Multi-Protocol Concept || Netapp

Security Styles:


What is a Security Style?

The security style determines which type of permissions ONTAP uses to control access to data, and which client type is allowed to modify those permissions.


  • Security styles can be set at the volume and qtree level
  • Qtrees inherit the security style of the containing volume by default
  • Infinite Volumes can have only the Unified security style; you cannot change it

There are four types of security style:


UNIX
Choose this style if:
  • The file system is managed by a UNIX administrator.
  • The majority of users are NFS clients.
  • An application accessing the data uses a UNIX user as the service account.
NTFS
Choose this style if:
  • The file system is managed by a Windows administrator.
  • The majority of users are SMB clients.
  • An application accessing the data uses a Windows user as the service account.
MIXED

Choose this style if the file system is managed by both UNIX and Windows administrators and the users consist of both NFS and SMB clients.



  • If the security style is UNIX, UNIX permissions (mode bits) are always used
  • If the security style is NTFS, NTFS permissions (ACLs) are always used
  • If the security style is Unified or MIXED, the permissions set by whichever client type last modified them are used





Procedure to allow a Windows user to access a volume that has the UNIX security style:

Create SVM -> Multi
Select protocols -> CIFS and NFS
Configure CIFS with the IP address 172.23.3.25
CIFS server name -> Multi
AD -> FlackboxA.lab
Skip the NFS configuration
Check from the Windows server that the computer account Multi appears under Users and Computers

On the SVM root volume, set the security style to mixed
Create an export policy on the root volume with a rule for 0.0.0.0/0
Create volume -> unix_vol -> security style = UNIX
Create a share for unix_vol



Go to the UNIX host
Log in as nbadmin
Create the mount point and mount the volume:
sudo mkdir /mnt/unix_vol
sudo mount 172.23.3.25:/unix_vol /mnt/unix_vol
sudo useradd -m -s /bin/bash johns
sudo passwd johns
Enter the new UNIX password, then retype it

grep johns /etc/passwd ---------------- shows the user's passwd entry, including the UID and GID





Go back to the NetApp GUI
Cluster -> multi SVM -> Configuration -> UNIX
Groups tab -> add group -> name: Johns, group ID: 1001
Users tab -> add user -> name: Johns -> user ID: 1001 -> select group name: Johns
Optionally fill in the full name, e.g. john rambo




Go back to the Linux terminal -> right click -> Duplicate (opens a second session)
Log in as: johns
cd /mnt/unix_vol
vi file1.txt --------------------- create a file named file1.txt
Type the text: windows to unix test
:wq! ----------- write and quit

ls -l -------- list the files with their permissions
-rw-rw-r--   (user: rw, group: rw, everyone: r)
chmod 0700 file1.txt -------------- give the owner read, write and execute, and remove all access for group and everyone
ls -l
-rwx------



Go to the CLI of NetApp Cluster 2
set advanced (answer y to the confirmation)
vserver cifs options show -vserver multi -fields is-admin-user-mapped-to-root-enabled

By default the Windows domain administrator is automatically mapped to the Linux root account;
we need to change that:

> vserver cifs options modify -vserver multi -is-admin-user-mapped-to-root-enabled false


Go to the Windows DC and create the user account johns
Set a password
Add the user to the Domain Admins group


Log in as johns and map the network drive to that account:
\\172.23.3.25\unix_vol
Check whether you can write to file1.txt
You should be able to modify it, because you are logged in as the user name johns


Default rule: Windows and UNIX user names are automatically mapped to each other when the names are the same.

Create another user with a different name, johnsmith, to cross-check
Log in as johnsmith and try to map \\172.23.3.25\unix_vol
You can map the drive, but you cannot access the data
This would have worked before, but we disabled the admin-to-root mapping from the cluster CLI with -is-admin-user-mapped-to-root-enabled false



So now we want to make this work:
we want to allow johnsmith to access that file.

Go to the NetApp cluster -> multi SVM -> Configuration -> Users and Groups -> Name Mapping
Add ->
Direction: Windows to UNIX
Position: 1
Pattern: FLACKBOXA\\johnsmith
Replacement: Johns


Log out and log in again,
then check the mapping once more.
It should work now.


UNIX user accessing a volume with the NTFS security style:
Create a volume with the NTFS security style: win_vol
Create a share for it
Check whether you can access it from the johns account on Windows: yes
Create file2.txt
Check from Linux by mounting the volume
cd /mnt/win_vol
cat file2.txt ----------------------- read file2.txt
You cannot read the content of the file

Need to perform the mapping.


Go to the NetApp cluster -> multi SVM -> Configuration -> Users and Groups -> Name Mapping
Add ->
Direction: UNIX to Windows
Position: 1
Pattern: Johns
Replacement: FLACKBOXA\\johnsmith
Now try cat file2.txt again
It will work
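To tie the pieces of this walkthrough together (the rule that picks which permission set a security style evaluates, the chmod 0700 test on unix_vol, the admin-to-root option, and the two name-mapping rules for johnsmith), here is an added Python model of how ONTAP resolves a multiprotocol access request. It is not ONTAP code and not part of the original post: the order in which explicit rules, the admin-to-root option and the default same-name rule are tried, the Domain Admins membership of johnsmith, and the ACL on file2.txt are constructed assumptions and are marked as such in the comments; the user names, the UID/GID 1001 and the two mapping rules are the ones used above.

```python
import re
from dataclasses import dataclass, field

# Added example: a simplified model of ONTAP multiprotocol access decisions.
# Not ONTAP code; rule ordering and the admin-to-root handling are assumptions.

@dataclass
class MappingRule:
    position: int       # rules are tried in position order; the first match wins
    pattern: str        # regular expression matched against the whole source name
    replacement: str

@dataclass
class Svm:
    unix_users: dict                      # UNIX name -> (uid, gid), as entered under Configuration -> UNIX
    win_to_unix: list = field(default_factory=list)
    unix_to_win: list = field(default_factory=list)
    admin_mapped_to_root: bool = True     # -is-admin-user-mapped-to-root-enabled (ONTAP default: true)
    domain_admins: set = field(default_factory=set)
    domain: str = "FLACKBOXA"

def _apply_rules(rules, name):
    """First rule whose pattern matches the whole name wins, lowest position first."""
    for rule in sorted(rules, key=lambda r: r.position):
        if re.fullmatch(rule.pattern, name, flags=re.IGNORECASE):
            return rule.replacement
    return None

def map_windows_to_unix(svm, win_name):
    """Windows -> UNIX; assumed order: explicit rules, admin-to-root, default same-name."""
    user = win_name.rpartition("\\")[2]
    mapped = _apply_rules(svm.win_to_unix, win_name)
    if mapped is None and svm.admin_mapped_to_root and win_name in svm.domain_admins:
        mapped = "root"                   # assumption: only applies when no explicit rule matched
    if mapped is None:
        mapped = user                     # default rule: same user name on both sides
    # A name the SVM does not know as a UNIX user yields no identity, so access is refused.
    return mapped if mapped in svm.unix_users else None

def map_unix_to_windows(svm, unix_name):
    """UNIX -> Windows: explicit rules, then the default DOMAIN\\samename rule."""
    mapped = _apply_rules(svm.unix_to_win, unix_name)
    return mapped if mapped is not None else f"{svm.domain}\\{unix_name}"

def effective_permissions(security_style, last_modified_by):
    """Which permission set is evaluated, following the three rules stated in the post."""
    if security_style == "unix":
        return "mode bits"
    if security_style == "ntfs":
        return "ntfs acl"
    if security_style in ("mixed", "unified"):
        return "ntfs acl" if last_modified_by == "smb" else "mode bits"
    raise ValueError(f"unknown security style {security_style!r}")

def unix_mode_allows(mode, owner_uid, owner_gid, uid, gid, want):
    """Classic mode-bit check; want is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:                          # root bypasses r/w; x still needs some x bit set
        return want != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        cls = (mode >> 6) & 7             # owner triplet
    elif gid == owner_gid:
        cls = (mode >> 3) & 7             # group triplet
    else:
        cls = mode & 7                    # everyone triplet
    return bool(cls & bit)

def smb_client_can(svm, win_name, file_mode, owner, want):
    """Windows user against a file on a UNIX security-style volume (unix_vol)."""
    unix_name = map_windows_to_unix(svm, win_name)
    if unix_name is None:
        return False
    uid, gid = svm.unix_users[unix_name]
    owner_uid, owner_gid = svm.unix_users[owner]
    return unix_mode_allows(file_mode, owner_uid, owner_gid, uid, gid, want)

def nfs_client_can(svm, unix_name, acl, want):
    """UNIX user against a file on an NTFS volume; acl is a constructed {windows name: rights} stand-in."""
    return want in acl.get(map_unix_to_windows(svm, unix_name).lower(), set())

def demo():
    """Replays the post's scenario and returns the access decision at each step."""
    svm = Svm(unix_users={"root": (0, 0), "johns": (1001, 1001)},
              domain_admins={"FLACKBOXA\\johnsmith"})        # constructed: johnsmith is a domain admin
    r = {}
    # file1.txt on unix_vol after chmod 0700, owned by johns
    r["johns_writes"] = smb_client_can(svm, "FLACKBOXA\\johns", 0o700, "johns", "w")
    r["johnsmith_as_admin"] = smb_client_can(svm, "FLACKBOXA\\johnsmith", 0o700, "johns", "w")
    svm.admin_mapped_to_root = False                           # the cifs options modify step
    r["johnsmith_after_disable"] = smb_client_can(svm, "FLACKBOXA\\johnsmith", 0o700, "johns", "w")
    svm.win_to_unix.append(MappingRule(1, r"FLACKBOXA\\johnsmith", "johns"))
    r["johnsmith_with_rule"] = smb_client_can(svm, "FLACKBOXA\\johnsmith", 0o700, "johns", "w")
    # file2.txt on win_vol: constructed ACL that grants read to FLACKBOXA\johnsmith only
    acl = {"flackboxa\\johnsmith": {"r"}}
    r["nfs_read_before_rule"] = nfs_client_can(svm, "johns", acl, "r")
    svm.unix_to_win.append(MappingRule(1, "johns", "FLACKBOXA\\johnsmith"))
    r["nfs_read_with_rule"] = nfs_client_can(svm, "johns", acl, "r")
    return r
```

Running demo() reproduces the decisions seen in the walkthrough: johns writes to his own 0700 file; johnsmith is allowed while the admin-to-root option is on, refused once it is off, and allowed again only after the Windows-to-UNIX rule; on win_vol the NFS read fails until the UNIX-to-Windows rule points johns at the Windows identity named in the ACL. The model also makes the defensive point of the is-admin-user-mapped-to-root-enabled option visible: with it on, any Domain Admin reaches a UNIX volume as root, so the mode bits set with chmod no longer constrain them.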





