EMC

VNX

Series
Release 7.1
Configuring VNX

User Mapping
P/N 300-013-811 Rev 01
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright 2009 - 2012 EMC Corporation. All rights reserved.
Published July 2012
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date regulatory document for your product line, go to the Technical
Documentation and Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on
EMC.com.
All other trademarks used herein are the property of their respective owners.
Corporate Headquarters: Hopkinton, MA 01748-9103
2 Configuring VNX User Mapping 7.1
Contents
Preface.....................................................................................................7
Chapter 1: Introduction.........................................................................11
System requirements..................................................................................12
User interface choices.................................................................................12
Related information.....................................................................................14
Chapter 2: Concepts.............................................................................15
Overview.....................................................................................................16
User mapping in Windows-only environments............................................18
User mapping in multiprotocol environments..............................................18
Secure mapping..........................................................................................19
Creating secmap mapping entries......................................................19
Checking and updating secmap mapping entries..............................20
User mapping and ntxmap..........................................................................20
User mapping database..............................................................................20
User mapping process................................................................................21
Usermapper................................................................................................22
Restrictions.........................................................................................22
Planning considerations.....................................................................23
Using the default single-VNX Usermapper configuration...................24
Using a multi-VNX Usermapper environment....................................24
LDAP-based directory services...................................................................25
Local files....................................................................................................25
NIS..............................................................................................................26
Active Directory...........................................................................................26
UNIX user management snap-in........................................................27
Configuring VNX User Mapping 7.1 3
VNX UNIX users and groups property page extension......................28
User account migration tools.......................................................................28
VNX UNIX Attributes Migration tool....................................................28
NTMigrate...........................................................................................28
Chapter 3: Configuring in Windows Environments..............................29
Configure a multi-VNX Usermapper environment.......................................30
Verify the status of the primary Usermapper service.........................30
Disable the primary Usermapper service...........................................31
Configure the secondary Usermapper service...................................31
Verify the status of the secondary Usermapper service.....................32
Chapter 4: Configuring in Multiprotocol Environments......................33
Retrieve user and group names without a domain association...................34
Configure a Data Mover to query local files................................................34
Copy local files from the Data Mover..................................................35
Add the Windows domain name as a group name.............................36
Add Windows usernames...................................................................37
Copy edited local files to the Data Mover...........................................38
Configure a Data Mover to query the Active Directory................................38
Chapter 5: Managing Usermapper.....................................................39
Display Usermapper status.........................................................................40
Display Usermapper service information............................................40
Display the Data Movers Usermapper service..................................41
Import and export database information.....................................................42
Import database information..............................................................42
Export database information..............................................................43
Maintain the Usermapper database............................................................43
Back up Usermapper...................................................................................44
Change Usermapper default configuration settings....................................45
Chapter 6: Managing secmap............................................................47
Disable secmap...........................................................................................48
Display secmap mapping entries................................................................48
Display secmap reverse mapping entries....................................................49
Create secmap mapping entries.................................................................50
Check secmap mapping entries..................................................................51
Update secmap mapping entries.................................................................52
4 Configuring VNX User Mapping 7.1
Contents
Remove secmap mapping entries...............................................................53
Export secmap mapping entries..................................................................53
Import secmap mapping entries from a file.................................................54
Report secmap status.................................................................................54
Chapter 7: Troubleshooting..................................................................57
EMC E-Lab Interoperability Navigator.........................................................58
Known problems and limitations..................................................................58
Known problems and limitations in using secmap..............................58
Usermapper events and notifications..........................................................59
Error messages...........................................................................................60
EMC Training and Professional Services....................................................61
Glossary..................................................................................................63
Index.......................................................................................................67
Configuring VNX User Mapping 7.1 5
Contents
6 Configuring VNX User Mapping 7.1
Contents
Preface
As part of an effort to improve and enhance the performance and capabilities of its product
lines, EMC periodically releases revisions of its hardware and software. Therefore, some
functions described in this document may not be supported by all versions of the software
or hardware currently in use. For the most up-to-date information on product features, refer
to your product release notes.
If a product does not function properly or does not function as described in this document,
please contact your EMC representative.
Configuring VNX User Mapping 7.1 7
Special notice conventions
EMC uses the following conventions for special notices:
Note: Emphasizes content that is of exceptional importance or interest but does not relate to
personal injury or business/data loss.
Identifies content that warns of potential business or data loss.
CAUTION Indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.
DANGER Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
Where to get help
EMC support, product, and licensing information can be obtained as follows:
Product information For documentation, release notes, software updates, or for
information about EMC products, licensing, and service, go to the EMC Online Support
website (registration required) at http://Support.EMC.com.
Troubleshooting Go to the EMC Online Support website. After logging in, locate
the applicable Support by Product page.
Technical support For technical support and service requests, go to EMC Customer
Service on the EMC Online Support website. After logging in, locate the applicable
Support by Product page, and choose either Live Chat or Create a service request. To
open a service request through EMC Online Support, you must have a valid support
agreement. Contact your EMC sales representative for details about obtaining a valid
support agreement or with questions about your account.
Note: Do not request a specific support representative unless one has already been assigned to
your particular system problem.
8 Configuring VNX User Mapping 7.1
Preface
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications.
Please send your opinion of this document to:
[email protected]
Configuring VNX User Mapping 7.1 9
Preface
10 Configuring VNX User Mapping 7.1
Preface
1
Introduction
Every user of the EMC VNX, either a Microsoft Windows user or a
UNIX/Linux user, must be identified by a unique numeric user identifier
(UID) and group identifier (GID). Windows, however, does not use numeric
IDs to identify users. Instead, it uses strings called security identifiers
(SIDs). Therefore, before you configure the Windows file-sharing service,
Common Internet File System (CIFS), on the VNX, you must select a
method of mapping Windows SIDs to UIDs and GIDs. The method you
use depends on whether you have a Windows-only or UNIX/Linux and
Windows (multiprotocol) environment. These methods include:
x
Usermapper
x
LDAP-based directory services (including Active Directory that uses
Microsoft Windows Services for UNIX [SFU] or Identity Management
for UNIX [IdMU])
x
Local files
x
Network Information Service (NIS)
x
Active Directory (by using CIFS Microsoft Management Console [MMC]
snap-ins)
x
ntxmap
Chapter 2 provides more information.
This document is part of the VNX documentation set and is intended for
use by system administrators responsible for configuring and managing
Windows user ID mapping.
Topics included are:
x
System requirements on page 12
x
User interface choices on page 12
x
Related information on page 14
Configuring VNX User Mapping 7.1 11
System requirements
Table 1 on page 12 describes the EMC

VNX

series software, hardware, network, and

storage configurations required for using user mapping as described in this document.
Table 1. System requirements
VNX version 7.0 Software
No specific hardware requirements. Hardware
Windows Server or Windows NT domain. You must configure the domains with the fol-
lowing:
x
Windows Server domains:
x
Active Directory
x
Kerberos or NT Lan Manager (NTLMSSP)
x
DNS
x
NTP
x
Windows NT domains:
x
NT Lan Manager (NTLM)
x
WINS
Network
Verify that sufficient space is available in the root file system. Contact your EMC Customer
Support Representative for assistance with determining size requirements.
Storage
User interface choices
The VNX offers flexibility in managing networked storage based on the support environment
and interface preferences. This document describes how to configure user mapping by using
the command line interface (CLI). You can also perform some of these tasks by using one
of the VNX management applications:
x
EMC Unisphere

software
x
Microsoft Management Console (MMC) snap-ins
x
Active Directory Users and Computers (ADUC) extensions
The Unisphere online help provides additional information about managing VNX.
Installing Management Applications on VNX for File includes instructions on launching
Unisphere, and on installing the MMC snap-ins and the ADUC extensions.
12 Configuring VNX User Mapping 7.1
Introduction
The VNX release notes contain additional, late-breaking information about VNX management
applications.
Using Unisphere
Unisphere can be used to configure a Data Mover to use Usermapper and NIS, as
described in Table 2 on page 13. You cannot use Unisphere to configure the Identity
Management for UNIX feature, or to manage the Active Directory and local files.
Table 2. User mapping configured by using Unisphere
Unisphere procedure Naming service
To configure the Data Mover as an NIS client, select System Network
and click Interfaces.
NIS
To configure Usermapper, select Sharing CIFS and click Usermappers. Usermapper
Unisphere online help provides more information on using Unisphere to configure user
mapping.
Note: You can also use the configuration wizards to set up the use of NIS or basic Usermapper.
User interface choices 13
Introduction
Related information
For specific information related to the features and functionality described in this document:
x
VNX Command Line Interface Reference for File
x
Celerra Network Server Error Messages Guide
x
Parameters Guide for VNX
x
Configuring Events and Notifications on VNX for File
x
Configuring VNX Naming Services
x
Configuring and Managing CIFS on VNX
x
Installing Management Applications on VNX
x
Managing a Multiprotocol Environment on VNX
x
Online VNX for File man pages
x
Using NTMigrate with VNX
x
Using Windows Administrative Tools on VNX
EMC VNX documentation on the EMC Online Support website
The complete set of EMC VNX series customer publications is available on the EMC
Online Support website. To search for technical documentation, go to
http://Support.EMC.com. After logging in to the website, click the VNX Support by Product
page to locate information for the specific feature required.
VNX wizards
Unisphere software provides wizards for performing setup and configuration tasks. The
Unisphere online help provides more details on the wizards.
14 Configuring VNX User Mapping 7.1
Introduction
2
Concepts
The concepts to understand user mapping are:
x
Overview on page 16
x
User mapping in Windows-only environments on page 18
x
User mapping in multiprotocol environments on page 18
x
Secure mapping on page 19
x
User mapping and ntxmap on page 20
x
User mapping database on page 20
x
User mapping process on page 21
x
Usermapper on page 22
x
LDAP-based directory services on page 25
x
Local files on page 25
x
NIS on page 26
x
Active Directory on page 26
x
User account migration tools on page 28
Configuring VNX User Mapping 7.1 15
Overview
Every VNX user must be assigned a unique numeric UID and GID to indicate the ownership
of directories and files. The VNX uses directory and file ownership to apply and enforce
access permissions and quota limits.
Note: For connections from Windows users, file access checking is performed by using SIDs only.
This is done to prevent errors due to UID mismatches and to reduce dependency on the Usermapper
database.
Like the VNX, UNIX/Linux systems use UIDs and GIDs to identify users and groups.
Consequently, the VNX can use the UIDs and GIDs supplied by UNIX/Linux clients without
requiring any additional mappings. Windows, however, does not use numeric IDs to identify
users. Instead, it uses strings called security identifiers (SIDs). Therefore, before you configure
the Windows file-sharing service (referred to as CIFS) on the VNX, you must select a method
of mapping Windows SIDs to UIDs and GIDs. You select a mapping method based on
whether you have a Windows-only or UNIX/Linux and Windows (multiprotocol) environment.
16 Configuring VNX User Mapping 7.1
Concepts
Figure 1 on page 17 identifies the factors that determine the user mapping technique best
suited for the environment.
* cifs resolver parameter must be set to 1
+ cifs useADMap parameter must be set to 1 VNX-000023
Do users have
both UNIX and
Windows
accounts?
Start
LDAP-based directory server
(Active Directory with SFU/IdMU) *
NIS * or LDAP-based directory
server (OpenLDAP or iPlanet)
Active Directory with VNX
CIFS MMC snap-ins
+
Does your
environment
consist primarily
of UNIX or
Windows
users?
Are the
Windows users
in a single domain or
are usernames unique
across multiple
domains?
Are the
Windows users
in a single domain or
are usernames unique
across multiple
domains?
Usermapper
Local files
No, only
Windows
Windows No
Yes
UNIX
No
Yes
Yes
Figure 1. Flowchart of user mapping techniques
Overview 17
Concepts
User mapping in Windows-only environments
The VNX Usermapper feature automatically assigns UIDs and GIDs to Windows users and
groups. Usermapper is part of the Data Mover's software. It does not require separate
installation and, in the case of a new VNX, requires no additional configuration procedures.
EMC recommends that you use Usermapper in Windows-only environments.
Note: Before you configure and run Usermapper, include only one primary Usermapper in a VNX
environment.
User mapping in multiprotocol environments
In multiprotocol environments, file systems can be accessed by UNIX/Linux and Windows
users. File access is determined by the permissions on the file or directory, specifically by
one or both of the following:
x
UNIX/Linux permissions
x
Windows access control lists (ACLs)
Therefore, if a user has UNIX/Linux and Windows user accounts, you should choose a
mapping method that allows you to indicate that the two accounts represent the same user.
The mapping methods that enable you to control the mappings used, and ensure that specific
Windows SIDs are mapped to the corresponding UIDs or GIDs and that the opposite is also
true, include:
x
LDAP-based directory services, such as the Active Directory (that uses Microsoft Windows
Services for UNIX [SFU] or Identity Management for UNIX [IdMU])
x
A Data Movers local user and group files
x
Network Information Service (NIS)
x
Active Directory (by using VNX CIFS Microsoft Management Console [MMC] snap-ins)
Note: If a user in a multiprotocol environment uses only a single login (either through Windows or
UNIX/Linux), then you can use Usermapper. If a user has only one account, mapping to an equivalent
identity in the other environment is not necessary.
18 Configuring VNX User Mapping 7.1
Concepts
Secure mapping
Secure mapping (secmap) is a cache that contains all mappings between SIDs, and UID or
GIDs used by a Data Mover or Virtual Data Mover (VDM). Secmap only caches mappings
that are generated by mapping mechanisms used by VNX; secmap does not generate
mappings. Normally, mappings are persistent and are never updated.
The secmap database stores two kinds of information:
x
SID to UID or GID mappings
x
UID or GID to SID reverse mappings
The Data Mover permanently caches all mappings it receives from any source (Usermapper,
LDAP-based directory services, local files, NIS, and Active Directory) in the secmap database,
making the response to subsequent mapping requests faster and less susceptible to network
problems. Reverse mapping provides better quota support.
Note: Secmap caching is enabled by default and does not require any special setup. EMC recommends
that you use secmap, although it can be disabled if necessary.
Chapter 6 describes the tasks to manage secmap.
Creating secmap mapping entries
To add a new mapping for a user or group to the secmap database, VNX first checks whether
there is enough space to insert a new entry. VNX can only store mappings if there is more
than 5 percent of inodes and blocks available on the secmap file system. This check is made
only at the beginning of the operation. If the threshold is reached during the operation, VNX
continues. An error is returned only if something abnormal occurs. If that occurs, VNX
determines in which domain table the mapping should be put. Before adding the SID mapping,
VNX first adds the corresponding reverse mapping in the required table. Then VNX adds
the main mapping to the corresponding domain table. If a reverse mapping already exists
for the SID, VNX appends a new SID to it.
If there is not enough space to store the new mapping or if a new domain table is needed
and cannot be created, VNX returns an error. If for any reason the main mapping cannot be
added, VNX rolls back the reverse mapping modifications made previously. Create secmap
mapping entries on page 50 describes this task. Report secmap status on page 54 describes
how to display the current secmap status, including database state, domains handled by
secmap, and resource usage (number of inodes and blocks used).
Secure mapping 19
Concepts
Checking and updating secmap mapping entries
To check or update a mapping, VNX first looks for an existing mapping. It then resolves the
mapping again by getting the SID name from the domain controller and creating the mapping
through the available user mapping mechanisms. Finally, VNX compares what it gets by
re-creating the mapping with what had been stored. If the values are different, VNX replaces
the existing value with the new value.
An error is returned if the mapping:
x
Does not exist in the secmap database
x
Could not be resolved
x
Could not be changed
Note: After an update is performed, an update of the ACLs of all file systems should be forced to take
account of the new mappings.
Check secmap mapping entries on page 51 and Update secmap mapping entries on page
52 describe these tasks.
User mapping and ntxmap
In a multiprotocol VNX environment, when a Windows user wants to access a UNIX resource,
or a UNIX user wants to access a Windows resource, the username must be mapped in the
same way in each environment; otherwise, the mapping cannot occur and the user is denied
access to the resource.
However, you might want to map Windows and UNIX users who are identified differently in
each environment. The ntxmap feature allows you to define explicit mappings between such
Windows and UNIX usernames.
Using ntxmap for CIFS User Mapping on VNX provides more information
User mapping database
Earlier versions of the VNX relied on a basic database, nameDB, to maintain Usermapper
and secmap mapping information. In version 5.6, DBMS replaces the basic database. This
solves the inode consumption issue and provides better consistency and recoverability with
the support of database transactions. It also provides better atomicity, isolation, and durability
in database management.
20 Configuring VNX User Mapping 7.1
Concepts
User mapping process
When a user logs in to a Windows domain and requests access to a Data Movers resources:
1. When logging into a Windows NT domain, or when accessing a Data Mover that was
declared as a pre-Windows 2000 computer, the user is authenticated by using NT LAN
Manager (NTLM). If the Data Mover is using a computer name and is joined to a Windows
Server domain, the user is authenticated through Kerberos or NT LAN Manager
secure-socket provider (NTLMSSP).
2. The users identification is forwarded to the Data Mover.
3. The Data Mover follows the default search order and searches these sources for an
existing mapping of the users SID to a UID or GID:
Note: If an nsswitch.conf file has been created on the Data Mover, the order in which the UNIX or
Linux-based sources (local files, NIS, and LDAP-based directory servers) are queried is determined
by that file. Configuring VNX Naming Services provides information on using the nsswitch.conf
file.
a. The Data Mover first checks its secmap database for an existing SID to UID or GID
mapping.
b. If no mapping is found, the Windows domain controller is queried for the user or group
name associated with the SID, and then the Data Mover checks its local passwd and
group files for a UID or GID to associate with the name.
c. If no mapping is found, and NIS is configured, the Data Mover queries NIS for a UID
or GID to associate with the name.
d. If no mapping is found, and LDAP-based directory services are configured (including
Active Directory with SFU or IdMU), the Data Mover queries the LDAP-based directory
services for a UID or GID to associate with the name.
e. If no mapping is found, and queries to the Active Directory (by using VNX CIFS MMC
snap-ins) are configured, the Data Mover queries the Active Directory for an SID to
UID or GID mapping.
f. If no mapping is found, the Data Mover queries Usermapper for an SID to UID or GID
mapping.
g. The primary Usermapper service checks its database to determine if this user or group
has already been assigned a UID or GID. If not, the primary Usermapper generates
a new UID or GID and adds the new user or group and the mapping to its database.
It then returns the mapping to the Data Mover.
h. The Data Mover permanently caches all mappings it receives from any source
(Usermapper, LDAP-based directory services including Active Directory with SFU or
IdMU, local files, NIS, and Active Directory by using MMC snap-ins) in the secmap
database, making the response to subsequent SID to UID or GID mapping requests
faster and less susceptible to network problems.
i. The user is then authenticated and given access to the CIFS share (network drive).
User mapping process 21
Concepts
j. If a user ID mapping cannot be resolved through one of these methods, an error is
logged in the server log and the user is unable to access the CIFS share (network
drive).
Usermapper
Usermapper is a VNX service that automatically generates and maintains a database that
maps SIDs to UIDs and GIDs for users or groups accessing file systems from a Windows
domain. Usermapper performs these functions:
x
One instance of the Usermapper service serves as the primary Usermapper, meaning
that it assigns UIDs and GIDs to Windows users and groups. By default, this instance is
configured on the Data Mover in slot 2 (server_2).
x
The other Data Movers in a single VNX environment are configured as clients of the
primary Usermapper service, meaning that they send mapping requests to the primary
service when they do not find a mapping for a user or group in their local cache. By
default, all the client Data Movers automatically relay a broadcast over the VNX systems
internal interfaces to discover the location of the primary Usermapper service. Using the
default single-VNX Usermapper configuration on page 24 provides information on
Usermapper services in a single VNX environment.
x
In a multi-VNX environment, only a single primary Usermapper service is configured on
one of the VNX platforms, and all the Data Movers on that platform will use the primary
Usermapper service. Each additional VNX platform will have its own secondary
Usermapper service, and all their respective Data Movers would point to its secondary
Usermapper. Like a primary Usermapper service, a secondary Usermapper service
checks its database to determine if a user or group has already been assigned a UID or
GID. If not, it forwards the mapping request to the primary Usermapper service. The
primary Usermapper service checks its database and, if necessary, generates a new
UID or GID, and returns the mapping to the secondary Usermapper service.
The secondary Usermapper service then adds the new user or group and the mapping to
its database, and returns the mapping to the Data Mover. If the secondary Usermapper
service is unavailable, new users cannot access files. Existing users can access files only
if a user has used the Data Mover before and the Data Movers local cache contains the
previous mapping.
Configure a multi-VNX Usermapper environment on page 30 provides information on
configuring Usermapper services in an environment with more than one VNX sharing the
same domain space.
Restrictions
Before you configure and run Usermapper, note these restrictions:
x
Designate only one primary Usermapper service in a given VNX environment, and only
on one of the VNX platforms, in case of a multi-VNX environment. Otherwise, the same
22 Configuring VNX User Mapping 7.1
Concepts
user can be assigned different mappings. Additional VNX platforms should run a secondary
Usermapper service and point to the primary Usermapper service to obtain their mappings.
A primary Usermapper service and a secondary Usermapper service should not be run
on the same VNX cabinet.
x
In a single VNX, ensure that there is only one instance of the Usermapper service, either
primary or secondary. All the other Data Movers in that VNX are clients of the primary
or secondary service.
x
In a multi-VNX environment, ensure that the primary Usermapper service is enabled
before you configure any secondary Usermapper services.
x
By default, Usermapper runs on the Data Mover in slot 2 (server_2). This is the preferred
location from which to run the primary or secondary Usermapper service.
x
You cannot configure a primary or secondary Usermapper service on a Virtual Data
Mover (VDM).
Planning considerations
Before you begin using Usermapper, consider these situations:
x
Usermapper stops mapping new UIDs and GIDs when the root file system of the Data
Mover on which the Usermapper database is stored becomes full. In this situation, new
users will not be allowed access to system objects. The size of the root file system that
is required is based on the number of users in the Windows environment. Contact your
EMC Customer Support Representative for assistance with determining size requirements.
x
If you are replicating a Windows environment that uses Usermapper or if you are using
the EMC Symmetrix

Remote Data Facility (SRDF

), special Usermapper restrictions

might apply. Contact your EMC Customer Support Representative for more information.
x
In Usermapper, the UID and GID ranges are fixed in the Usermapper database, and
Usermapper automatically assigns new UIDs and GIDs based on the next available
value. Therefore, it does not need to use a Usermapper configuration file to define UID
and GID ranges. However, it is possible to import an existing usrmap.cfg and use this
file to define UID and GID ranges. This is referred to as the manual mapping method.
After the ranges defined in the usrmap.cfg file are enabled, Usermappers automatic
mapping method maintains this information and prevents duplicate mappings.
Note: If there is no special reason to use particular UID and GID ranges for the environments
domains, EMC encourages you to use the automatic mapping method and let Usermapper
automatically assign new UIDs and GIDs based on the next available values. If a future revision
to the usrmap.cfg file cannot be avoided, contact your EMC Customer Support Representative for
assistance.
x
Usermapper supports the SID History functionality introduced in Windows 2000. This
aids the migration of users from Windows NT domains to Windows 2000 native mode
domains. To use the SID History, it must be enabled in Windows 2000 and on the VNX
system. Windows 2000 documentation provides the correct procedure for enabling SID
Usermapper 23
Concepts
History on the Windows 2000 systems. With SID History enabled, when you migrate
users from a Windows NT domain or a Windows 2000 domain in mixed mode to a
Windows 2000 domain in native mode, the Security Access Token contains the SID
History from the Windows NT domain and a new SID from the Windows 2000 domain.
Usermapper automatically assigns UID and GID mappings, including SID History, by
default.
Using the default single-VNX Usermapper configuration
Note: When a new system running software version 5.3 or later is started for the first time, it is
automatically configured with the default single VNX Usermapper configuration. In this situation,
Usermapper is automatically enabled as a VNX for file service and no additional installation or
configuration procedures are required.
The default Usermapper configuration consists of a single VNX in which the Data Mover in
slot 2 (server_2) is configured with the primary Usermapper service. Each of the remaining
Data Movers in the VNX system cache all the SID to UID or GID mappings it has used.
However, if one of these Data Movers is accessed by a user for whom it does not have a
mapping, it queries the primary Usermapper service. These Data Movers are clients of the
primary Usermapper service. By default, all the Data Movers in the VNX system automatically
relay a broadcast over the VNX internal interfaces to discover the location of the primary
Usermapper service.
Certain UID and GID values are reserved and cannot be mapped to SIDs. For example, 0
is reserved for the UNIX root account. Additional numbers are reserved for maintenance.
UID and GID values can start at 32 KB. The maximum possible value for UIDs and GIDs is
imposed by the underlying file system. All domain users and groups accessing this file
system are assigned UIDs and GIDs based on these definitions.
Note: As in a standard VNX configuration, you can configure another Data Mover to serve as a failover
Data Mover, providing a backup for the primary Usermapper service.
Display Usermapper status on page 40 describes how to verify the Usermapper configuration
and display its current status. In case the primary Usermapper service is not automatically
enabled, Chapter 7 provides information that can help resolve the issue. Chapter 5 provides
information on managing the Usermapper environment.
Using a multi-VNX Usermapper environment
If you have a VNX environment in which there is more than one VNX that shares the same
Windows domain space, the default Usermapper configuration is not suitable. In this situation,
you must modify the default Usermapper configuration on all the additional VNX systems
to use one primary Usermapper service. In this situation, use a configuration in which the
Data Mover located in slot 2 (server_2) of each of the additional VNX servers is configured
as a secondary Usermapper service. The remaining Data Movers in each VNX server then
24 Configuring VNX User Mapping 7.1
Concepts
send mapping requests to their local secondary Usermapper service, and each secondary
Usermapper service then forwards these requests to the single primary Usermapper service.
The secondary Usermapper service sends mapping requests to the primary Usermapper
service one at a time and only when needed. Therefore, all the secondary Usermapper
services in an environment might not have the same entries in their databases.
Note: If there is any possibility of file systems ever being replicated, then the VNX servers involved
should share a single primary Usermapper service.
Configure a multi-VNX Usermapper environment on page 30 describes this task. Chapter
5 provides information on managing the Usermapper environment.
LDAP-based directory services
If the multiprotocol environment consists primarily of UNIX users and has only one Windows
domain, or usernames that are unique across multiple Windows domains, you can use
LDAP-based directory services, including Active Directory with SFU or IdMU, to manage
user and group mapping.
Note: EMC recommends that you use the Active Directory with SFU or IdMU for user mapping in
multiprotocol environments.
Configuring VNX Naming Services provides information on configuring a Data Mover as a
client of an LDAP-based directory server.
After you have configured LDAP-based directory services, the Data Mover automatically
checks the LDAP-based directory server for a user and group name. By default, it checks
for a username in the form username.domain and a group name in the form
groupname.domain. If you have added usernames and group names to the LDAP-based
directories without a domain association, you can set the cifs resolver parameter so that the
Data Mover looks for the names without appending the domain. Retrieve user and group
names without a domain association on page 34 provides a description of using the cifs
resolver parameter.
Note: User account migration tools on page 28 provides information about migrating user information
from one environment to another.
Local files
If the multiprotocol environment consists primarily of UNIX users and has more than one
Windows domain, or usernames that are not unique across the Windows domains, you can
manually edit the Data Movers local passwd and group files. Copy local files from the Data
Mover on page 35 describes how to manually add Windows users and groups to the passwd
and group files on the Data Mover.
LDAP-based directory services 25
Concepts
By default, the Data Mover checks for a username in the form username.domain and a
groupname in the form groupname.domain. If the usernames and group names do not have
a domain association, you must add the Windows domain name and verify that the Windows
user is assigned the UID and GID of the existing UNIX account.
If you have added usernames and group names to the local files without a domain association,
you can set the cifs resolver parameter so the Data Mover looks for the names without
appending the domain. Retrieve user and group names without a domain association on
page 34 provides a description of using the cifs resolver parameter.
Note: User account migration tools on page 28 provides information about migrating user information
from one environment to another.
NIS
If the multiprotocol environment consists primarily of UNIX users and has only one Windows
domain, or usernames that are unique across multiple Windows domains, you can use NIS
to manage user and group mapping.
Configuring VNX Naming Services provides information on configuring a Data Mover to
access a NIS server. NIS server documentation provides information about manually updating
the NIS passwd and group maps.
Note: All of the entries (Windows names, usernames, domain names, and global group names) in the
passwd and group maps must be typed in lowercase ASCII only.
After you have configured NIS, the Data Mover automatically checks NIS for a user and
group name. By default, it checks for a username in the form username.domain and a group
name in the form groupname.domain. If you have added usernames and group names to
NIS without a domain association (which reflects the use of NIS files without any
modifications), you can set the cifs resolver parameter so the Data Mover looks for the
names without appending the domain. Retrieve user and group names without a domain
association on page 34 provides a description of using the cifs resolver parameter.
Note: User account migration tools on page 28 provides information about migrating user information
from one environment to another.
Active Directory
Before the introduction of Microsoft software that provides a UNIX environment on Windows
(Active Directory with SFU or IdMU), Active Directory was primarily used in Windows Server
environments to provide authentication and authorization for Windows users.
26 Configuring VNX User Mapping 7.1
Concepts
Note: EMC recommends that you use Active Directory with SFU or IdMU instead of Active Directory
with Celerra CIFS MMC snap-ins. Do not use the ADmap parameter. LDAP-based directory services
on page 25 provides more information on using Active Directory with SFU or IdMU.
However, if the Active Directory schema was extended with an EMC proprietary schema to
include UNIX attributes for Windows users and groups, you could configure a Data Mover
to query the Active Directory to determine if a user and the group of which the user is a
member have UNIX attributes assigned. If so, information stored in these attributes could
be used for file access authorization.
To configure a Data Mover to query the Active Directory for UNIX attributes, you must install
the UNIX user management component of the Celerra CIFS management MMC snap-ins.
You must also set the cifs useADMap parameter. Configure a Data Mover to query the Active
Directory on page 38 describes this task.
Installing Management Applications on VNX for File and the Celerra UNIX User Management
and Celerra UNIX Attribute Migration online help systems provide more information. User
account migration tools on page 28 provides information about migrating user information
from one environment to another.
UNIX user management snap-in
UNIX User Management is an MMC snap-in to the VNX Management view that you can use
to assign, remove, or modify the UNIX UID or GIDs for a single Windows user or group on
the local domain and on remote domains.
You also use this snap-in to select the location of the attribute database. This location can
either be in a local or a remote domain. You would choose to store the attribute database
in the Active Directory of a local domain when:
x
You have only one domain.
x
Trusts are not allowed.
x
You do not need to centralize the UNIX user management information.
You would choose a remote domain when:
x
You have multiple domains.
x
Bidirectional trusts between domains that need to access the attribute database already
exist.
x
You want to centralize the UNIX user management information.
Active Directory 27
Concepts
VNX UNIX users and groups property page extension
VNX UNIX Users and Groups property pages are extensions to Active Directory Users and
Computers view.You can use these property pages to assign, remove, or modify UNIX UIDs
or GIDs for a single Windows user or group on the local domain.
Note: You cannot use this extension to manage users or groups on a remote domain.
User account migration tools
If you currently have a single protocol environment (either pure CIFS or pure NFS), and you
want to convert to a multiprotocol environment (supporting Windows and UNIX clients), you
can use these tools to migrate the user accounts from one environment to the other:
x
VNX UNIX Attributes Migration Tool
x
NTMigrate
VNX UNIX Attributes Migration tool
VNX UNIX Attributes Migration is a tool that enables you to migrate existing UNIX users
from the VNX (local files) or NIS to the Active Directory. You can select the UNIX attributes
(UIDs and GIDs) to add to the Active Directory. However, you cannot add new users or
groups, nor can you modify existing UNIX UIDs or GIDs. To add new users or groups, or to
modify existing UNIX attributes, see Active Directory on page 26 for information on using
the Active Directory for user mapping.
Note: Using this tool extends the Active Directory schema. After the schema is extended, you cannot
revert to the original Active Directory schema.
Installing Management Applications on VNX provides more information on installing this
tool. The VNX UNIX Attributes Migration Tool online help provides more information on using
this tool.
NTMigrate
NTMigrate is a tool that migrates Windows users to an existing UNIX UID or GID database
(local passwd file or NIS). NTMigrate collects user information from the Windows domain
and merges it with UNIX passwd and group files.
NTMigrate is best suited for mapping large Windows domains into UNIX UIDs and GIDs.
Using NTMigrate with VNX provides more information.
28 Configuring VNX User Mapping 7.1
Concepts
3
Configuring in Windows
Environments
EMC recommends that you use Usermapper in Windows-only
environments. User mapping in Windows-only environments on page 18
provides general information.
A new VNX is automatically configured with the default single VNX
Usermapper configuration. Using the default single-VNX Usermapper
configuration on page 24 provides general information on single-VNX
Usermapper environments.
If you have a VNX environment in which there is more than one VNX that
shares the same Windows domain space, you must modify the default
Usermapper configuration on all the additional VNX systems to use one
primary Usermapper service. Configure a multi-VNX Usermapper
environment on page 30 describes this task.
The task to configure user mapping in Windows-only environments is:
x
Configure a multi-VNX Usermapper environment on page 30
Configuring VNX User Mapping 7.1 29
Configure a multi-VNX Usermapper environment
To configure a multi-VNX Usermapper environment:
1. Verify the status of the primary Usermapper service on page 30
2. Disable the primary Usermapper service on page 31
3. Configure the secondary Usermapper service on page 31
4. Verify the status of the secondary Usermapper service on page 32
Using a multi-VNX Usermapper environment on page 24 provides general information on
multi-VNX Usermapper environments.
Note: In this procedure, the VNX that supports the primary Usermapper service is referred to as VNX
1 and the VNX that runs the secondary Usermapper service is referred to as VNX 2.
Verify the status of the primary Usermapper service
On VNX 1, verify that the primary Usermapper service is enabled on server_2, which is the
default configuration.
Action
To verify that the primary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
where:
<movername> = name of the Data Mover
Example:
To verify that the primary Usermapper service is enabled on server_2 of VNX 1, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Primary
30 Configuring VNX User Mapping 7.1
Configuring in Windows Environments
Disable the primary Usermapper service
The default Usermapper configuration always designates the Data Mover in slot 2 (server_2)
as supporting the primary Usermapper service. You must explicitly configure a Data Mover
on VNX 2 to support a secondary Usermapper service. On VNX 2, disable the primary
Usermapper service that is enabled by default.
No user mapping requests should be sent to the primary Usermapper service on VNX 2
before you have reconfigured it. Consequently, you should not configure CIFS on the VNX
2 Data Movers until the Usermapper service is reconfigured as a secondary service.
Action
To disable the primary Usermapper service, use this command syntax:
$ server_usermapper <movername> -disable
where:
<movername>= name of the Data Mover
Example:
To disable the primary Usermapper service on server_2 of VNX 2, type:
$ server_usermapper server_2 -disable
Output
server_2 : done
Configure the secondary Usermapper service
After you have disabled the primary Usermapper service on VNX 2, you can configure
server_2 to run as a secondary Usermapper service.
When you enable a secondary Usermapper service, you also indicate the location of the
primary Usermapper service to which the secondary service will send mapping requests.
To do this, specify the IP address of the Data Mover on which the primary service is located.
Note: The primary Usermapper service must be enabled before you configure a secondary service.
Action
To enable a secondary Usermapper service, use this command syntax:
$ server_usermapper <movername> -enable primary=<ip addr>
where:
<movername> = name of the Data Mover
Configure a multi-VNX Usermapper environment 31
Configuring in Windows Environments
Action
<ip addr> = network IP address of the Data Mover on which the primary Usermapper service is running
Example:
To enable a secondary Usermapper service on server_2 of VNX 2, type:
$ server_usermapper server_2 -enable primary=192.168.21.1
Output
server_2 : done
Verify the status of the secondary Usermapper service
Verify that the secondary Usermapper service has been enabled on server_2 of VNX 2.
Action
To verify that the secondary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
where:
movername = name of the Data Mover
Example:
To verify that the secondary Usermapper service is enabled on server_2 of VNX 2, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1(c)
32 Configuring VNX User Mapping 7.1
Configuring in Windows Environments
4
Configuring in Multiprotocol
Environments
In multiprotocol environments, file systems can be accessed by UNIX/Linux
and Windows users. If a user has both UNIX/Linux and Windows user
accounts, you should choose a mapping method that allows you to indicate
that the two accounts represent the same user. User mapping in
multiprotocol environments on page 18 provides conceptual information:
The tasks to configure user mapping in a multiprotocol environment are:
x
Retrieve user and group names without a domain association on
page 34
x
Configure a Data Mover to query local files on page 34
x
Configure a Data Mover to query the Active Directory on page 38
Configuring VNX User Mapping 7.1 33
Retrieve user and group names without a domain association
By default, VNX checks for a username in the form username.domain and a group name in
the form groupname.domain. If you have added usernames and group names without a
domain association to local files, NIS, or Active Directory (that uses Microsoft Windows
Services for UNIX [SFU] or Identity Management for UNIX [IdMU]), you can set the cifs
resolver parameter so the Data Mover looks for names without appending the domain
extension.
Note: Active Directory with SFU or IdMU requires that cifs resolver be set so that user and group names
are retrieved with a domain extension.
Action
To change the default format of username and group name so that they can be retrieved without a domain extension, use
this command syntax:
$ server_param <movername> -facility cifs -modify resolver -value 1
where:
<movername> = name of the Data Mover
Example:
To change the default format of username and group name so they can be retrieved without a domain extension, type:
$ server_param server_2 -facility cifs -modify resolver -value 1
Output
server_2 : done
Configure a Data Mover to query local files
Before you begin
When editing the passwd and group files:
x
All the entries (Windows names, usernames, domain names, and global group names)
in the passwd and group files must be typed in lowercase ASCII only.
x
Any spaces in Windows domain or group names should be replaced with =20 so that
they become legal in a UNIX-style passwd or group file.
x
If UNIX user authentication is used, run the server_user command to generate an
encrypted password in the password field, but do not include the domain as part of the
username.
Note: Configuring VNX Naming Services provides additional information on using local files for naming
services.
34 Configuring VNX User Mapping 7.1
Configuring in Multiprotocol Environments
Procedure
To manually add Windows users and groups to the passwd and group files on the Data
Mover:
1. Copy local files from the Data Mover on page 35
2. Add the Windows domain name as a group name on page 36
3. Add Windows usernames on page 37
4. Copy edited local files to the Data Mover on page 38
Local files on page 25 provides conceptual information.
Copy local files from the Data Mover
Before editing the local files, you must copy them from the Data Mover.
Copy the passwd and group files from the Data Mover to the Control Station for editing. If
the local files do not exist, create them with an ASCII editor such as vi or Emacs.
CAUTION This command overwrites existing files of the same name without notification. Be
careful when copying files.
Action
To copy the passwd or group file, use this command syntax for each file:
$ server_file <movername> -get <src_file> <dst_file>
where:
<movername> = name of the Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Example:
To copy the passwd file to /home/nasadmin/passwd, type:
$ server_file server_2 -get passwd /home/nasadmin/passwd
Output
server_2 : done
Configure a Data Mover to query local files 35
Configuring in Multiprotocol Environments
Add the Windows domain name as a group name
Use this procedure to add the Windows domain name to the copy of the UNIX group file on
the Data Mover.
Use the UNIX text editors vi, Emacs, or Windows Notepad to manually modify the
configuration file.
Action
Using a text editor, add the Windows domain name as a group name in the group file. Assign a GID for the newly created
group name. The group file entries are in the following format:
<groupname.domain>:*:<GID>:
where:
<groupname.domain> = group name and Windows domain name
* = UNIX password for the group; this field should contain an asterisk (*) because the password is not used on the VNX.
<GID> = unique numeric group ID that you assign to the group name
Example 1:
To add the Windows domain galaxy to the group file, add the following line:
galaxy:*:100
The Windows domain galaxy is the group name. The GID is 100.
Example 2:
Here is an example of a group file, including the galaxy example and the default Windows global groups:
.(numerous UNIX groups skipped)
galaxy:*:100:
domain=20admins.galaxy:*:101: domain=20users.galaxy:*:102:
domain=20guests.galaxy:*:103:
36 Configuring VNX User Mapping 7.1
Configuring in Multiprotocol Environments
Add Windows usernames
Use this procedure to add usernames to the copy of the UNIX passwd file on the Data Mover.
Action
Add the Windows usernames from the Windows domain to the passwd file and assign each user a unique UID and the
GID specified for the Windows domain in Add the Windows domain name as a group name on page 36.
Password file entries are in the following format:
<user.domain>:*:<UID>:<GID> :<name>:<path>:<shell>
where:
<user.domain> = Windows username and domain name, which is appended to preclude accidental mapping to existing
UNIX or Windows clients of the same name
* = UNIX password for the user; if the user authentication mode on the Data Mover is set to NT or SHARE, this field
should contain an asterisk (*); if the Data Mover uses UNIX user authentication, the field should contain the encrypted
password for the user
<UID> = unique user ID that you assign
<GID> = GID assigned to the domain
<name>, <path>, and <shell> are optional informational fields and are ignored during processing
Example:
The following is an example of a password file entry of user, glenn, in the domain galaxy. This requires an entry in passwd
as:
glenn.galaxy:*:530:100:J.GLENN:/usr/home/jdir:/bin/csh
Configure a Data Mover to query local files 37
Configuring in Multiprotocol Environments
Copy edited local files to the Data Mover
Use this procedure to copy the edited local files (passwd or group file) back to the Data
Mover.
CAUTION This command overwrites existing files of the same name without notification. Be
careful when copying files.
Action
To copy the edited local files back to the Data Mover, use this command for each file:
$ server_file <movername> -put <src_file> <dst_file>
where:
<movername> = name of the Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Examples:
$ server_file server_2 -put passwd passwd
$ server_file server_2 -put group group
Output
server_2 : done
Configure a Data Mover to query the Active Directory
Active Directory on page 26 provides conceptual information.
1. Install the UNIX user management component of the CIFS Microsoft Management Console
(MMC) snap-ins for managing VNX users from a Windows computer. These snap-ins
provide a manual mapping method that enables you to assign specific UIDs and GIDs
to Windows users. The CIFS MMC snap-ins are not required if you are using SFU/IdMU
with the Active Directory.
2. Set the cifs useADMap parameter to 1 to enable the snap-ins to interact with the Data
Mover. Installing Management Applications on VNX for File describes how to enable the
CIFS management snap-ins and tools.
38 Configuring VNX User Mapping 7.1
Configuring in Multiprotocol Environments
5
Managing Usermapper
The tasks to manage Usermapper are:
x
Display Usermapper status on page 40
x
Import and export database information on page 42
x
Maintain the Usermapper database on page 43
x
Back up Usermapper on page 44
x
Change Usermapper default configuration settings on page 45
Configuring VNX User Mapping 7.1 39
Display Usermapper status
You can display Usermapper status on the VNX by using two commands:
x
The server_usermapper command displays the status of Usermapper services running
on a Data Mover.
x
The server_cifs command displays a Data Movers CIFS configuration, including the
Usermapper service it is using.
Display Usermapper service information
The server_usermapper command displays the status of Usermapper services running on
a Data Mover, including:
x
Whether Usermapper is configured as a primary or secondary service
x
The IP address of the primary Usermapper service used by the secondary service
x
The operational status of the service
Action
To display the status of the Usermapper service, use this command syntax:
$ server_usermapper <movername>
where:
<movername> = name of the Data Mover
Example:
To display the status of the Usermapper service on server_2, type:
$ server_usermapper server_2
Note Output
Usermapper has three operational states:
x
Uninitialized When Usermapper is not available on
the Data Mover
x
Initialized When Usermapper has been created on
the Data Mover, but has been disabled for some reason
x
Enabled When Usermapper is running
You should have only one instance of the Usermapper ser-
vice, either primary or secondary, in a single VNX server.
All the other Data Movers in that environment are clients of
the primary or secondary service.
server_2 : Usrmapper service: Enabled
Service Class: Secondary Primary =
192.168.21.1(c)
40 Configuring VNX User Mapping 7.1
Managing Usermapper
Display the Data Movers Usermapper service
The server_cifs command displays a Data Movers CIFS configuration, including the
Usermapper service it is using.
If you run the server_cifs command for the Data Mover on which the Usermapper service
is running (typically server_2), the Usermapper service listed displays the Data Movers
loopback address (127.0.0.1) as the IP address of its Usermapper service.
Action
To display the Usermapper service used by a Data Mover, use this command syntax:
$ server_cifs <movername>
where:
<movername> = name of the Data Mover
Example:
To display the Usermapper service used by server_3, type:
$ server_cifs server_3
Output
server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[128.221.252.2] state:active (auto discovered)
Usermapper[1]=[128.221.253.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
Note
This example shows that server_3 is using the Usermapper service located on server_2 at internal IP addresses
128.221.252.2 and 128.221.253.2; the service is available, and the service was located using the autodiscovery broadcast.
Display Usermapper status 41
Managing Usermapper
Import and export database information
You can import and export user and group information to and from the Usermapper database.
Import database information
Typically, you import information into the Usermapper database from a user and group file
to reimport an edited Usermapper database, migrate the primary Usermapper service from
one Data Mover to another, or upgrade or migrate the Usermapper configuration. Contact
your EMC Customer Support Representative for assistance if you are migrating the primary
Usermapper service from one Data Mover to another.
Use the import option of the server_usermapper command to import a user or group file.
Usermapper can import files in either of two formats: a standard UNIX format that corresponds
to the passwd and group file formats, or a format that includes the SID in the first field.
Example of a user file entry in standard UNIX format (Format 1):
rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh
Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder
from domain
dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in standard UNIX format (Format 1):
people.mass.subscribers.db.dir:*:58362:people.mass.subscribers.db.dir:
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
Action
To import user and group information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import {-user | -group} <pathname>
where:
<movername> = name of the Data Mover
<pathname> = name and location of the user file to be imported
Examples:
To import user information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -user /nas/cifs/usrmapperV3/linux/usrmap.passwd
To import group information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -group /nas/cifs/usrmapperV3/linux/usrmap.group
42 Configuring VNX User Mapping 7.1
Managing Usermapper
Output
server_2 : done
Export database information
Typically, you would export user and group information from the Usermapper database to
migrate the primary Usermapper service, back up the Usermapper database, or collect
information for troubleshooting.
Use the export option of the server_usermapper command to export a user or group file.
Usermapper exports files in a format that includes the SID in the first field.
Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder
from domain
dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
Action
To export user and group information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export {-user | -group} <pathname>
where:
<movername> = name of the Data Mover
<pathname> = name and location of the file to which information is to be exported
Examples:
To export user information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
To export group information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
Output
server_2 : done
Maintain the Usermapper database
Do not modify the Usermapper database files. Windows users might have problems accessing
files if you modify the Usermapper database files.
Import and export database information 43
Managing Usermapper
If an issue seems to require a change to a Usermapper mapping entry, consult your EMC
Customer Support Representative to determine the best course of action.
Note: Changes made to the Usermapper database are not reflected by a client Data Mover, if the client
Data Mover has already cached the existing Usermapper information in its local cache. If the files and
folders have already been created by using the existing UIDs and GIDs, just changing the UID or GID
map will make file objects inaccessible.
Back up Usermapper
1. As root, dump the password and group files to a specified directory by typing:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
2. Make a backup copy of the current usrmap.cfg file (if one is in use) by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.cfg /home/nasadmin/usrmap.cfg
3. Make a backup copy of the usrmap.settings file by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.settings
/home/nasadmin/usrmap.settings
44 Configuring VNX User Mapping 7.1
Managing Usermapper
Change Usermapper default configuration settings
Usermapper has default configuration settings, but you can change them by modifying these
parameters:
x
usrmap minuid
x
usrmap maxuid
x
usrmap mingid
x
usrmap maxgid
If you have imported an existing configuration file, these UID and GID range limits only apply
when a new Usermapper database entry is created.
Note: Parameter and facility names are case-sensitive.
Action
To change the default Usermapper UID or GID values, use this command syntax:
$ server_param <movername> -facility usrmap -modify <param_name> -value
<new_value>
where:
<movername> = name of the Data Mover
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the minimum UID value, type:
$ server_param server_2 -facility usrmap -modify minuid -value 32
To change the maximum UID value, type:
$ server_param server_2 -facility usrmap -modify maxuid -value 2147483647
Output
server_2 : done
Change Usermapper default configuration settings 45
Managing Usermapper
46 Configuring VNX User Mapping 7.1
Managing Usermapper
6
Managing secmap
Secure mapping on page 19 provides conceptual information. The tasks
to manage secmap are:
x
Disable secmap on page 48
x
Display secmap mapping entries on page 48
x
Display secmap reverse mapping entries on page 49
x
Create secmap mapping entries on page 50
x
Check secmap mapping entries on page 51
x
Update secmap mapping entries on page 52
x
Remove secmap mapping entries on page 53
x
Export secmap mapping entries on page 53
x
Import secmap mapping entries from a file on page 54
x
Report secmap status on page 54
Configuring VNX User Mapping 7.1 47
Disable secmap
Secmap caching is enabled by default when CIFS service starts. It is automatically disabled
when CIFS service stops. It can also be disabled by using the parameter cifs secmap.enable.
This parameter is only taken into account at CIFS startup.
Action
To disable secmap caching, use this command syntax:
$ server_param <movername> -facility cifs -modify secmap.enable -value 0
where:
<movername> = name of the Data Mover
Example:
To disable secmap caching, type:
$ server_param server_2 -facility cifs -modify secmap.enable -value 0
Output
server_2 : done
Display secmap mapping entries
Action
To display secmap mapping entries for a user, group, domain, or SID, or for all existing entries, use this command syntax:
$ server_cifssupport <movername> -secmap -list [ -name <name> -domain <do
main_name> | -domain <domain_name> | -sid <SID> | -uid <user_id> | -gid
<group_id>]
where:
<movername> = name of the Data Mover
<name> = name of the user or group
<domain_name> = the fully qualified domain name
<SID> = SID
<user_id> = UID
<group_id> = GID
Example:
To display all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -list
To display the secmap mapping entry on server_2 for the user user1 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -list -name user1 -domain NASDOCS
48 Configuring VNX User Mapping 7.1
Managing secmap
Note Output
The output includes the SID, type (user or group), ID (UID
or GID according to type), origin, domain, and account names
(optional).
If a mapping is not found, the message, mapping not found,
is returned.
server_2 : done
Display secmap reverse mapping entries
Action
To display secmap reverse mapping entries (SIDs) for a UID or GID, use this command syntax:
$ server_cifssupport <movername> -secmap -list -uid <user_id> | -gid <group_id>
where:
<movername> = name of the Data Mover
<user_id> = UID
<group_id> = GID
Example:
To display the secmap reverse mapping entry on server_2 for UID 32771, type:
$ server_cifssupport server_2 -secmap -list -uid 32771
Note Output
The output might include multiple SIDs if more than one SID
has been mapped to the specified ID. The output displays
all information associated with the SID.
server_2 : done
Display secmap reverse mapping entries 49
Managing secmap
Create secmap mapping entries
Creating secmap mapping entries on page 19 provides conceptual information.
Action
To create secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -create{ -name <name> -domain <do
main_name> | -sid <SID> }
where:
<movername> = name of the Data Mover
<name> = name of the user or group
<domain_name> = the fully qualified domain name
<SID> = SID
Example:
To create a secmap mapping entry on server_2 for the user user3 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -create -name user3 -domain NASDOCS
Note Output
The output displays all mappings that have changed after
they were introduced to the database.
server_2 : done
50 Configuring VNX User Mapping 7.1
Managing secmap
Check secmap mapping entries
Checking and updating secmap mapping entries on page 20 provides conceptual information.
Action
To check all the secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -verify {-name <name> -domain <do
main_name> | -sid <SID>}
where:
<movername> = name of the Data Mover
<name> = name of the user or group
<domain_name> = fully qualified domain name
<SID> = SID
Example:
To check all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -verify -user user3 -domain NASDOCS
Note Output
The output displays all mappings that have changed after
they were introduced to the database.
server_2 : done
Check secmap mapping entries 51
Managing secmap
Update secmap mapping entries
Checking and updating secmap mapping entries on page 20 provides conceptual information.
Action
To update all the secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -update { -name <name> -domain
<domain_name> | -sid <SID>}
where:
<movername> = name of the Data Mover
<name> = name of the user or group
<domain_name> = the fully qualified domain name
<SID> = SID
Example:
To update all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -update -user user3 -domain NASDOCS
Note Output
The output displays all mappings that have been updated. server_2 : done
52 Configuring VNX User Mapping 7.1
Managing secmap
Remove secmap mapping entries
To remove a mapping, VNX first removes the corresponding reverse mapping and then
removes the main mapping. If the reverse mapping contains several SIDs, VNX removes
the specified SID.
Action
To remove secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -delete { -name <name> -domain
<domain_name> | -sid <SID>}
where:
<movername> = name of the Data Mover
<name> = name of the user or group
<domain_name> = fully qualified domain name
<SID> = SID
Example:
To remove a secmap mapping entry on server_2 for the user user3 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -delete -name user3 -domain NASDOCS
Output
server_2 : done
Export secmap mapping entries
Action
To export secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -export [ -file <filename> ]
where:
<movername> = name of the Data Mover
<filename> = name of the file where the mappings should be saved
Example:
To export secmap mapping entries on server_2, type:
$ server_secmap server_2 -secmap -export -file exportfile.txt
Note Output
If you do not specify a filename, the secmap database is
displayed on the screen.
server_2 : done
Remove secmap mapping entries 53
Managing secmap
Import secmap mapping entries from a file
Action
To import secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap - import -file <filename>
where:
<movername> = name of the Data Mover
<filename> = name of the file that contains the mappings to be imported
Example:
To import secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -import -file importfile.txt
Note Output
If imported mappings conflict with existing mappings, they
are rejected and an error is returned.
server_2 :
Report secmap status
Action
To display current secmap status, including database state, domains handled by secmap, and resource usage (number
of inodes and blocks used), use this command syntax:
$ server_cifssupport <movername> -secmap -report
where:
<movername> = name of the Data Mover
Example:
To display current secmap status on server_2, type:
$ server_cifssupport server_2 -secmap -report
54 Configuring VNX User Mapping 7.1
Managing secmap
Output
server_2 : done
SECMAP GENERAL INFORMATIONS
Name :server_2
State :Enabled
Fs : /
Used nodes : 27
Used blocks : 0
SECMAP MAPPED DOMAIN
Name SID
INTGW2K3 S-1-5-15-56db7d78-9b661160-9e19279b-ffffffff
Report secmap status 55
Managing secmap
56 Configuring VNX User Mapping 7.1
Managing secmap
7
Troubleshooting
As part of an effort to continuously improve and enhance the performance
and capabilities of its product lines, EMC periodically releases new versions
of its hardware and software. Therefore, some functions described in this
document may not be supported by all versions of the software or hardware
currently in use. For the most up-to-date information on product features,
refer to your product release notes.
If a product does not function properly or does not function as described
in this document, contact your EMC Customer Support Representative.
Topics included are:
x
EMC E-Lab Interoperability Navigator on page 58
x
Known problems and limitations on page 58
x
Usermapper events and notifications on page 59
x
Error messages on page 60
x
EMC Training and Professional Services on page 61
Configuring VNX User Mapping 7.1 57
EMC E-Lab Interoperability Navigator
The EMC E-Lab

Interoperability Navigator is a searchable, web-based application that

provides access to EMC interoperability support matrices. It is available on the EMC Online
Support website at http://Support.EMC.com. After logging in, locate the applicable Support
by Product page, find Tools, and click E-Lab Interoperability Navigator.
Known problems and limitations
Table 3 on page 58 describes known problems that might occur when using Usermapper
and presents workarounds.
Table 3. Usermapper known problems and workarounds
Workaround Symptom Known problem
Check the operational state of the prima-
ry service and enable it by using the
server_usermapper <movername> -
enable command.
When you run the server_usermapper
<movername> -enable primary= com-
mand, you receive the following error:
Error 4020: <movername>:failed to
complete command
The primary Usermapper service must
be enabled before secondary services
can be configured.
Determine the required size of the root
file system based on the number of
users in the Windows environment.
Contact your EMC Customer Support
Representative for assistance in deter-
mining size requirements.
The following errors are entered repeat-
edly in the server log for any additional
mapping requests after the root file
system reaches capacity:
error: -20 for user uid request
error: -20 for group gid request
Usermapper stops mapping new UIDs
and GIDs after the root file system of
the Data Mover (where the Usermapper
database is stored) becomes full. New
users will be denied access to system
objects.
Known problems and limitations in using secmap
Table 4 on page 59 describes known problems that might occur when using secmap and
presents workarounds.
58 Configuring VNX User Mapping 7.1
Troubleshooting
Table 4. Secmap known problems and workarounds
Workaround Symptom Known problem
Secmap will work in a degraded mode
until the file system where it resides is
cleaned or extended.
If the secmap file system is nearly full,
the secmap database might reach a
point where it cannot store new map-
pings although it can continue to return
existing mappings.
No new mappings created
Use the secmap commands to check
database consistency and possibly fix
mapping inconsistencies.
CAUTION After modifying
mappings,you must update the
ACLs to ensure that they use
the new mappings. Otherwise,
access rights issues might arise
due to inconsistencies between
secmap mappings and map-
pings stored in ACLs.
By default, secmap is a write-once,
read-many cache to avoid accidental
mapping modifications. However, when
mappings are purposely changed, the
new mapping is not automatically made
in secmap. The new mapping has to be
enforced manually in secmap before
resetting the ACL. Consequently,
secmap can be out of sync if mappings
are changed in mapping services.
Synchronization required with mapping
services
Usermapper events and notifications
Table 5 on page 60 lists the Usermapper events. Configuring Events and Notifications on
VNX for File provides a description of how to configure the Celerra Network Server to record
and display these events.
Usermapper events and notifications 59
Troubleshooting
Table 5. USRMAP events
Event description Event ID Facility description Facility ID Facility name
Usermapper OK 0 Monitors Usermapper events 93 USRMAP
Usermapper database
created
1
Usermapper service
enabled
2
Usermapper service
stopped
3
Usermapper database
destroyed
4
Usermapper available 5
Usermapper unreach-
able
6
Usermapper file sys-
tem quota exceeded
7
Error messages
All event, alert, and status messages provide detailed information and recommended actions
to help you troubleshoot the situation.
To view message details, use any of these methods:
x Unisphere software:

Right-click an event, alert, or status message and select to view Event Details, Alert
Details, or Status Details.
x CLI:

Type nas_message -info <MessageID>, where <MessageID> is the message

identification number.
x Celerra Error Messages Guide:

Use this guide to locate information about messages that are in the earlier-release
message format.
60 Configuring VNX User Mapping 7.1
Troubleshooting
x EMC Online Support website:

Use the text from the error message's brief description or the message's ID to search
the Knowledgebase on the EMC Online Support website. After logging in to EMC
Online Support, locate the applicable Support by Product page, and search for the
error message.
EMC Training and Professional Services
EMC Customer Education courses help you learn how EMC storage products work together
within your environment to maximize your entire infrastructure investment. EMC Customer
Education features online and hands-on training in state-of-the-art labs conveniently located
throughout the world. EMC customer training courses are developed and delivered by EMC
experts. Go to the EMC Online Support website at http://Support.EMC.com for course and
registration information.
EMC Professional Services can help you implement your system efficiently. Consultants
evaluate your business, IT processes, and technology, and recommend ways that you can
leverage your information for the most benefit. From business plan to implementation, you
get the experience and expertise that you need without straining your IT staff or hiring and
training new personnel. Contact your EMC Customer Support Representative for more
information.
EMC Training and Professional Services 61
Troubleshooting
62 Configuring VNX User Mapping 7.1
Troubleshooting
Glossary
A
access control list (ACL)
Ll ae nl enle (ACI) lhal de nmalnabul lhe ue andgu aved
ae l an b|el.
Active Directory (AD)
Adaned dely ee nuded vlh Wndv ealng ylem. Il le nmaln
abul b|el n a nelv and mae lh nmaln aaabe l ue and nelv
admnlal lhugh a l uh a Lghlveghl Dely Ae Il (LDAI).
authentication
Ie eyng lhe denlly a ue lyng l ae a eue, b|el, ee, uh
a a e a dely.
C
CIFS server
Lga ee lhal ue lhe CIIS l l lane e. ADala Me an hl many nlane
a CIIS ee. Iah nlane eeed l a a CIIS ee.
CIFS service
CIIS ee e lhal unnng n lhe Dala Me and eenl hae n a nelv a
ve a n Ml Wndv-baed mule.
Control Station
Hadvae and lvae mnenl VNX e lhal manage lhe ylem and de lhe
ue nleae l a VNX e mnenl.
D
Data Mover
In VNX e, a abnel mnenl lhal unnng l vn ealng ylem lhal elee
dala m a lage dee and mae l aaabe l a nelv enl. Th a eeed l a
a bade.
Configuring VNX User Mapping 7.1 63
database management system (DBMS)
Slvae degned l manage dalabae. Dala Me ue DMS l eale and manage
Uemae and ema mang nmaln.
domain
Lga gung Ml Wndv See and lhe mule lhal hae mmn
euly and ue aunl nmaln. A eue uh a mule and ue ae dman
membe and hae an aunl n lhe dman lhal unuey denle lhem. The dman
admnlal eale ne ue aunl eah ue n lhe dman, and lhe ue g n l lhe
dman ne. Ue d nl g n l eah nddua ee.
domain controller
See lhal aulhenlale ue gn and manlan lhe euly y and lhe euly aunl'
male dalabae a Wndv dman. Dman nle manage ue ae l a nelv,
vhh nude ggng n, aulhenlaln, and ae l lhe dely and haed eue.
See also Windows domain.
Domain Name System (DNS)
Name euln lvae lhal av ue l ale mule n a UNIX nelv TCI/II
nelv by dman name. The DNS ee manlan a dalabae dman name, hlname,
and lhe endng II addee, and ee ded by lhe aaln ee.
See also ntxmap.
G
group identifier (GID)
Nume denle agned l a alua gu ue.
I
Identity Management for UNIX (IdMU)
Ml lvae lhal de a UNIXennmenl n Wndv, eay UNIXdenlly
and euly ee.
K
Kerberos
Aulhenlaln, dala nlegly, and dala ay enyln mehanm ued l ende
aulhenlaln nmaln. Kebe exl vlh NTLM (Nelgn ee) and, ung
eel-ey ylgahy, de aulhenlaln enl/ee aaln.
L
LDAP-based directory
Delyee lhal ul LDAI, nudng Ale DelyvlhIdMU, SIU, OenLDAI,
Ianel (a nvn a Sun }aa Sylem Dely See and Sun ONI Dely See).
Lightweight Directory Access Protocol (LDAP)
Induly-landad nmaln ae l lhal un dely e TCI/II. Il lhe may
ae l Ale Dely and LDAI-baed dely ee. LDAI en 3
64 Configuring VNX User Mapping 7.1
Glossary
dened by a el Ied Slandad dumenl n Inlenel Ingneeng Ta Ie (IITI)
RIC 2251.
M
Microsoft Windows Services for UNIX (SFU)
Ml lvae lhal de a UNIX ennmenl n Wndv.
N
network file system (NFS)
Nelv e ylem (NIS) a nelv e ylem l lhal av a ue n a enl
mule l ae e e a nelv a eay a lhe nelv dee vee allahed l l
a d.
Network Information Service (NIS)
Dlbuled dala u ee lhal hae ue and ylem nmaln a a nelv,
nudng uename, avd, hme dele, gu, hlname, II addee, and
nelgu denln.
Network Time Protocol (NTP)
Il ued l ynhnze lhe ealme n a mule vlh a nelv lme ue.
ntxmap
Culmzed lvae ued l ul mang euemenl n a mull ennmenl.
P
primary Usermapper service
Inlane lhe Uemae ee lhal agn ue ID (UID) and GID l Wndv ue
and gu by ang VNX e ae l ylem b|el.
Q
quota
Lml n lhe amunl aaled d ae and lhe numbe e (nde) lhal a ue gu
ue an eale n a Iduln Ie Sylem. Qula nl lhe amunl d ae lhe
numbe e lhal a ue gu ue an nume blh.
S
secondary Usermapper service
In a mul-VNX e ennmenl, an nlane lhe Uemae ee lhal vad
euel ue mang l lhe may Uemae ee and elun lhe mang l
lhe Dala Me n addln l lng lhe mang l ee.
security identifier (SID)
Unue denle lhal dene a ue gu n a Ml Wndv ennmenl. Iah ue
gu ha l vn SID.
Configuring VNX User Mapping 7.1 65
Glossary
SFU
See Microsoft Windows Services for UNIX.
U
user file
Ree l lhe avd e lhal ede n eah Dala Me.
User ID (UID)
Nume denle lhal end l a alua ue.
Usermapper
See lhal aulmalay ma dlnl Wndv ue and gu l dlnl UNIX-lye
UID and GID.
W
Windows domain
Ml Wndv dman nled and managed by a Ml Wndv See by ung
lhe Ale Dely l manage a ylemeue and by ung lhe DNS name euln.
Windows Internet Naming Service (WINS)
Slvae ee lhal dynamay ma II addee l mule name (NelIOS name).
Th av ue l ae eue by name nlead eung lhem l ue II addee
lhal ae dul l egnze and emembe. WINS ee ul enl by unnng
Wndv NT 4.0 and eae en Ml ealng ylem.
Windows NT domain
Ml Wndv dman nled and managed by a Ml Wndv NT ee by
ung a SAM dalabae l manage ue and gu aunl and a NelIOS nameae. In a
Wndv NT dman, lhee ne may dman nle (IDC) vlh a ead/vle y
lhe SAM, and by eea bau dman nle (DC) vlh ead-ny e lhe
SAM.
See also domain and domain controller.
66 Configuring VNX User Mapping 7.1
Glossary
Index
A
Active Directory
Windows only 26
C
configuration
default 24
multicabinet 25
secondary 25
settings, modifying 45
D
database, modifying 44
E
EMC E-Lab Navigator 58
error messages 60
events, list of USRMAP 59
exporting database information 43
I
Identity Management for UNIX (IdMU) 18, 34
IdMU 18, 34
importing database information 42
installation 24
Internal Usermapper 22
L
local files 26
M
mapping
user IDs, resolution order 21
messages, error 60
Microsoft Windows Services for UNIX (SFU) SFU
(Microsoft Windows Services for UNIX) 18, 34
multiprotocol environments 18
N
NIS 25, 26
P
parameters 45
password and group files 25, 26
S
secondary configuration 25
SID history 24
snap-ins, UNIX User Management 27
T
tools
UNIX Attribute Migration 28
UNIX User Management 27
Configuring VNX User Mapping 7.1 67
tools (continued)
UNIX Users and Groups property page
extension 28
U
UNIX Attributes Migration tool 28
UNIX User and Groups property page extenion 28
UNIX User Manager snap-in 27
user ID resolution
local files 25
NIS 25, 26
UNIX Attributes Migration tool 28
UNIX User and Groups property page extension
28
user ID resolution (continued)
UNIX User Manager snap-in 27
user IDs, look-up order 21
Usermapper
default configuration 24
exporting database information 43
external 18
importing database information 42
internal 18
modifying
database 44
default settings 45
multicabinet configuration 25
restrictions 22
secondary configuration 25
using secondary service 25
68 Configuring VNX User Mapping 7.1
Index