMB IDs.............PassThreads : Checking for CIFS blocked threads......................PassUM_Client : Checking the connectivity to usermapper servers........PassUM_Server : Checking the usermapper server database................PassUnsupOS : Checking for unsupported client network operatingsystems........................................................... PassUnsupProto: Checking for unsupported client network protocols......PassVC : Checking the configuration of Virus Checker servers....PassWINS : Checking the connectivity to WINS servers..............Pass

Note: A result with a '*' means that some tests were not executed. Use the -full option to run them.

Verify the CIFS configuration 23

Managing

Verify the ntxmap mappings

Using this procedure, you can compare each line of the output with the ntxmap.conf file toensure that the mapping is correct.

Action

To verify the existing ntxmap mappings, use this command syntax:

$ server_cifssupport<movername> -secmap -list

where:


Example:

To verify the existing ntxmap mappings on server_2, type:

$ server_cifssupport server_2 -secmap -list

Output

server_2 : doneSECMAP USER MAPPING TABLEUID Origin Date Name SID692 ntxmap Wed Dec 26 14:15:14 2007 INTGW2K3\administrator S-1-5-15-56db7d78-9b661160-9e19279b-1f4

SECMAP GROUP MAPPING TABLE

GID Origin Date Name SID32769 usermapper Wed May 30 15:45:47 2007 INTGW2K3\Domain Admins S-1-5-15-56db7d78-9b661160-9e19279b-20032773 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Domain Users S-1-5-15-56db7d78-9b661160-9e19279b-20132774 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Domain Guests S-1-5-15-56db7d78-9b661160-9e19279b-20232791 usermapper Fri Sep 14 11:36:51 2007 INTGW2K3\Domain Computers S-1-5-15-56db7d78-9b661160-9e19279b-20332770 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Domain ControllersS-1-5-15-56db7d78-9b661160-9e19279b-204


Managing

32777 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Schema Admins S-1-5-15-56db7d78-9b661160-9e19279b-20632778 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Enterprise Admins S-1-5-15-56db7d78-9b661160-9e19279b-20732775 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Group Policy CreatorOwS-1-5-15-56db7d78-9b661160-9e19279b-20832788 usermapper Wed Sep 12 17:48:34 2007 INTGW2K3\adfs_test S-1-5-15-56db7d78-9b661160-9e19279b-c4732790 usermapper Fri Sep 14 16:10:56 2007 INTGW2K3\rmagroup S-1-5-15-56db7d78-9b661160-9e19279b-c4b32792 usermapper Tue Sep 25 19:13:19 2007 INTGW2K3\sambausers S-1-5-15-56db7d78-9b661160-9e19279b-c5132771 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Exchange DomainServersS-1-5-15-56db7d78-9b661160-9e19279b-49432772 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Exchange EnterpriseSerS-1-5-15-56db7d78-9b661160-9e19279b-49532776 usermapper Wed May 30 15:48:21 2007 INTGW2K3\Exchange Services

S-1-5-15-56db7d78-9b661160-9e19279b-49b32789 usermapper Wed Sep 12 17:48:34 2007 INTGW2K3\gg1 S-1-5-15-56db7d78-9b661160-9e19279b-4a732779 usermapper Wed May 30 15:48:21 2007 INTGW2K3\PasswordPropDeny S-1-5-15-56db7d78-9b661160-9e19279b-4ac

Verify the ntxmap mappings 25

Managing

Disable ntxmap

ActionStep

Using any text editor, create an empty file on the Control Station.1

Example:

To create ntxmap_empty.conf file by using a text editor, type:

$ vi ntxmap_empty.conf

Save the empty file.2

Copy the empty file on the Data Mover by using the following command syntax:3

$ server_file <movername> -put <filename> ntxmap.conf

where:

<movername> = name of the Data Mover to which the file is being copied

<filename> = name of the empty file

Example:

To copy the ntxmap_empty.conf file from the Control Station to the Data Mover, type:

$ server_file server_2 -put ntxmap_empty.conf ntxmap.conf

Output:

server_2: done

Delete the existing ntxmap mappings in secmap cache by using the following command syntax:4

$ server_cifssupport <movername> -secmap -delete -name <username>

-domain <domain name>

where:


<username> = name of the user

<domain name> = name of the domain

Example:

To delete the existing ntxmap mapping in secmap, for the user WINuser of domain INTGW2K3, on server_2,type:

$ server_cifssupport server_2 -secmap -delete -name WINuser -domain INTGW2K3

Output:

server_2: done


Managing

5

Troubleshooting

Aspart of an effort to continuously improve and enhance the performanceand capabilities of its product lines, EMCperiodically releases newversionsof its hardware and software. Therefore, some functions described in thisdocument may not be supported by all versions of the software orhardware currently in use. For themost up-to-date information on productfeatures, refer to your product release notes.

If a product does not function properly or does not function as describedin this document, contact your EMC Customer Support Representative.

Problem Resolution Roadmap for Celerra contains additional informationabout using Powerlink and resolving problems.

Topics included are:◆ EMC E-Lab Interoperability Navigator on page 28◆ Error messages on page 28◆ EMC Training and Professional Services on page 28



EMC E-Lab Interoperability Navigator

The EMC E-Lab™ Interoperability Navigator is a searchable, web-based application thatprovides access to EMC interoperability support matrices. It is available athttp://Powerlink.EMC.com. After logging in to Powerlink, go to Support ➤ Interoperabilityand Product Lifecycle Information ➤ E-Lab Interoperability Navigator.

Error messages

All event, alert, and statusmessages provide detailed information and recommended actionsto help you troubleshoot the situation.

To view message details, use any of these methods:

◆ Unisphere software:

• Right-click an event, alert, or status message and select to view Event Details, AlertDetails, or Status Details.

◆ CLI:

• Type nas_message -info <MessageID>, where <MessageID> is the messageidentification number.

◆ Celerra Network Server Error Messages Guide:

• Use this guide to locate information about messages that are in the earlier-releasemessage format.

◆ Powerlink:

• Use the text from the error message's brief description or the message's ID to searchthe Knowledgebase on Powerlink. After logging in to Powerlink, go to Support ➤Search Support.

EMC Training and Professional Services

EMCCustomer Education courses help you learn howEMCstorage productswork togetherwithin your environment tomaximize your entire infrastructure investment. EMCCustomerEducation features online and hands-on training in state-of-the-art labs conveniently locatedthroughout theworld. EMC customer training courses are developed and delivered by EMCexperts. Go to EMC Powerlink at http://Powerlink.EMC.com for course and registrationinformation.


Troubleshooting




EMCProfessional Services can help you implement yourCelerraNetwork Server efficiently.Consultants evaluate your business, IT processes and technology, and recommend waysthat you can leverage your information for the most benefit. From business plan toimplementation, you get the experience and expertise that you need without straining yourIT staff or hiring and training new personnel. Contact your EMC representative for moreinformation.

EMC Training and Professional Services 29

Troubleshooting


Troubleshooting

Glossary

A

Active Directory (AD)Advanced directory service included with Windows operating systems. It stores informationabout objects on a network and makes this information available to users and networkadministrators through a protocol such as Lightweight Directory Access Protocol (LDAP).

authenticationProcess for verifying the identity of a user trying to access a resource, object or service, such asa file or a directory.

C

Common Internet File System (CIFS)File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users toshare file systems over the Internet and intranets.

Control StationHardware and software component of the Celerra Network Server that manages the systemand provides the user interface to all Celerra components.

D

Data MoverIn a Celerra Network Server, a cabinet component that is running its own operating systemthat retrieves data from a storage device and makes it available to a network client. This is alsoreferred to as a blade. A Data Mover is sometimes internally referred to as DART since DARTis the software that is running on the platform.

domainLogical grouping of Microsoft Windows servers and other computers that share commonsecurity and user account information. All resources such as computers and users are domainmembers and have an account in the domain that uniquely identifies them. The domainadministrator creates one user account for each user in the domain, and the users log in to thedomain once. Users do not log in to each individual server.


domain controllerServer that authenticates user logins andmaintains the security policy and the security account’smaster database for a Windows domain. Domain controllers manage user access to a network,which includes logging in, authentication, and access to the directory and shared resources.

See alsoWindows domain.

Domain Name System (DNS)Name resolution software that allows users to locate computers on a UNIX network or TCP/IPnetwork by domain name. The DNS server maintains a database of domain names, hostnames,and their corresponding IP addresses, and services provided by the application servers.

See also ntxmap.

G

group identifier (GID)Numeric identifier assigned to a particular group of users.

L

LDAP-based directoryDirectory servers that support LDAP, includingActiveDirectorywith IdMU, or SFU,OpenLDAP,or iPlanet (also known as Sun Java System Directory Server and Sun ONE Directory Server).

N

network file system (NFS)Network file system (NFS) is a network file system protocol that allows a user on a clientcomputer to access files over a network as easily as if the network devices were attached to itslocal disks.

Network Information Service (NIS)Distributed data lookup service that shares user and system information across a network,including usernames, passwords, home directories, groups, hostnames, IP addresses, andnetgroup definitions.

Network Time Protocol (NTP)Protocol used to synchronize the realtime clock in a computer with a network time source.

ntxmapCustomized software used to support mapping requirements in a multiprotocol environment.

S

secure mapping (secmap)Cache that contains all mappings between SIDs and UID or GIDs used by a Data Mover orVirtual Data Mover (VDM).

security identifier (SID)Unique identifier that defines a user or group in a Microsoft Windows environment. Each useror group has its own SID.


Glossary

T

time to live (TTL) time stampTTL time stamp is used to maintain the consistency of the credential. In case the TTL expires,the credential is rebuilt to take into account any modification that might have occurred.

U

user fileRefers to the passwd file that resides on each Data Mover.

User ID (UID)Numeric identifier that corresponds to a particular user.

UsermapperService that automatically maps distinct Windows users and groups to distinct UNIX-styleUIDs and GIDs.

W

Windows domainMicrosoft Windows domain controlled andmanaged by aMicrosoft Windows Server by usingthe Active Directory tomanage all system resources and by using the DNS for name resolution.

Windows Internet Naming Service (WINS)Software service that dynamically maps IP addresses to computer names (NetBIOS names).This allows users to access resources by name instead of requiring them to use IP addressesthat are difficult to recognize and remember. WINS servers support clients by runningWindows NT 4.0 and earlier versions of Microsoft operating systems.

Windows NT domainMicrosoft Windows domain controlled and managed by a Microsoft Windows NT server byusing a SAM database to manage user and group accounts and a NetBIOS namespace. In aWindows NT domain, there is one primary domain controller (PDC) with a read/write copy ofthe SAM, and possibly several backup domain controllers (BDCs) with read-only copies of theSAM.

See also domain and domain controller.


Glossary


Glossary

Index

CCIFS

mapping methods 11verifying configuration 22

command line interface 9configuring ntxmap 15creating ntxmap.conf file 18

Ddisabling ntxmap 26

EEMC E-Lab Navigator 28error messages 28

Iinformation, related 9

Mmapping methods

UNIX to Windows mapping 13Windows credential 12

messages, error 28modifying ntxmap.conf file 19multiprotocol 7

Nntxmap

configuring 15description 7disabling 26

ntxmap (continued)mapping methods 12mapping rules 14mapping verification 24UNIX to Windows mapping 13using with secmap 15Windows credentials mapping 12

ntxmap.conf filecreating 18function 12modifying 19verifying 22

Rrules, defining mapping 14

Ssecmap 15

Ttroubleshooting 27

UUNIX to Windows mapping 13user mapping 11

Vverifying

CIFS configuration 22mapping 24


verifying (continued)ntxmap.conf file 22

WWindows credentials mapping 12


Index

ntxmap for cifs user mapping

Documents

emc software

windows mapping

windows user mapping

emc powerlink

emc corporationmakes

secure mapping

mapping methods

credential mapping