Mapper File

EMC VNX Series
Release 7.0
Configuring VNX User Mapping

P/N 300-011-856
REV A01
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
" 2009 - 2011 $," ".
/ % 2011
$," . 3
.
3'$ (-%.1, 3(.- (- 3'(2 /4!+(" 3(.- (2 /1.5(#$# " 2 (2." $," ".1/.1 3(., *$2 -. 1$/1$2$-3 3(.-2 .1 6 11 -3($2 .% -8 *(-# 6(3' 1$2/$"3 3.
3'$ (-%.1, 3(.- (- 3'(2 /4!+(" 3(.-, -# 2/$"(%(" ++8 #(2"+ (,2 (,/+($#
6 11 -3($2 .% ,$1"' -3 !(+(38 .1 %(3-$22 %.1 / 13("4+ 1 /41/.2$.
4, , $,"
.
% -- , 3
# $," /.
% -- $," , $," " 3
$,"..
.
" ': ', ,
Configuring VNX User Mapping 7.0
01748-9103
Contents
Preface.....................................................................................................7
Chapter 1: Introduction.........................................................................11
2 .............................................................................................12
4 ...........................................................................................12
1 ..............................................................................................14
Chapter 2: Concepts.............................................................................15
.................................................................................................................16
4 6- ...............................................18
4 .................................................18
2 .....................................................................................................19
" ............................................................19
" ..................................20
4 ..................................................................................20
4 ........................................................................................20
4 ..........................................................................................21
4............................................................................................................22
1...................................................................................................22
/ .............................................................................23
4 -5-7 4 ...................24
4 -5-7 4 .......................................24
+# /- ...........................................................................25
+ ................................................................................................................25
-(2...........................................................................................................................26
#.....................................................................................................26
4-(7 -...............................................................27
Contents
5-7 4-(7 ........................28

4 ...............................................................................28
5-7 4-(7 , ......................................................28
-3,....................................................................................................28
Chapter 3: Configuring in Windows Environments..............................31

" -5-7 4 .........................................32
5 4 ............................32
# 4 ................................................33
" 4 ........................................33
5 4 .........................34
Chapter 4: Configuring in Multiprotocol Environments......................35

1 .....................36
" # , .....................................................36
" # ,......................................................37
6 ................................38
6 ..........................................................................39
" # ,...............................................40
" # , #..................................40
Chapter 5: Managing Usermapper.....................................................41

# 4 ..................................................................................42
# 4 ................................................42
# # , 4 .......................................43
( ...........................................................44
( .....................................................................44
$ .....................................................................45
, 4 ....................................................................45
! 4.............................................................................................46
" 4 ........................................47
Chapter 6: Managing secmap............................................................49

# ......................................................................................................50
# ........................................................................50
# ..........................................................51
" ..........................................................................52
" ...........................................................................53
4 ........................................................................54
Contents
1 .......................................................................55
$ ..........................................................................55
( ......................................................56
1 ............................................................................................56
Chapter 7: Troubleshooting..................................................................59
$," $-+ ( -..............................................................60
* .......................................................................60
* ................................60
4 .................................................................61
$ .......................................................................................................62
$," 3 / 2...........................................................63
Glossary..................................................................................................65
Index.......................................................................................................69
Contents
Preface
,
$," . 3,
.
% -- , .
( ,
$," .
Preface
Special notice conventions

$," :
CAUTION:
.
Important:
Note:
, -.
Hint: , -
.
Where to get help

$," , , :
/ % , , ,
$," , , , $," . 2
( ) ://2.$,"..
3 & $," . 2 .
2 / .
3 % , $," "
2 $," . 2 . ,
2 / , Live Chat Create a service request. 3
$," . 2,
. " $,"
.
Note: #
.
Your comments
8 , ,
.
/ :
Preface
techpubcomments@EMC.com
Preface
10
1
Introduction
$ $," 5-7, , 6
4-(7/+ ,
(4(#) (&(#). 6, ,
(# . (,
(2(#). 3, 6 - ,
" ( % 2 ("(%2), 5-7,
6 2(# 4(# &(#. 3
6- 4-(7/+
6 () . 3 :
+# /- ( #
, 6 2 4-(7 [2%4] ( ,
4-(7 [(,4])
- ( 2 (-(2)
# ( "(%2 , , " [,,"]

-)
" 2 .
3 5-7

6 (# .
3 :
2 12
4 12
1 14
11
Introduction
System requirements
3 1 12 $," 5-7 , , ,
.
Table 1. System requirements
Software
VNX version 7.0
Hardware
No specific hardware requirements.
Network
Windows Server or Windows NT domain. You must configure the domains with the following:
Storage
Windows Server domains:
Active Directory
Kerberos or NT Lan Manager (NTLMSSP)
DNS
NTP
Windows NT domains:
NT Lan Manager (NTLM)
WINS
Verify that sufficient space is available in the root file system. Contact your EMC Customer
Support Representative for assistance with determining size requirements.
User interface choices

3 5-7
. 3
("+(). 8
5-7 :
$," 4
, , " (,,") -
# 4 " ( #4")
3 4 5-7.
( , 5-7 %
4, ,," - #4" .
12
Introduction
3 5-7 , - 5-7
.
Using Unisphere
4 # , 4 -(2,
3 2 13. 8 4 (
, 4-(7 , # .
Table 2. User mapping configured by using Unisphere
Naming service
Unisphere procedure
NIS
To configure the Data Mover as an NIS client, select System Network

and click Interfaces.
Usermapper
To configure Usermapper, select Sharing CIFS and click Usermappers.
4 4
.
Note: 8 -(2 4.
User interface choices
13
Introduction
Related information
% :
5-7 " + ( 1 %
" - 2 $ , &
/ & 5-7
" $ - 5-7 %
" 5-7 - 2
" , "(%2 5-7
( , 5-7
, , $ 5-7
. 5-7 %
4 -3, 5-7
4 6 3 5-7
EMC VNX documentation on the EMC Online Support website

3 $," 5-7 $,"
. 2 . 3 ,
://2.$,".. , 5-7 2
/ .
VNX wizards
4 . 3
4 .
14
2
Concepts
3 :
. 16
4 6- 18
4 18
2 19
4 20
4 20
4 21
4 22
+# /- 25
+ 25
-(2 26
# 26
4 28
15
Concepts
Overview
$ 5-7 4(# &(#
. 3 5-7
.
Note: % 6 , 2(# . 3
4(# 4
.
+ 5-7, 4-(7/+ 4(# &(# .

", 5-7 4(# &(# 4-(7/+
. 6, , (#
. (, (2(#). 3,
6 - ( "(%2) 5-7,
6 2(# 4(# &(#. 8
6- 4-(7/+ 6 ()
.
16
Concepts
% 1 17
.
Start
Do users have
both UNIX and
Windows
accounts?
No, only
Windows
Usermapper
Yes
Does your
environment
consist primarily
of UNIX or
Windows
users?
Windows
UNIX
Are the
Windows users
in a single domain or
are usernames unique
across multiple
domains?
Are the
Windows users
in a single domain or
are usernames unique
across multiple
domains?
No
Active Directory with VNX

CIFS MMC snap-ins +
Yes
LDAP-based directory server

(Active Directory with SFU/IdMU) *
Yes
NIS * or LDAP-based directory

server (OpenLDAP or iPlanet)
No
* cifs resolver parameter must be set to 1

Local files
+ cifs useADMap parameter must be set to 1
VNX-000023
Figure 1. Flowchart of user mapping techniques
Overview
17
Concepts
User mapping in Windows-only environments

3 5-7 4 4(# &(# 6
. 4 # ,' . (
, 5-7, .
$," 4 6- .
Note: ! 4, 4 5-7
.
User mapping in multiprotocol environments

( , 4-(7/+ 6
. % ,
:
4-(7/+
6 ( "+)
3, 4-(7/+ 6 ,
.
3 ,
6 2(# 4(# &(#
, :
+# /- , # ( , 6
2 4-(7 [2%4] ( , 4-(7 [(,4])
# ,
- ( 2 (-(2)
# ( 5-7 "(%2 , , " [,,"] -)
Note: ( ( 6
4-(7/+), 4. ( ,
.
18
Concepts
Secure mapping
2 () 2(#, 4(#
&(# # , 5 # , (5#,). 2
5-7;
. -, .
3 :
2(# 4(# &(#
4(# &(# 2(#
3 # , (4,
+# /- , , -(2, #) ,

. 1 .
Note: 2 . $,"
, .
" 6 .
Creating secmap mapping entries

3 , 5-7
. 5-7
5 . 3
. ( , 5-7
. . ( , 5-7
. ! 2(#
, 5-7 . 3
5-7 . (
2(#, 5-7 2(# .
(
, 5-7 . (
, 5-7 . "
52 . 1 56
, ,
, ( ).
Secure mapping
19
Concepts
Checking and updating secmap mapping entries

3 , 5-7 . (
2(#
. %, 5-7
- . ( , 5-7
.
:
"
"
Note: ,
.
"+
" 53 4
54 .
User mapping and ntxmap

( 5-7 , 6 4-(7 ,
4-(7 6 ,
; ,
.
', 6 4-(7
. 3
6 4-(7 .
4 "(%2 4 , 5-7
User mapping database

$ 5-7 , #!, 4
. ( 5.6, #!,2 . 3

. ( , ,
.
20
Concepts
User mapping process

6 6 # , :
1. 6 6 -3 , # ,
-6 2000 , -3 + , (-3+,). ( # , 6
2 , * -3 + - ,
- (-3+,22/).
2. 3 # ,.
3. 3 # ,
2(# 4(# &(#:
Note: ( . # ,, 4-(7
+- ( , -(2, +# /- )
. " 5-7 - 2 . .
. 3 # , 2(# 4(# &(#

.
. ( , 6
2(#, # ,
4(# &(# .
. ( , -(2 , # , -(2 4(#
&(# .
. ( , +# /- (
# 2%4 (,4), # , +# /-
4(# &(# .
. ( , # ( 5-7 "(%2 ,,"
-) , # , # 2(#
4(# &(# .
. ( , # , 4 2(# 4(#
&(# .
. 3 4
4(# &(#. ( , 4
4(# &(# .
( # ,.
. 3 # ,
(4, +# /- # 2%4
(,4, , -(2, # ,," -)
, 2(# 4(# &(#
.
. 3 "(%2 ( ).
User mapping process
21
Concepts
. ( (# ,
"(%2 (
).
Usermapper
4 5-7
2(# 4(# &(# 6
. 4 :
. 4 4,
4(# &(# 6 . ! ,
# , 2 (_2).
3 # , 5-7
4 ,
. !
, # , 5-7
4 . 4
-5-7 4 24
4 5-7 .
( -5-7 , 4
5-7 , # ,
4 . $ 5-7
4 , # ,
4. + 4 , 4
4(# &(#. (
, 4 . 3
4 , , 4(# &(#,
4 .
3 4
, # ,. ( 4
, . $
# , # ,
.
" -5-7 4 32
4 5-7
.
Restrictions
! 4, :
22
# 4 5-7 ,
5-7 , -5-7 . .,
Concepts
. 5-7
4 4
. 4 4
5-7 .
( 5-7, 4 ,
. # , 5-7
.
( -5-7 , 4
4 .
! , 4 # , 2 (_2). 3
4 .
8 4 5 #
, (5#,).
Planning considerations
! 4, :
4 4(# &(# #
, 4 . ( ,
. 3
6 . "
$," " 2 1 .
( 6 4
$," 2 1 # % (21#%), 4
. " $," " 2 1 .
( 4, 4(# &(# 4 ,
4 4(# &(# .
3, 4 4(#
&(# . ', .
4(# &(# . 3 .
. , 4
.
Note: ( 4(# &(#
, $," 4
4(# &(# . (
. , $," " 2 1
.
4 2(# ' 6 2000. 3

6 -3 6 2000
. 3 2(# ', 6 2000 5-7
. 6 2000 2(#
Usermapper
23
Concepts
' 6 2000 . 6 2(# ' ,

6 -3 6 2000
6 2000 , 2 3 2(#
' 6 -3 2(# 6 2000 .
4 4(# &(# , 2(# ',
.
Using the default single-VNX Usermapper configuration

Note: 6 5.3 ,
5-7 4 . ( ,
4 5-7
.
3 4 5-7 # ,
2 (_2) 4 . $
# , 5-7 2(# 4(# &(# .
', # ,
, 4 . 3 # ,
4 . ! , # , 5-7
5-7
4 .
" 4(# &(# 2(#. % , 0
4-(7 . . 4(#
&(# 32 *!. 3 4(# &(#
.
4(# &(# .
Note: 5-7 , # ,
# ,, 4 .
# 4 42 4
. ( 4
, " 7 . " 5
4 .
Using a multi-VNX Usermapper environment

( 5-7 5-7
6 , 4 . (
, 4 5-7
4 . ( ,
# , 2 (_2) 5-7
4 . 3 # , 5-7
24
Concepts
4 ,
4
4 .
3 4 4
. 3, 4
.
Note: ( , 5-7
4 .
" -5-7 4 32 . "

5 4 .
LDAP-based directory services

( 4-(7 6
, 6 ,
+# /- , # 2%4 (,4,
.
Note: $,"
.
# 2%4 (,4
" 5-7 - 2 # ,
+# /- .
+# /- , # ,
+# /- . ! ,
.
.. ( +# /-
,
# , . 1
36
.
Note: 4 28
.
Local files
( 4-(7
6 , 6 ,
# , . " #
LDAP-based directory services
25
Concepts
, 37 6
# ,.
! , # , .
.. (
, 6 6
4(# &(# 4-(7 .
( ,
# ,
. 1
36 .
Note: 4 28
.
NIS
( 4-(7 6
, 6 , -(2
.
" 5-7 - 2 # ,
-(2 . -(2
-(2 .
Note: (6 , , , )
2"(( .
-(2, # , -(2
. ! , .
.. (
-(2 ( -(2
), # ,
. 1
36 .
Note: 4 28
.
Active Directory
! , 4-(7 6
( # 2%4 (,4), # 6
2 6 .
26
Concepts
Note: $," # 2%4 (,4 #

" "(%2 ,," -. # # . +# /-
25 # 2%4 (,4.
', # $,"
4-(7 6 , #
, #
4-(7 . ( ,
.
3 # , # 4-(7 ,
4-(7 " "(%2 ,,"
-. 8 #, . " # ,
# 40 .
( , 5-7 % " 4-(7 4 ,
" 4-(7 , . 4
28
.
UNIX user management snap-in

4-(7 4 , ,," - 5-7 ,
, , 4-(7 4(# &(# 6
.
8 - . 3
. 8
# :
8 .
3 .
8 4-(7 .
8 :
8 .
!
.
8 4-(7 .
Active Directory
27
Concepts
VNX UNIX users and groups property page extension

5-7 4-(7 4 & # 4
" . 8 , , 4-(7
4(# &(# 6 .
Note: 8 .
User account migration tools

( ( "(%2 -%2),
( 6 4-(7
),
:
5-7 4-(7
-3,
, 3
VNX UNIX Attributes Migration tool

5-7 4-(7 , 4-(7
5-7 ( ) -(2 #. 8 4-(7
(4(# &(#) #. ',
, 4-(7 4(# &(#. 3 ,
4-(7 , # 26
# .
Note: 4 # .
# .
( , 5-7 .
3 5-7 4-(7 , 3
.
NTMigrate
-3, 6 4-(7 4(# &(#
( -(2). -3, 6
4-(7 .
28
Concepts
-3, 6 4-(7 4(# &(#.

4 -3, 5-7 .
User account migration tools
29
Concepts
30
3
Configuring in Windows
Environments
$," 4 6-
. 4 6- 18
.
5-7 5-7
4 . 4 -5-7 4
24 -5-7
4 .
( 5-7 5-7
6 ,
4 5-7
4 . " -5-7 4
32 .
3 6- :
" -5-7 4 32
31
Configuring in Windows Environments
Configure a multi-VNX Usermapper environment

3 -5-7 4 :
1. 5 4 32
2. # 4 33
3. " 4 33
4. 5 4 34
4 -5-7 4 24
-5-7 4 .
Note: ( , 5-7 4 5-7
1 5-7 4 5-7 2.
Verify the status of the primary Usermapper service

. 5-7 1, 4 _2,
.
Action
To verify that the primary Usermapper service is enabled, use this command syntax:
$ server_usermapper
<movername>
where:
<movername> = name of the Data Mover
Example:
To verify that the primary Usermapper service is enabled on server_2 of VNX 1, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Primary
32
Disable the primary Usermapper service

3 4 # , 2 (_2)
4 . 8 # ,
5-7 2 4 . . 5-7 2,
4 .
- 4 5-7 2
. ", "(%2 5-7
2 # , 4 .
Action
To disable the primary Usermapper service, use this command syntax:
$ server_usermapper <movername> -disable
where:
<movername>= name of the Data Mover
Example:
To disable the primary Usermapper service on server_2 of VNX 2, type:
$ server_usermapper server_2 -disable
Output
server_2 : done
Configure the secondary Usermapper service

4 5-7 2,
_2 4 .
6 4 ,
4 .
3 , (/ # , .
Note: 3 4 .
Action
To enable a secondary Usermapper service, use this command syntax:
$ server_usermapper <movername> -enable primary=<ip addr>
where:
Configure a multi-VNX Usermapper environment
33
Action
<ip addr> = network IP address of the Data Mover on which the primary Usermapper service is running
Example:
To enable a secondary Usermapper service on server_2 of VNX 2, type:
$ server_usermapper server_2 -enable primary=192.168.21.1
Output
server_2 : done
Verify the status of the secondary Usermapper service

5 4 _2 5-7 2.
Action
To verify that the secondary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
where:
movername = name of the Data Mover
Example:
To verify that the secondary Usermapper service is enabled on server_2 of VNX 2, type:
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1(c)
34
4
Configuring in Multiprotocol
Environments
( , 4-(7/+
6 . ( 4-(7/+ 6
,
. 4
18 :
3 :
1
36
" # , 36
" # , # 40
35
Configuring in Multiprotocol Environments
Retrieve user and group names without a domain association

! , 5-7 .
.. (
, -(2, # ( , 6
2 4-(7 [2%4] ( , 4-(7 [(,4]),
# ,
.
Note: # 2%4 (,4
.
Action
To change the default format of username and group name so that they can be retrieved without a domain extension, use
this command syntax:
$ server_param <movername> -facility cifs -modify resolver -value 1
where:
Example:
To change the default format of username and group name so they can be retrieved without a domain extension, type:
$ server_param server_2 -facility cifs -modify resolver -value 1
Output
server_2 : done
Configure a Data Mover to query local files

Before you begin
6 :
(6 , , , )
2"(( .
6 =20
4-(7- .
( 4-(7 , _
,
.
Note: " 5-7 - 2

.
36
Procedure
3 6 #
,:
1. " # , 37
2.
6 38
3.
6 39
4. " # , 40
+ 25 .
Copy local files from the Data Mover

! , # ,.
" # , " 2 . (
, 2"(( $.
CAUTION: 3 . !
.
Action
To copy the passwd or group file, use this command syntax for each file:
$ server_file <movername> -get <src_file> <dst_file>
where:
<src_file> = name of the source file
<dst_file> = name of the destination file
Example:
To copy the passwd file to /home/nasadmin/passwd, type:
$ server_file server_2 -get passwd /home/nasadmin/passwd
Output
server_2 : done
37
Add the Windows domain name as a group name

4 6 4-(7
# ,.
4 4-(7 , $, 6 -
.
Action
Using a text editor, add the Windows domain name as a group name in the group file. Assign a GID for the newly created
group name. The group file entries are in the following format:
<groupname.domain>:*:<GID>:
where:
<groupname.domain> = group name and Windows domain name
* = UNIX password for the group; this field should contain an asterisk (*) because the password is not used on the VNX.
<GID> = unique numeric group ID that you assign to the group name
Example 1:
To add the Windows domain galaxy to the group file, add the following line:
galaxy:*:100
The Windows domain galaxy is the group name. The GID is 100.
Example 2:
Here is an example of a group file, including the galaxy example and the default Windows global groups:
.(numerous UNIX groups skipped)
galaxy:*:100:
domain=20admins.galaxy:*:101: domain=20users.galaxy:*:102:
domain=20guests.galaxy:*:103:
38
Add Windows usernames

4 4-(7 # ,.
Action
Add the Windows usernames from the Windows domain to the passwd file and assign each user a unique UID and the
GID specified for the Windows domain in Add the Windows domain name as a group name on page 38.
Password file entries are in the following format:
<user.domain>:*:<UID>:<GID> :<name>:<path>:<shell>
where:
<user.domain> = Windows username and domain name, which is appended to preclude accidental mapping to existing
UNIX or Windows clients of the same name

* = UNIX password for the user; if the user authentication mode on the Data Mover is set to NT or SHARE, this field
should contain an asterisk (*); if the Data Mover uses UNIX user authentication, the field should contain the encrypted
password for the user
<UID> = unique user ID that you assign
<GID> = GID assigned to the domain
<name>, <path>, and <shell> are optional informational fields and are ignored during processing
Example:
The following is an example of a password file entry of user, glenn, in the domain galaxy. This requires an entry in passwd
as:
glenn.galaxy:*:530:100:J.GLENN:/usr/home/jdir:/bin/csh
39
Copy edited local files to the Data Mover

4 ( ) #
,.
CAUTION: 3 . !
.
Action
To copy the edited local files back to the Data Mover, use this command for each file:
$ server_file <movername> -put <src_file> <dst_file>
where:
<src_file> = name of the source file
<dst_file> = name of the destination file
Examples:
$ server_file server_2 -put passwd passwd
$ server_file server_2 -put group group
Output
server_2 : done
Configure a Data Mover to query the Active Directory

# 26 .
40
Step
Action
1.
Install the UNIX user management component of the CIFS Microsoft Management Console (MMC)
snap-ins for managing VNX users from a Windows computer. These snap-ins provide a manual
mapping method that enables you to assign specific UIDs and GIDs to Windows users. The CIFS
MMC snap-ins are not required if you are using SFU/IdMU with the Active Directory.
2.
Set the cifs useADMap parameter to 1 to enable the snap-ins to interact with the Data Mover. Installing
Management Applications on VNX for File describes how to enable the CIFS management snap-ins
and tools.
5
Managing Usermapper
3 4 :
# 4 42
( 44
, 4 45
! 4 46
" 4 47
41
Managing Usermapper
Display Usermapper status

8 4 5-7 :
3 _ 4
# ,.
3 _ # , "(%2 ,
4 .
Display Usermapper service information

3 _ 4
# ,, :
6 4
3 (/ 4
Action
To display the status of the Usermapper service, use this command syntax:
$ server_usermapper <movername>
where:
Example:
To display the status of the Usermapper service on server_2, type:
Output
Note
server_2 : Usrmapper service: Enabled Usermapper has three operational states:

Service Class: Secondary Primary =
Uninitialized When Usermapper is not available on

192.168.21.1(c)
the Data Mover
Initialized When Usermapper has been created on

the Data Mover, but has been disabled for some reason
Enabled When Usermapper is running
You should have only one instance of the Usermapper service, either primary or secondary, in a single VNX server.
All the other Data Movers in that environment are clients of
the primary or secondary service.
42
Managing Usermapper
Display the Data Movers Usermapper service

3 _ # , "(%2 ,
4 .
( _ # , 4
( _2), 4 # ,
(127.0.0.1) (/ 4 .
Action
To display the Usermapper service used by a Data Mover, use this command syntax:
$ server_cifs <movername>
where:
Example:
To display the Usermapper service used by server_3, type:
$ server_cifs server_3
Output
server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[128.221.252.2] state:active (auto discovered)
Usermapper[1]=[128.221.253.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
Note
This example shows that server_3 is using the Usermapper service located on server_2 at internal IP addresses
128.221.252.2 and 128.221.253.2; the service is available, and the service was located using the autodiscovery broadcast.
Display Usermapper status
43
Managing Usermapper
Import and export database information

8 4 .
Import database information

3, 4
4 , 4
# , , 4 . "
$," " 2 1
4 # , .
4 _ .
4 : 4-(7
, 2(#
.
$ 4-(7 (% 1):
rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh
$ 2(#- (% 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder
from domain
dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
$ 4-(7 (% 1):
eople.mass.subscribers.db.dir:*:58362:people.mass.subscribers.db.dir:
$ 2(#- (% 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
Action
To import user and group information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import {-user | -group} <pathname>
where:
<pathname> = name and location of the user file to be imported
Examples:
To import user information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -user /nas/cifs/usrmapperV3/linux/usrmap.passwd
To import group information into the Usermapper database on server_2, type:

$ server_usermapper server_2 -Import -group /nas/cifs/usrmapperV3/linux/usrmap.group
44
Managing Usermapper
Output
server_2 : done
Export database information

3, 4
4 , 4 ,
.
4 _ .
4 2(# .
$ 2(#- (% 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder
from domain
dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
$ 2(#- (% 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
Action
To export user and group information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export {-user | -group} <pathname>
where:
<pathname> = name and location of the file to which information is to be exported
Examples:
To export user information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
To export group information from the Usermapper database on server_2, type:

$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
Output
server_2 : done
Maintain the Usermapper database

# 4 . 6
4 .
Import and export database information
45
Managing Usermapper
( 4 , $,"
" 2 1 .
Note: " 4 # ,,
# , 4 . (
4(# &(#, 4(# &(#
.
Back up Usermapper
Step
Action
1.
As root, dump the password and group files to a specified directory by typing:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
2.
Make a backup copy of the current usrmap.cfg file (if one is in use) by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.cfg /home/nasadmin/usrmap.cfg
3.
Make a backup copy of the usrmap.settings file by typing:

$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.settings
/home/nasadmin/usrmap.settings
46
Managing Usermapper
Change Usermapper default configuration settings

4 ,
:
( , 4(# &(#
4 .
Note: / -.
Action
To change the default Usermapper UID or GID values, use this command syntax:
$ server_param <movername> -facility usrmap -modify <param_name> -value
<new_value>
where:
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the minimum UID value, type:
$ server_param server_2 -facility usrmap -modify minuid -value 32
To change the maximum UID value, type:
$ server_param server_2 -facility usrmap -modify maxuid -value 2147483647
Output
server_2 : done
Change Usermapper default configuration settings
47
Managing Usermapper
48
6
Managing secmap
2 19 . 3
:
# 50
# 50
# 51
" 52
" 53
4 54
1 55
$ 55
( 56
1 56
49
Managing secmap
Disable secmap
2 "(%2 . (
"(%2 . ( ..
3 "(%2 .
Action
To disable secmap caching, use this command syntax:
$ server_param <movername> -facility cifs -modify secmap.enable -value 0
where:
Example:
To disable secmap caching, type:
$ server_param server_2 -facility cifs -modify secmap.enable -value 0
Output
server_2 : done
Display secmap mapping entries

Action
To display secmap mapping entries for a user, group, domain, or SID, or for all existing entries, use this command syntax:
$ server_cifssupport <movername> -secmap -list [ -name <name> -domain <do
main_name> | -domain <domain_name> | -sid <SID> | -uid <user_id> | -gid
<group_id>]
where:
<name> = name of the user or group
<domain_name> = the fully qualified domain name
<SID> = SID
<user_id> = UID
<group_id> = GID
Example:
To display all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -list
To display the secmap mapping entry on server_2 for the user user1 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -list -name user1 -domain NASDOCS
50
Managing secmap
Output
Note
server_2 : done
The output includes the SID, type (user or group), ID (UID

or GID according to type), origin, domain, and account names
(optional).
If a mapping is not found, the message, mapping not found,
is returned.
Display secmap reverse mapping entries

Action
To display secmap reverse mapping entries (SIDs) for a UID or GID, use this command syntax:
$ server_cifssupport <movername> -secmap -list -uid <user_id> | -gid <group_id>
where:
<user_id> = UID
<group_id> = GID
Example:
To display the secmap reverse mapping entry on server_2 for UID 32771, type:
$ server_cifssupport server_2 -secmap -list -uid 32771
Output
Note
server_2 : done
The output might include multiple SIDs if more than one SID
has been mapped to the specified ID. The output displays
all information associated with the SID.
Display secmap reverse mapping entries
51
Managing secmap
Create secmap mapping entries

" 19 .
Action
To create secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -create{ -name <name> -domain <do
main_name> | -sid <SID> }
where:
<SID> = SID
Example:
To create a secmap mapping entry on server_2 for the user user3 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -create -name user3 -domain NASDOCS
52
Output
Note
server_2 : done
The output displays all mappings that have changed after

they were introduced to the database.
Managing secmap
Check secmap mapping entries

" 20 .
Action
To check all the secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -verify {-name <name> -domain <do
main_name> | -sid <SID>}
where:
<domain_name> = fully qualified domain name
<SID> = SID
Example:
To check all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -verify -user user3 -domain NASDOCS
Output
Note
server_2 : done
The output displays all mappings that have changed after

they were introduced to the database.
Check secmap mapping entries
53
Managing secmap
Update secmap mapping entries

" 20 .
Action
To update all the secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -update { -name <name> -domain
<domain_name> | -sid <SID>}
where:
<SID> = SID
Example:
To update all the secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -update -user user3 -domain NASDOCS
54
Output
Note
server_2 : done
The output displays all mappings that have been updated.
Managing secmap
Remove secmap mapping entries

3 , 5-7
. ( 2(#, 5-7
2(#.
Action
To remove secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -delete { -name <name> -domain
<domain_name> | -sid <SID>}
where:
<domain_name> = fully qualified domain name
<SID> = SID
Example:
To remove a secmap mapping entry on server_2 for the user user3 in domain NASDOCS, type:
$ server_cifssupport server_2 -secmap -delete -name user3 -domain NASDOCS
Output
server_2 : done
Export secmap mapping entries

Action
To export secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap -export [ -file <filename> ]
where:
<filename> = name of the file where the mappings should be saved
Example:
To export secmap mapping entries on server_2, type:
$ server_secmap server_2 -secmap -export -file exportfile.txt
Output
Note
server_2 : done
If you do not specify a filename, the secmap database is

displayed on the screen.
Remove secmap mapping entries
55
Managing secmap
Import secmap mapping entries from a file

Action
To import secmap mapping entries, use this command syntax:
$ server_cifssupport <movername> -secmap - import -file <filename>
where:
<filename> = name of the file that contains the mappings to be imported
Example:
To import secmap mapping entries on server_2, type:
$ server_cifssupport server_2 -secmap -import -file importfile.txt
Output
Note
server_2 :
If imported mappings conflict with existing mappings, they

are rejected and an error is returned.
Report secmap status

Action
To display current secmap status, including database state, domains handled by secmap, and resource usage (number
of inodes and blocks used), use this command syntax:
$ server_cifssupport <movername> -secmap -report
where:
Example:
To display current secmap status on server_2, type:
$ server_cifssupport server_2 -secmap -report
56
Managing secmap
Output
server_2 : done
SECMAP GENERAL INFORMATIONS
Name
State
Fs
Used nodes
Used blocks
:server_2
:Enabled
: /
: 27
: 0
SECMAP MAPPED DOMAIN

Name
INTGW2K3
SID
S-1-5-15-56db7d78-9b661160-9e19279b-ffffffff
Report secmap status
57
Managing secmap
58
7
Troubleshooting

, $,"
. 3,

. % --
, .
(
, $," " 2 1.
3 :
$," $-+ ( - 60
* 60
4 61
$ 62
$," 3 / 2 63
59
Troubleshooting
EMC E-Lab Interoperability Navigator

3 $," $-+ ( - , -
$," . (
://2.$,".. $," . 2 ,
2 / , Tools, E-Lab Interoperability Navigator.
Known problems and limitations

3 3 60 4
.
Table 3. Usermapper known problems and workarounds
Known problem
Symptom
Workaround
The primary Usermapper service must When you run the server_usermapper Check the operational state of the primabe enabled before secondary services <movername> -enable primary= com- ry service and enable it by using the
can be configured.
mand, you receive the following error: server_usermapper <movername> enable command.
Error 4020: <movername>:failed to
complete command
Usermapper stops mapping new UIDs
and GIDs after the root file system of
the Data Mover (where the Usermapper
database is stored) becomes full. New
users will be denied access to system
objects.
The following errors are entered repeatedly in the server log for any additional
mapping requests after the root file
system reaches capacity:
error: -20 for user uid request
Determine the required size of the root

file system based on the number of
users in the Windows environment.
Contact your EMC Customer Support
Representative for assistance in determining size requirements.
error: -20 for group gid request
Known problems and limitations in using secmap

3 4 61
.
60
Troubleshooting
Table 4. Secmap known problems and workarounds

Known problem
Symptom
Workaround
No new mappings created
If the secmap file system is nearly full, Secmap will work in a degraded mode
the secmap database might reach a
until the file system where it resides is
point where it cannot store new map- cleaned or extended.
pings although it can continue to return
existing mappings.
Synchronization required with mapping By default, secmap is a write-once,

Use the secmap commands to check
services
read-many cache to avoid accidental database consistency and possibly fix
mapping modifications. However, when mapping inconsistencies.
mappings are purposely changed, the
new mapping is not automatically made
CAUTION: After modifying
in secmap. The new mapping has to be
mappings,you must update the
enforced manually in secmap before
ACLs to ensure that they use
resetting the ACL. Consequently,
the new mappings. Otherwise,
secmap can be out of sync if mappings
access rights issues might arise
are changed in mapping services.
due to inconsistencies between
secmap mappings and mappings stored in ACLs.
Usermapper events and notifications

3 5 62 4 . " $ - 5-7
% " - 2
.
Usermapper events and notifications
61
Troubleshooting
Table 5. USRMAP events

Facility name
Facility ID
Facility description
Event ID
USRMAP
93
Monitors Usermapper events 0
Event description
Usermapper OK
Usermapper database
created
Usermapper service
enabled
Usermapper service
stopped
Usermapper database
destroyed
Usermapper available
Usermapper unreachable
Usermapper file system quota exceeded
Error messages
, ,
.
3 , :
4 :
3 _ - <,(#>, <,(#>
.
" $ , &:
62
"+(:
1- , , $ #,
#, 2 #.
4 -
.
Troubleshooting
$," . 2:
4 ' ' (#
* $," . 2 . $,"
. 2, Support by Product ,
.
EMC Training and Professional Services

$," " $ $,"
. $," "
$ - ---
. $," $,"
. & $," . 2 ://2.$,".
.
$," / 2 5-7 . "
, (3 , ,
. % ,
(3
. " $," " 2 1
.
EMC Training and Professional Services
63
Troubleshooting
64
Glossary
A
access control list (ACL)
+ ( "$)
.
Active Directory (AD)
6 . (

+ # / (+# /).
authentication
/ , , ,
.
C
CIFS server
+ "(%2 . # ,
"(%2 . $ "(%2 .
CIFS service
"(%2 # ,
, 6- .
Control Station
' 5-7
5-7 .
D
Data Mover
( 5-7 ,
. 3
.
65
Glossary
database management system (DBMS)

2 . # , #!,2
4 .
domain
+ , 6 2
.
. 3
,
. 4 .
domain controller
2
6 . # ,
, , .
2 6 .
Domain Name System (DNS)
- 4-(7 3"//(/
. 3 #-2 , ,
(/ , .
2 .
G
group identifier (GID)
- .
I
Identity Management for UNIX (IdMU)
, 4-(7 6, 4-(7
.
K
Kerberos
, ,
. * -3+, (- ) ,
- , / .
L
LDAP-based directory
# +# /, # (,4, 2%4, .+# /,
/ ( 2 ) 2 # 2 2 .-$ # 2).
Lightweight Directory Access Protocol (LDAP)
(- 3"//(/. (
# +# /- . +# / 3
66
Glossary
/ 2 ( $ 3 % (($3%)
1%" 2251.
M
Microsoft Windows Services for UNIX (SFU)
, 4-(7 6.
N
network file system (NFS)
- (-%2)

.
Network Information Service (NIS)
# ,
, , , , , (/ ,
.
Network Time Protocol (NTP)
/ .
ntxmap
" .
P
primary Usermapper service
( 4 (# (4(#) &(# 6
5-7 .
Q
quota
+ ()
/ % 2. 0
.
S
secondary Usermapper service
( -5-7 , 4
4
# , .
security identifier (SID)
4 , 6 . $
2(#.
67
Glossary
SFU
2 , 6 2 4-(7.
U
user file
1 # ,.
User ID (UID)
- .
Usermapper
2 6 4-(7-
4(# &(#.
W
Windows domain
, 6 , 6 2
# #-2 .
Windows Internet Naming Service (WINS)
2 (/ (-!(.2 ).
3 (/
. 6(-2
6 -3 4.0 , .
Windows NT domain
, 6 , 6 -3
2 , -!(.2 . (
6 -3 , (/#") /
2 ,, (!#") -
2 ,.
2 .
68
Index
A
#
6 26
( 4 22
L
26
24
25
25
, 47
(#, 21
, 62
, 6 2 4-(7 (2%4) 2%4
(, 6 2 4-(7) 18, 36
18
, 46
-(2 25, 26
$," $-+ - 60
62
, 421, / 61
45
( , 4-(7 ((,4) 18, 36

(,4 18, 36
44
24
25
2(# 24
-, 4-(7 4 , 27
47
25, 26
4-(7 , 28
4-(7 4 , 27
69
Index
()
4-(7 4 &
28
U
4-(7 , 28
4-(7 4 & 28
4-(7 4 , - 27
(#
26
-(2 25, 26
4-(7 , 28
4-(7 4 &
28
70
(# ()
4-(7 4 , - 27
(#, - 21
4
24
45
18
44
18
46
47
25
22
25
25

Mapper File

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mapper File

Uploaded by

Copyright:

Available Formats

EMC VNX Series

Configuring VNX User Mapping

" 2009 - 2011 $," ".

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

5-7 4-(7 ........................28

Chapter 3: Configuring in Windows Environments..............................31

Chapter 4: Configuring in Multiprotocol Environments......................35

Chapter 5: Managing Usermapper.....................................................41

Chapter 6: Managing secmap............................................................49

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

Special notice conventions

Where to get help

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

# ( "(%2 , , " [,,"]

Configuring VNX User Mapping 7.0

VNX version 7.0

No specific hardware requirements.

Windows Server domains:

Kerberos or NT Lan Manager (NTLMSSP)

NT Lan Manager (NTLM)

User interface choices

Configuring VNX User Mapping 7.0

To configure the Data Mover as an NIS client, select System Network

To configure Usermapper, select Sharing CIFS and click Usermappers.

User interface choices

" , "(%2 5-7

EMC VNX documentation on the EMC Online Support website

Configuring VNX User Mapping 7.0

Configuring VNX User Mapping 7.0

+ 5-7, 4-(7/+ 4(# &(# .

Configuring VNX User Mapping 7.0

Active Directory with VNX

LDAP-based directory server

NIS * or LDAP-based directory

* cifs resolver parameter must be set to 1

+ cifs useADMap parameter must be set to 1

Figure 1. Flowchart of user mapping techniques

User mapping in Windows-only environments

User mapping in multiprotocol environments

Configuring VNX User Mapping 7.0

2(# 4(# &(#

4(# &(# 2(#

Creating secmap mapping entries

Checking and updating secmap mapping entries

User mapping and ntxmap

User mapping database

Configuring VNX User Mapping 7.0

User mapping process

. 3 # , 2(# 4(# &(#

User mapping process

Configuring VNX User Mapping 7.0

4 2(# ' 6 2000. 3

' 6 2000 . 6 2(# ' ,

Using the default single-VNX Usermapper configuration

Using a multi-VNX Usermapper environment

Configuring VNX User Mapping 7.0

" -5-7 4 32 . "