Unsolved
7 Posts
0
3412
March 12th, 2018 09:00
Configure UserMapper to use LDAP on VNX
I've been looking most of this morning for a document that gives specifics on using LDAP with the UserMapper.
We have a VNX5500 and have set up multiprotocol for the NAS side. We have Windows Active Directory for users coming from the Windows side, and we have Solaris users that authenticate (depending on the server) using Centrify which is tied to the AD domain, and NIS+. So far, the NIS+ and Centrify users can write to NFS mounted filesystems no problem. Their UID and GID info is correct. The Windows users are writing to the same mount using a CIFS share.
The problem is with the Windows users and as I understand we need to have a way to map IDs. We also have a Centrify LDAP Proxy that seems to be a possible solution for the mapping issue. However I cannot find a document that tells me where to point the mapping service to the LDAP Proxy.
If someone could point me at an EMC document or a how-to, I'd really appreciate it. I read the Configuring VNX User Mapping document that tells me that the LDAP proxy will work. It just doesn't go through the steps involved in pointing the two at each other.
Thanks
Darin -



Rainer_EMC
4 Operator
8.6K Posts
0
March 13th, 2018 03:00
Hi Darin,
LDAP config for user mapping can get a bit complicated due to the different LDAP configs.
Also LDAP is not very forgiving or easy to troubleshoot - one typo or uppercase vs. lowercase in paths and it doesn't work.
Besides the VNX user mapping manual I would suggest to also look at the other manuals like the VNX multi-protocol, VNX naming services, ....
Also the knowledgebase on support.emc.com has a number of articles for this.
Getting to know troubleshooting commands like server_cifssupport also helps
I would suggest to setup a simulator to work out the config before changing production.
Rainer
P.S.: technically it's not usermapper that does this - despite its name, usermapper itself is only responsible for the "automatic" mapping when no real mapping is available. Or said differently - not all user mapping is done by usermapper.
For true multi-protocol environments it's recommended to turn off usermapper - however that would mean that you need to have a mapping for each user connecting to the system.
darinmartin
7 Posts
0
March 13th, 2018 05:00
Hi Rainer,
The file portion of our VNX is as yet unused, so it is not in production. That is what I'm trying to accomplish right now. I've read the VNX Multi-Protocol manual. I will look at the VNX Naming Services document. I've also familiarized myself with ntxmap.conf and the usermapper tab in the CIFS Shared Folders in Unisphere, and Configuring VNX User Mapping, Configuring and Managing CIFS on VNX, Using ntxmap for CIFS User Mapping, and a few others besides.
I've been reading for days now. I've watched EMC videos on YouTube as well. Everything that I've read has said that this is possible. I've gone so far as to install the Centrify LDAP Proxy and it can search and get results back from our Active Directory domain.
The VNX documentation says that "If the multiprotocol environment consists primarily of UNIX users and has only one Windows domain, or usernames that are unique across multiple Windows domains, you can use LDAP-based directory services". Well, that's our environment. In addition, we have taken steps over the years to make sure that IDs and groups in both Unix and Windows are identical. We currently have many Samba filesystems shared from Solaris and mounted in Windows that handle the multiprotocol environment just fine. I would like to make this happen on the VNX. And again according to the documentation, it can be done. I'd just like to find the document that shows how it's done. I've read the ntxmap document and it shows how that works just fine. However, ntxmap requires regular manual intervention. I'm trying to find a solution that will be more maintenance-free. Also, the problem with using Active Directory is that they have deprecated RFC2307 IDMU in Windows Server 2012 and have removed it entirely in Windows Server 2016.
Anyhow, I'll look at Configuring VNX Naming Services and check back here if I have more questions.
Rainer_EMC
4 Operator
8.6K Posts
0
March 13th, 2018 07:00
Yes, it's absolutely possible - it just can be a bit of work to set up.
I think I heard about customers using Centrify.
And the more user mapping methods you use, the trickier it gets to troubleshoot.
Don't forget that secmap never updates - so if you test different configs, delete secmap.
Which method works for you really depends on where you manage your accounts and where the info is available.
For example, using just LDAP from a Windows domain controller: AD does provide fields for user mapping, but they aren't filled in by default when you create a new account.
ntxmap / NIS on the other side can be a good solution if your Windows and Unix user names are literally the same - as they often are with companies from a Unix background.
By default we will always try whether the same literal user name exists - i.e. if you log in as Windows user domain\joe then we check whether the configured naming sources have a Unix user named joe.
darinmartin
7 Posts
0
March 13th, 2018 11:00
As it stands right now, *some* mapping is happening, just not the right data.
Here's a list from a directory I have set up for testing:
-rw-r--r-- 1 root root 0 Mar 13 14:17 anewfile.txt
-rw-r--r-- 1 dwm devel 0 Mar 13 14:17 newfile2.txt
-rw-r--r-- 1 32791 32770 0 Mar 13 14:18 newfile3.txt
All 3 files were created by me. One while I'm root. The next while I was on as myself from the Solaris NFS mount and the last was created by me from the CIFS share in Windows. The UID/GID shown there is my AD account UID/GID but it's not the right one. Centrify assigns another separate UID/GID combo to each ID.
If I do an ldapquery from the Centrify LDAP Proxy, it gives me that separate UID/GID combo.
I'm going to continue reading this VNX naming services document and see if I can make this work, but I think I'm on the right path.
Rainer_EMC
4 Operator
8.6K Posts
0
March 14th, 2018 06:00
You really need to look at the mapping using server_cifssupport,
otherwise secmap could fool you.
It should also tell you where a mapping is coming from.
For the beginning I really suggest starting with *one* mapping method and disabling the others.
Only if that works, add others that you may need.
That includes disabling usermapper.
darinmartin
7 Posts
0
March 19th, 2018 05:00
OK.. I have studied the documentation, including documentation about server_cifssupport. I can see what the secmap has. Using server_ldap, I have assigned the control station to the Centrify LDAP Proxy:
[nasadmin@vnx5500-cs0 ~]$ server_ldap server_2 -service -status
server_2 :
LDAP domain "xxx.xxx" is active - Configured with RFC-2307 defaults
I also see this:
[nasadmin@vnx5500-cs0 ~]$ server_ldap server_2 -info
server_2 :
LDAP domain: xxx.xxx
State: Configured - Connected
Schema: OpenLDAP
Base dn: dc=xxx,dc=xxx
Bind dn:
Configuration: RFC-2307 defaults
LDAP server: 10.0.x.x - Port: 389 - Active
I have also pushed an nsswitch.conf out to the datamover using this:
server_file server_2 -put /nas/site/nsswitch.conf.server_2 nsswitch.conf
This is the nsswitch.conf I pushed out:
passwd: files nis ldap
group: files nis ldap
hosts: files nis dns ldap
netgroup: files nis ldap
I have removed usermapper maps and disabled the usermapper service:
server_usermapper server_2 -remove -all
server_usermapper server_2 -disable
So, I still can't get proper mappings from CIFS users.
When I do this: 'server_cifssupport server_2 -secmap -list ' I still get a secmap that shows nothing but AD info with 5 digit UID/GID.
What am I missing?
EDIT - Also, when querying the secmap using server_cifssupport the secmap table shows the origin as usermapper. I believe this is the problem. I would imagine that it should say LDAP. But I cannot figure out why.
darinmartin
7 Posts
0
March 19th, 2018 06:00
server_checkup server_2 -test CIFS gives this error:
Error 13158449198: server_2 : The Data Mover issued a LDAP search request on LDAP server 10.0.7.159 that resulted in the following error: No such object.
--> Check the server_ldap configuration command usage and LDAP server connectivity and binding requirements.
So, something still isn't right. Can't figure out what or why
EDIT - ./ldapsearch -h localhost -p 389 -x -b "dc=xxx,dc=xxx" command dumps out all info from LDAP proxy as it should. Firewalling is disabled on the LDAP Proxy system.
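Added example, not part of the thread: the two posts above compare an ldapsearch dump against what server_cifssupport and ls show by eye. The script below does that comparison offline. It embeds a constructed LDIF that imitates the output of `ldapsearch -h localhost -p 389 -x -b "dc=xxx,dc=xxx"` from the LDAP proxy (dc=xxx is the placeholder from the post; the uidNumber/gidNumber values and the group name are made up), then checks (a) whether the numeric owner stamped on newfile3.txt (32791:32770) is what LDAP holds for the Unix account, and (b) whether the container DNs a default RFC 2307 layout usually has are actually present, since a missing search base is one ordinary cause of an LDAP "No such object" result. The list of container DNs is an assumption; the Data Mover's exact expectations come from the naming services manual and `server_ldap -info`, not from this script.

```shell
#!/bin/sh
# Added example, not from the thread. Offline sanity check of an RFC 2307
# LDAP dump against what the Data Mover stamped on a file.
# The LDIF below is CONSTRUCTED to look like the output of
#   ldapsearch -h localhost -p 389 -x -b "dc=xxx,dc=xxx"
# from the LDAP proxy. dc=xxx is the placeholder used in the thread; the
# uidNumber/gidNumber values and the group name are made up.
LDIF='dn: dc=xxx,dc=xxx
objectClass: domain

dn: ou=People,dc=xxx,dc=xxx
objectClass: organizationalUnit
ou: People

dn: uid=dwm,ou=People,dc=xxx,dc=xxx
objectClass: posixAccount
uid: dwm
cn: dwm
uidNumber: 1001
gidNumber: 100

dn: cn=devel,ou=Group,dc=xxx,dc=xxx
objectClass: posixGroup
cn: devel
gidNumber: 100
'

# Print attribute $2 of the posixAccount whose uid is $1 (empty if absent).
# Entries are blank-line separated records, so attribute order does not
# matter; attribute names are compared case-insensitively, as LDAP does.
ldif_attr() {
    printf '%s\n' "$LDIF" | awk -v want="$1" -v attr="$2" '
        BEGIN { RS = ""; FS = "\n"; attr = tolower(attr) }
        {
            hit = 0; val = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "uid" && kv[2] == want) hit = 1
                if (tolower(kv[1]) == attr) val = kv[2]
            }
            if (hit) { print val; exit }
        }'
}

# Print every expected container DN that has no entry in the dump.
# Return status = number of missing containers (0 means all present).
# DN comparison here is case-insensitive; the server may still be picky
# about the case it was configured with, so match what server_ldap shows.
missing_containers() {
    missing=0
    for dn in "$@"; do
        if ! printf '%s\n' "$LDIF" | grep -qix "dn: $dn"; then
            echo "$dn"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Compare the numeric owner that "ls -ln" shows ($2:$3) with the
# uidNumber:gidNumber LDAP holds for Unix user $1.
# Returns 0 on match, 1 on mismatch, 2 if LDAP has no usable entry.
owner_matches_ldap() {
    ldap_uid=$(ldif_attr "$1" uidNumber)
    ldap_gid=$(ldif_attr "$1" gidNumber)
    if [ -z "$ldap_uid" ] || [ -z "$ldap_gid" ]; then
        echo "$1: no posixAccount with uidNumber/gidNumber; LDAP cannot be the mapping source"
        return 2
    fi
    if [ "$ldap_uid" = "$2" ] && [ "$ldap_gid" = "$3" ]; then
        echo "$1: file owner $2:$3 matches LDAP $ldap_uid:$ldap_gid"
        return 0
    fi
    echo "$1: file owner $2:$3 but LDAP has $ldap_uid:$ldap_gid; the ID came from another source (usermapper or a stale secmap entry)"
    return 1
}

# Usage with the figures from the thread: newfile3.txt was stamped 32791:32770.
owner_matches_ldap dwm 32791 32770 || :

# Containers a default RFC 2307 layout usually has (ASSUMED list; check the
# naming services manual for what your Data Mover actually searches).
if ! missing_containers ou=People,dc=xxx,dc=xxx ou=Group,dc=xxx,dc=xxx \
                        ou=Hosts,dc=xxx,dc=xxx ou=Netgroup,dc=xxx,dc=xxx; then
    echo "-> a search rooted at a missing container above returns LDAP 'No such object'"
fi
```

Replace the `LDIF` literal with the real `ldapsearch` output to run it against the proxy; the only thing the script needs from the VNX side is the numeric owner from `ls -ln` (or the UID/GID shown by `server_cifssupport -secmap -list`) for the account under test.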
Rainer_EMC
4 Operator
8.6K Posts
0
March 19th, 2018 08:00
Most likely cause is that your LDAP config isn't 100% correct.
I remember that the containers need to be created even if they aren't used.
Disable usermapper via param.
Then at least you should feel immediately if a user cannot be mapped - it will be denied tree connect when trying to access the share. If you can still connect with an account that can't be mapped then you are tricked by something cached like secmap.
Remember that secmap is a persistent cache where an individual entry never gets updated,
so if there is a change you need to delete the entries or the complete secmap.
Otherwise look at the knowledgebase - I think there are some articles there about LDAP troubleshooting.
It isn't fun though.
Also search for ldap and ldapsearch here on the forum.
Sorry - but this is really beyond free help in the spare time on a forum;
you may want to consider engaging professional services.
darinmartin
7 Posts
0
March 19th, 2018 09:00
-- I remember that the containers need to be created even if they aren't used
Where is this documented?
-- Remember that secmap is a persistent cache where an individual entry never gets updated so if there is a change you need to delete the entries or the complete secmap
Tried that already.
-- Sorry - but this is really beyond free help in the spare time on a forum; you may want to consider engaging professional services
I've opened an SR. I have 20+ years Unix experience. I understand the technologies involved. There should be no reason, barring proper documentation, that I would not be able to do this on my own. EMC is making it hard for me to recommend EMC for our next storage device that we purchase next year.
Rainer_EMC
4 Operator
8.6K Posts
0
March 19th, 2018 10:00
Sorry - I am at the end of what I can do remotely via forum.
I am pretty sure that there is a reason and that it can be made to work.
But IMHO it requires more than copy&paste info on a forum.
darinmartin
7 Posts
0
April 3rd, 2018 07:00
For anyone else that has this issue, this is a barely documented function that must be enabled for Multiprotocol to work:
server_param server_2 -f usrmap -m autobroadcast -v 1
You can find more info in this post:
https://community.emc.com/thread/188181?start=15&tstart=0