beautypg.com

Configuring hp-smb username mapping – HP StoreAll Storage User Manual

Page 108

background image

Allows lists users and members of CIFS groups to be mapped to a single Linux user

Supports Samba status username map files and features

Support Samba dynamic map scripts

Supports remapping of users

Supports mapping of CIFS users configured in Local, LDAP, and AD name services

Ability to map name using a static map file and/or a customer provided dynamic map script
(the order is configurable)

Ability to assign SIDs using a template base and formulating the RID using the UID

The ability to enable username mapping is only available using the CLI. The command to use is
ibrix_usernamemapping

. See the HP StoreAll OS CLI Reference Guide for details about using

the commands.

When using the HP-SMB username mapping feature, be aware of the following:

When username mapping has been enabled and an SMB/CIFS user is connected through a
SMB/CIFS client session, the user is reassigned a session based on a POSIX name. The POSIX
name is not limited by the quota of the SMB/CIFS user since the user no longer has this
SMB/CIFS identity. Therefore, if you attempt to set a quota on a user that has username
mapping enabled, it may fail with the message “Unknown user name”. This is expected
behavior. The username mapping solution is provided for cross-protocol support so users are
managed the same access and controls as they would have if they established a connection
using NFS or ssh.

When using username mapping, the Linux owner and group permissions are still honored
when opening or saving files from other protocols. Access is granted through both primary
group and supplemental group access. Linux services that use the local name service (such
as FTP and NFS) use POSIX ACLs, while HP-SMB uses HP-SMB XATTR ACLs. Therefore, ACLs
are not yet compatible.

Non-CIFS services such as HTTP and FTP have not been enhanced to support the mapping of
SMB/CIFS users to POSIX names. The HP-SMB username mapping feature is intended to be
a cross-protocol solution for SMB/CIFS user access only. When HTTP requires AD CIFS name
resolutions, the AD names required to be resolved through HTTP must not be mapped to POSIX
names using the current solution.

Controlling access of the POSIX user names for those mapped users on SMB/CIFS shares is
not supported. Once the user is mapped to a POSIX user name, the user’s SMB/CIFS identity
no longer exists. Therefore, if the SMB/CIFS user did not have full control access to the share,
that user may now have full control access with the POSIX user name.

Configuring HP-SMB username mapping

To configure HP-SMB username mapping, complete the following steps:

NOTE:

The username mapping solution maps Windows users from any of the providers to a

POSIX name found in the Linux name services. This solution performs a complete identity change,
including the username, the primary group, and all supplemental groups. The identity of the original
Windows user that requested access to a share will be lost.

1.

Set the Domain SID, based on the current Active Directory Domain SID. The new SID must be
different than the Active Directory Domain SID, and its value can range from 1-99.

2.

Configure the username map script (dynamic username mapping) or the username map file
(static username mapping). The path and names of the dynamic script and static map file are
configurable, but a file must exist at the path when the path is configured, and the script
and/or the map must be in place before enabling the solution.

108 Using SMB