If the user names are the same on the Windows side and the Unix side,
regardless of what Domain those users are a part of, you shouldn't have
any issues with the drive mappings. As defined in the "System
Administration - File Access Management Guide for Data ONTAP 6.5" pg.93,
these are the steps taken when a CIFS session is requested:
- It searches the /etc/usermap.cfg to see whether an entry matches the
user's Windows domain name and user name.
- If an entry is found, Data ONTAP uses the UNIX name specified in the
entry to look up the UID and GID from the UNIX password database. If
the UNIX name is a null string, Data ONTAP denies access to the CIFS
user.
- If an entry is not found, Data ONTAP converts the Windows name to
lowercase and considers the UNIX name to be the same as the Windows
name. Data ONTAP uses this UNIX name to look up the UID and GID from
the UNIX password database.
If that doesn't work, you also might want to look into setting up the
usermap.cfg file in such a way that will work in your environment.
Regards,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tim Kazsuk
Unix System Administrator
The Home Depot Supply
Direct: 858-831-2225
Fax: 858-831-2221
NOC: 858-831-2210
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: owner-toasters(a)mathworks.com [mailto:owner-toasters@mathworks.com]
On Behalf Of Steve Losen
Sent: Tuesday, February 01, 2005 5:50 AM
To: toasters(a)mathworks.com
Subject: Switching from NIS auth to Windows Domain
We have been using filers to store users' home directories since 1997.
We started out with NFS on Unix and added CIFS access later. We have
about 30,000 user accounts.
We have always used NIS authentication for CIFS so that folks have the
same password on Unix and CIFS. But we have been unhappy with the
passwords going over the network in clear text. We have finally gotten
funding for enough Windows client licenses to give all our users
accounts in a Windows domain, so we want to switch our filers to Windows
domain auth.
This is going to cause us a serious user education problem. Currently
it does not matter what domain a CIFS user specifies because the domain
name is ignored when mapping to a NIS user. For example, BOGUS\fred
maps to "fred" and MYDOM\jane maps to "jane", etc. Right now when "fred"
does a "map network drive" he just enters "fred" for his username.
His PC supplies the windows domain, whatever that may be. Some folks
log in to local departmental domains. Some do local Windows logins, etc.
Right now that doesn't matter because the filers ignore the domain name
when mapping to a NIS username.
But that will suddenly change when we switch to Windows domain auth.
Fred will suddenly be required to enter "ESERVICES\fred" instead of just
"fred".
Does the filer have any option where it "knows" that no matter what
domain name the user supplies, in his heart of hearts he really means
"ESERVICES" ?
That would save us an awful lot of calls at our help desk when we cut
over.
By the way, we don't know in advance what domain name a user may supply.
Many of them appear to be whatever name the user gave his PC.
Steve Losen scl(a)virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
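
The lookup order quoted from the Data ONTAP guide in the reply at the top of this thread, sketched as an added example (not part of either message and not NetApp code). It models only the name-mapping step, not authentication; the dictionary standing in for /etc/usermap.cfg, the case-insensitive matching, the sample accounts and the None result for a name missing from the password database are assumptions.

```python
# Added illustration of the three quoted lookup steps; not NetApp code.
# USERMAP is a simplified stand-in for /etc/usermap.cfg (the real file
# syntax is not modelled). All accounts below are constructed samples.

# (windows_domain, windows_user) -> UNIX name; "" is the null string.
USERMAP = {
    ("ESERVICES", "jsmith"): "jane",
    ("ESERVICES", "administrator"): "",
}

# Stand-in for the UNIX password database: name -> (uid, gid)
PASSWD = {
    "fred": (1001, 100),
    "jane": (1002, 100),
}


def map_cifs_user(domain, user, usermap=USERMAP, passwd=PASSWD):
    """Return (unix_name, uid, gid), or None when no UNIX identity results."""
    # Assumption: entries are matched case-insensitively.
    key = (domain.upper(), user.lower())
    if key in usermap:
        unix_name = usermap[key]
        if unix_name == "":
            return None  # null-string entry: access is denied
    else:
        # No entry: lowercase the Windows name; the domain plays no part.
        unix_name = user.lower()
    ids = passwd.get(unix_name)
    if ids is None:
        return None  # assumption: the quoted steps do not cover this case
    return (unix_name, ids[0], ids[1])


def identities_per_unix_account(requests):
    """Group Windows identities by the UNIX account they resolve to."""
    grouped = {}
    for domain, user in requests:
        result = map_cifs_user(domain, user)
        if result is not None:
            grouped.setdefault(result[0], []).append(f"{domain}\\{user}")
    return grouped
```

Grouping a list of observed DOMAIN\user pairs this way shows which UNIX accounts are reachable under more than one domain through the implicit lowercase fallback, which is where an explicit mapping entry is worth adding.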