September 23rd, 2013 07:00

celerra usermapper ( SID to UID / GID ) mapping

Hello,


I had a query on the Celerra usermapper ( mapping of SID to UID/GID )

I populate the passwd file on the DM ( using "server_file DM -put | -get passwd" )

Below is the entry of my user id in the passwd file on the DM ( server_2 )

[nasadmin@wdc-ns120-1278-cs ~]$ cat passwd | grep -i karimy

karimy::3609:708: Yousuff Karim:/home/KarimY:/bin/ksh

- From Unix Host my id details ( using NIS )

[ KarimY@marl-prod-vm-emcadm-1 ]id

uid=3609(KarimY) gid=708(develop) groups=708(develop)

- On Windows Host my SID details

P:\>wmic useraccount where name='Karimy' get sid

SID

S-1-5-21-85159100-1803971623-2102726425-79378

When I do a secmap listing I see a different SID, not what is seen on my Windows host, hence I'm not sure why we have two different SIDs.

Why doesn't Celerra use the SID of Windows AD, and instead generates / creates a new SID and maps it to the user id?

How are the permissions being maintained by Celerra ( i.e. distinguishing between two SIDs )?

- Secmap listing

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_03 -secmap -list | grep -i karimy

3609 etc         Mon Sep 12 04:34:32 2011 wmc\KarimY S-1-5-15-5136cbc-6b866c27-7d550f19-13612

Also I notice that Celerra seems to be keeping a range of SIDs with only the last field varying.

E.g. in our env below is the sequence:

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_03 -secmap -list | grep -i karimy

3609 etc         Mon Sep 12 04:34:32 2011 wmc\KarimY S-1-5-15-5136cbc-6b866c27-7d550f19-13612

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i changl

38702 usermapper  Sat Apr 17 20:27:47 2010 wmc\ChangL S-1-5-15-5136cbc-6b866c27-7d550f19-dd12

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i chacece

33341 usermapper  Sat Apr 17 09:07:22 2010 wmc\ChaceCE S-1-5-15-5136cbc-6b866c27-7d550f19-1457

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i partaa

37290 usermapper  Thu Apr 29 14:11:50 2010 wmc\PartaA S-1-5-15-5136cbc-6b866c27-7d550f19-ad8e

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i WagneCS

5239 etc         Wed Aug 14 09:45:07 2013 wmc\WagneCS S-1-5-15-5136cbc-6b866c27-7d550f19-19ee8

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i VenkaK

37379 usermapper  Sat Apr 24 08:26:15 2010 wmc\VenkaK S-1-5-15-5136cbc-6b866c27-7d550f19-ae10

Can you please help me understand this? Any pointers or links which can help me understand this would be welcome. I have gone through the usermapper doc but didn't find these details.

Thanks,

Yousuff K.

4 Operator

 • 

8.6K Posts

September 23rd, 2013 08:00

Hi,

First of all – usermapper isn't really responsible for the usermapping.

Usermapper is just a process that assigns UIDs in case there is not a specific mapping.

If you want to do specific mapping – like through passwd, NIS, AD then you should turn off usermapper.

4 Operator

 • 

8.6K Posts

September 23rd, 2013 14:00

For the questions of the SIDs (except for its local users/groups) – the Celerra doesn't generate or assign SIDs.

The domain controller does - check your SIDs from a Windows tool – they should be the same.

1 Rookie

 • 

17 Posts

September 25th, 2013 01:00

Thanks Rainer for the kind update.

What I understood is

1/ If we have entries populated in local passwd / group file or NIS then we don't need usermapper

  

When a Windows user tries to access a CIFS share, the DM will look at the local passwd file and get the UID / GID details.

Won't it do the mapping of the UID / GID found in local passwd / group ( or NIS ) to a SID & put an entry in the secmap cache?

something like

656     etc     Mon Feb 25 16:52:26 2013 WMC\KARIMY          S-1-5-15-5136cbc-6b866c27-7d550f19-170b

I see the SID assigned is different from what I see from the Windows AD for the user KARIMY. Hence I'm a bit confused

why Celerra doesn't keep a unique SID for the user but is instead creating a new SID.

2/ What does the origin field ( usermapper, nis, etc ) indicate in the o/p of secmap list?

[nasadmin@TOK-VNX-CS-01 ~]$ server_cifssupport tok_vnx_prod_vdm_01  -secmap -list | more

tok_vnx_prod_vdm_01 : done

SECMAP USER MAPPING TABLE

UID         Origin      Date of creation         Name                            SID

32799       usermapper  Fri Oct  5 22:31:35 2012 WMC\IshimS               S-1-5-15-5136cbc-6b866c27-7d550f19-17502

32959       nis  Tue Jan  8 02:55:51 2013     WMC\WilsoEL              S-1-5-15-5136cbc-6b866c27-7d550f19-c702

656         etc         Mon Feb 25 16:52:26 2013 WMC\YasudM               S-1-5-15-5136cbc-6b866c27-7d550f19-170b

Thanks,

Yousuff K.

4 Operator

 • 

8.6K Posts

September 25th, 2013 02:00

The origin field means which service did the mapping

In your case it clearly looks like you also have usermapper running.

Using both usermapper and other mapping sources can get pretty confusing - that’s why we don’t recommend it.

Usermapper is really only recommended for configurations that do not have multi-protocol access to the same files.

Any error or omission that you have in the other mapping sources gets “masked” by usermapper

It really goes back to what you want and need in terms of multi-protocol and what you are able and willing to support.

1 Rookie

 • 

17 Posts

September 26th, 2013 09:00

Thanks Rainer for the kind update. It's a lot clearer now after your input.

I just had a query on the SID.

Why are the user SIDs in the secmap cache different from those seen on the AD? Why doesn't the Celerra use the same SID provided by AD in the secmap for the user?

I observe the DM creating SIDs with a fixed pattern with only the last field varying as shown.

SID as provided by Windows Administrator

user : karimy

SID : S-1-5-21-85159100-1803971623-2102726425-79378

SID as seen in the SECMAP CACHE

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_03 -secmap -list | grep -i karimy

3609        etc         Mon Sep 12 04:34:32 2011 WELLINGTON\KarimY               S-1-5-15-5136cbc-6b866c27-7d550f19-13612

# SID pattern as seen in the secmap cache only last field varying ( dd12 / 1457 / ad8e / ae10 ).

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i changl

38702       usermapper  Sat Apr 17 20:27:47 2010 WELLINGTON\ChangL               S-1-5-15-5136cbc-6b866c27-7d550f19-dd12

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i chacece

33341       usermapper  Sat Apr 17 09:07:22 2010 WELLINGTON\ChaceCE              S-1-5-15-5136cbc-6b866c27-7d550f19-1457

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i partaa

37290       usermapper  Thu Apr 29 14:11:50 2010 WELLINGTON\PartaA               S-1-5-15-5136cbc-6b866c27-7d550f19-ad8e

[nasadmin@wdc-ns120-1278-cs ~]$ server_cifssupport  wdc02_prod_vdm_01 -secmap -list | grep -i VenkaK

37379       usermapper  Sat Apr 24 08:26:15 2010 WELLINGTON\VenkaK               S-1-5-15-5136cbc-6b866c27-7d550f19-ae10

thanks,

Yousuff K.

275 Posts

September 26th, 2013 09:00

In the secmap the SIDs are coded in hexadecimal, not in base 10 as in AD

Claude
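
The answer above can be checked directly against the values posted in this thread. The following is an added example, not part of the original posts and not EMC code: it assumes every dash-separated field of a secmap SID is hexadecimal and that rows follow the column layout shown in the outputs above; the function names are hypothetical.

```python
import re

# One row of "server_cifssupport <vdm> -secmap -list" as shown in this thread:
# UID, origin, creation date, DOMAIN\name, SID (layout assumed from the posts).
ROW = re.compile(
    r"^(?P<uid>\d+)\s+(?P<origin>\S+)\s+"
    r"(?P<date>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<name>\S+)\s+(?P<sid>S-[0-9A-Fa-f-]+)\s*$"
)

def secmap_sid_to_decimal(sid):
    """Rewrite a secmap SID (fields in hex) in the decimal form AD tools print."""
    prefix, *fields = sid.split("-")
    if prefix.upper() != "S" or len(fields) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    return "S-" + "-".join(str(int(f, 16)) for f in fields)

def parse_secmap(text):
    """Return one dict per user row; header and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["sid_decimal"] = secmap_sid_to_decimal(row["sid"])
            rows.append(row)
    return rows

def check_against_ad(rows, ad_sids):
    """Map account -> True/False (SID matches AD) or None (no AD SID supplied)."""
    result = {}
    for row in rows:
        account = row["name"].split("\\")[-1].lower()
        expected = ad_sids.get(account)
        result[account] = None if expected is None else expected == row["sid_decimal"]
    return result

# Sample rows copied from the outputs posted in this thread.
SAMPLE = r"""
SECMAP USER MAPPING TABLE
UID         Origin      Date of creation         Name                            SID
3609 etc         Mon Sep 12 04:34:32 2011 wmc\KarimY S-1-5-15-5136cbc-6b866c27-7d550f19-13612
32959       nis  Tue Jan  8 02:55:51 2013     WMC\WilsoEL              S-1-5-15-5136cbc-6b866c27-7d550f19-c702
"""
# SID reported by wmic on the Windows host in the first post.
AD_SIDS = {"karimy": "S-1-5-21-85159100-1803971623-2102726425-79378"}

if __name__ == "__main__":
    print(check_against_ad(parse_secmap(SAMPLE), AD_SIDS))
```

A `False` result for an account is worth investigating, since it means the cached secmap entry points at a different security principal than the one AD currently reports for that name.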

1 Rookie

 • 

17 Posts

September 30th, 2013 03:00

Thanks a lot Claude for the clarification, I couldn't find this info in any of the docs. Your input really helped me save a lot of time.

Also I had a query on the notes given in the manual. I'm not able to interpret / understand what they mean or are trying to say.

Can you please simplify this for easier understanding? I'm a bit confused.

# Configuring Celerra User Mapping Manual ( Page 16 )

Note: If a user in a multiprotocol environment uses only a single login (either through Windows or UNIX/Linux), then you can use Usermapper. If a user has only one account, mapping to an equivalent identity in the other environment is not necessary.

thanks,

Yousuff K.

275 Posts

September 30th, 2013 04:00

The way I read the note is as follows:

In a mixed NFS/CIFS environment EMC does not recommend using usermapper. But if you have only “some” users that need mixed access then you might want to keep usermapper active (as long as you make sure that the mapping for a new mixed user exists before that user accesses the CIFS shares)

Last sentence in the note “If a user has only one account, mapping to an equivalent identity in the other environment is not necessary” says that if a user is purely CIFS then creating a mapping for that user is not necessary

Claude

1 Rookie

 • 

17 Posts

September 30th, 2013 05:00

Thanks a lot Claude for the clarification. It's a lot easier to interpret now after your explanation.

My sincere thanks to you and also to Rainer for his inputs to this thread.

Cheers,

Yousuff K.
