Page 1: CDOT User Mapping 20140319(1)

Oliver Krause v20140318

Cluster-Mode

Understanding Multiprotocol Usermapping for ONTAP NAS

For NetApp internal and authorized partners use only

Page 2

© 2009 NetApp. All rights reserved.

Agenda

- Using Name Services
- What is User Mapping about?
- Some Definitions

Page 3

What is User Mapping about?

Page 4

What is User Mapping about?

Hi, I am Fred the User. I use a Windows™ PC to access my files on IT’s fileserver.

Hi, I am Bob from IT. I manage Fred’s access rights to our IT infrastructure like the fileserver data.

Hi, I am IT’s fileserver. I store the Documents of Fred and protect them from unauthorized access by enforcing the permissions Bob set onto them.

[Figure: Fred uses CIFS to reach the fileserver]

Page 5

What is User Mapping about?

Hi, I am the security auditor here. I require that access to Fred’s files is protected equally, no matter how the files are accessed.

Fred: Sometimes I need to use a UNIX system and want to access my documents on the fileserver.

Bob: I already manage permission rights to Fred’s documents for Windows. Why should I manage the permissions again for UNIX?

[Figure: Fred now uses both CIFS and NFS to reach the fileserver]

Page 6

What is User Mapping about?

Fileserver: Don’t worry folks, I am here to help!

Fred, you can use Windows or UNIX on your files.

Bob, simply tell me Fred’s usernames for Windows and UNIX. I do the rest.

Everything is fine, leave Bob and Fred alone.

Page 7

What is User Mapping about?

ONTAP enforces access permissions by checking the access rights stored with each file against the identity of the accessing user.

ONTAP uses User Mapping to match the Windows identity of a user with his UNIX identity.

Page 8

Some Definitions

Page 9

What is a Windows User?

- Windows identifies users by a Security Identifier (SID).
- CIFS sends the SID to identify the user of a request.
- SIDs are stored in Active Directory.

A SID has the following format (from Wikipedia): S-1-5-12-7623811015-3361044348-030300820-1013

- S: The string is a SID.
- 1: The revision level.
- 5: The identifier authority value.
- 12-7623811015-3361044348-030300820: domain or local computer identifier.
- 1013: a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
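A small parser for the SID layout described above, added here as an example and not taken from the deck. The Sid class, its method names and the use of the well-known BUILTIN\Administrators SID S-1-5-32-544 as a second sample are my own choices.

```python
import re
from dataclasses import dataclass

# The SID from the slide, reused here as sample input.
SAMPLE_SID = "S-1-5-12-7623811015-3361044348-030300820-1013"


@dataclass(frozen=True)
class Sid:
    revision: int               # the "1" after "S-"
    identifier_authority: int   # e.g. 5 for the NT authority
    domain_identifier: str      # sub-authorities naming the domain or local computer
                                # (kept as text so a leading zero such as 030300820 survives)
    rid: int                    # Relative ID: the last sub-authority

    def is_default_account(self) -> bool:
        """Built-in users/groups have RIDs below 1000; accounts created later get 1000 or more."""
        return self.rid < 1000

    def same_domain_as(self, other: "Sid") -> bool:
        """Two SIDs come from the same domain when everything except the RID is equal."""
        return (self.revision, self.identifier_authority, self.domain_identifier) == (
            other.revision, other.identifier_authority, other.domain_identifier)


# "S-<revision>-<authority>" followed by at least two sub-authorities (domain part + RID).
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+){2,})$")


def parse_sid(text: str) -> Sid:
    """Split a textual SID into its parts; anything that is not a SID raises ValueError."""
    m = _SID_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a SID: {text!r}")
    sub_authorities = m.group(3).lstrip("-").split("-")
    return Sid(revision=int(m.group(1)),
               identifier_authority=int(m.group(2)),
               domain_identifier="-".join(sub_authorities[:-1]),
               rid=int(sub_authorities[-1]))
```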

Page 10

What is a UNIX User?

- A UNIX user is identified by a user ID (UID) and one or more group IDs (GIDs).
- NFS v2/v3 sends UID/GIDs to identify the user; v4/v4.1 send the username as a Unicode string.
- Historically stored in /etc/passwd (field layout username:pw:uid:gid:GECOS:homedir:shell):
  root::0:1::/:
  pcuser::65534:65534::/:
  nobody::65535:65535::/:
  okrause:x:500:100:Oliver Krause, SE:/home/okrause:/bin/bash
- ONTAP only uses the fields highlighted in RED on the slide.
- Additional groups are stored in /etc/group.

Page 11

Scratch: NFSv4/4.1 owner & owner_group

- v4/v4.1 sends user and group names as Unicode strings.
- RFC3530bis allows sending UID/GIDs as numeric decimal Unicode strings if RPCSEC_GSS is not used.
- ONTAP setting: set diag; vserver nfs modify -vserver <vsm> -v4-numeric-ids true (defaults to true)
- Client:
  - Linux: nfs.nfs4_disable_idmapping; the default is to send numeric IDs if no GSS is used. Check with: cat /sys/module/nfs/parameters/nfs4_disable_idmapping

Page 12

Qtree Security Styles

ONTAP uses Security Styles to define which kind of permissions are enforced for a file:

- UNIX: Standard UNIX permission bits and NFSv4 ACLs are used
- NTFS: Standard NTFS ACLs are used
- Mixed: Either UNIX permissions or NTFS ACLs are set, at file granularity

Security Styles can be set on Volumes or Qtrees.

Page 13

How User Mapping Works

Page 14

How Does ONTAP User Mapping Work?

- Every File or Directory has only one active Permission Set (PermSet).
- The active PermSet type is controlled by the Qtree Security Style.
- Every PermSet contains either an NTFS Access Control List (ACL) or UNIX permissions (Owner + mode bits + optional NFSv4 ACL).
- Depending on the access protocol (NFS or CIFS) we have to distinguish 4 different cases:
  1. NFS client accessing a file with a UNIX PermSet
  2. NFS client accessing a file with an NTFS PermSet
  3. CIFS client accessing a file with a UNIX PermSet
  4. CIFS client accessing a file with an NTFS PermSet

Page 15

CIFS Client Accessing UNIX PS

Flow shown on the slide (data with UNIX-Security-Style):

1. CIFS-Call arrives carrying the user's SID, e.g. S-1-5-12-7623811015-…
2. Lookup Username in Active Directory -> WIN-Username, e.g. EXAMPLE\jdoe
3. Name-mapping of Username -> UNIX-Username, e.g. johnd
4. Lookup User in Name Service (local, NIS, LDAP)
   - Found UID / GID -> access the data with UNIX-Security-Style using that UID / GID
   - Not found -> User = vserver cifs options -default-unix-user (Default Username, default “pcuser”)
5. Lookup the default User in Name Service
   - Found UID / GID -> access the data with UNIX-Security-Style using that UID / GID
   - Not found -> Access denied

Page 16

NFS Client Accessing NTFS PS

Flow shown on the slide (data with NTFS-Security-Style):

1. NFS-Call arrives carrying UID+GIDs, e.g. UID=501, GID=20
2. Lookup User in Name Service (local, NIS, LDAP)
   - Found -> UNIX-Username, e.g. johnd
   - Not found -> Permission denied (BURT 751845; Workaround: create local users/groups)
3. Name-mapping of Username -> WIN-Username, e.g. EXAMPLE\johnd
4. Lookup Username at Active Directory
   - Found SID -> access the data with NTFS-Security-Style using that SID
   - Not found -> User = vserver nfs -default-win-user (Default Username, default “”)
5. Lookup the default Username at AD
   - Found SID -> access the data with NTFS-Security-Style using that SID
   - Not found -> Access denied

Page 17

NFS Client Accessing NTFS PS

- An NTFS ACL is too complex to be visually mapped onto the simple mode-bit scheme.
- ONTAP sends 777 if asked for permissions.
- But in reality the NTFS ACL is enforced in ONTAP.
- So the permissions seen on UNIX are misleading.
- chmod and chown will fail.

Page 18

Scratch: NFS Client Accessing NTFS PS

- set diag; vserver nfs modify -vserver ok-nas -ntfs-unix-security-ops with one of:
  - “fail”: permission denied on chown/chmod
  - “ignore”: ignores chmod/chown but returns success
  - “use_export_policy”: the behaviour is taken from the export-policy rule: export-policy rule modify -vserver <vsm> -policyname <policyname> -ruleindex <x> -ntfs-unix-security-ops

Page 19

Common Question – POSIX ACLs

Some customers used UNIX systems with Draft-POSIX ACLs to build fileservers. Their clients use NFSv3 but need better ACLs than mode bits. There are two ways to move them to ONTAP:

1. Use a UNIX Qtree. Use NFSv4 ACLs and a v4 client to manage the ACLs.

2. Use an NTFS Qtree. Use a Windows client to manage the NTFS ACLs.

No matter which ACL model you use, ONTAP enforces the ACL independent of the access protocol (NFSv2/3/4 or CIFS).

Page 20

Name-mapping of Username

- Use vserver name-mapping to map UNIX<>Windows users.
- If you specify no rule, ONTAP automatically maps Windows usernames to the same UNIX username.
- Vserver name-mapping can be done independently for UNIX2WIN and WIN2UNIX, using regular expressions.
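The two mapping flows (CIFS client on a UNIX PermSet, NFS client on an NTFS PermSet) together with the name-mapping rules above, as one runnable Python model. This is an added example, not ONTAP code: Active Directory and the UNIX name service are replaced by constructed dictionaries, and the rules, the alice/bob accounts and their SIDs are assumptions; only EXAMPLE\jdoe -> johnd, UID 501/GID 20 and pcuser 65534 come from the slides.

```python
import re

# Constructed stand-ins for Active Directory and the UNIX name service (local/NIS/LDAP).
SID_JDOE, SID_ALICE, SID_BOB = ("S-1-5-12-7623811015-3361044348-030300820-%d" % r for r in (1013, 1014, 1015))
AD_BY_SID = {SID_JDOE: "EXAMPLE\\jdoe", SID_ALICE: "EXAMPLE\\alice", SID_BOB: "EXAMPLE\\bob"}
AD_BY_NAME = {name: sid for sid, name in AD_BY_SID.items()}
UNIX_USERS = {"johnd": (501, 20), "alice": (502, 20), "pcuser": (65534, 65534)}  # name -> (UID, GID)

# vserver name-mapping rules as (regex, replacement); tried in order, the first full match wins.
WIN_UNIX_RULES = [(r"EXAMPLE\\jdoe", "johnd"),      # explicit rule where the two names differ
                  (r"EXAMPLE\\(.+)", r"\1")]        # generic rule: drop the domain prefix
UNIX_WIN_RULES = [(r"johnd", r"EXAMPLE\\jdoe"),
                  (r"(.+)", r"EXAMPLE\\\1")]
DEFAULT_UNIX_USER = "pcuser"   # vserver cifs options -default-unix-user
DEFAULT_WIN_USER = ""          # vserver nfs -default-win-user; "" means there is no fallback


def apply_name_mapping(name, rules):
    """Return the mapped name; without a matching rule ONTAP keeps the same username."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name)
        if m:
            return m.expand(replacement)
    return name


def cifs_to_unix_creds(sid, unix_users=UNIX_USERS, default_user=DEFAULT_UNIX_USER):
    """Case 3 (CIFS client, UNIX PermSet): SID -> Windows name -> UNIX name -> (UID, GID) or None."""
    win_name = AD_BY_SID.get(sid)
    if win_name is None:
        return None                                   # SID unknown to AD: access denied
    creds = unix_users.get(apply_name_mapping(win_name, WIN_UNIX_RULES))
    if creds is None and default_user:
        creds = unix_users.get(default_user)          # fall back to the default UNIX user
    return creds                                      # still None: default user missing -> denied


def nfs_to_win_sid(uid, unix_users=UNIX_USERS, default_user=DEFAULT_WIN_USER):
    """Case 2 (NFS client, NTFS PermSet): UID -> UNIX name -> Windows name -> SID or None."""
    unix_name = next((n for n, (u, _) in unix_users.items() if u == uid), None)
    if unix_name is None:
        return None                                   # no UNIX identity at all: permission denied
    sid = AD_BY_NAME.get(apply_name_mapping(unix_name, UNIX_WIN_RULES))
    if sid is None and default_user:
        sid = AD_BY_NAME.get(default_user)            # fall back to the default Windows user
    return sid
```

Passing a name service without pcuser to cifs_to_unix_creds reproduces the "access denied" branch that the secd log on a later slide shows.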

Page 21

What About Groups?

- ONTAP doesn’t support Group Mapping.
- While companies today normally have unified User Identities for Windows and UNIX, the Groups are normally NOT unified.
- If Groups are not unified, the same User would have different access on different platforms => Security Gap.
- If Groups are unified, User Mapping already takes care of everything.

Page 22

Debugging name mapping

- SECD does all the lookups, mapping and caching. Use diag secd in set diag mode.
- Check AD name resolution: diag secd authentication translate -node <node> -vserver <vserver> -win-name <username>
- Check UNIX name resolution: diag secd authentication translate -node <node> -vserver <vserver> -unix-user-name <username>
- Check Windows to UNIX mapping: diag secd name-mapping show -node <node> -vserver <vserver> -direction win-unix <username>
- Check UNIX to Windows mapping: diag secd name-mapping show -node <node> -vserver <vserver> -direction unix-win <username>

Page 23

Debugging name mapping

- Watch the event log for secd error messages; it shows problems with user mapping: event log show -source secd

Example:
2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!!
[ 1 ms] Using a cached connection to dc2.example!
[ 2] ID 65534 not found in UNIX authorization source LDAP!
[ 2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source!
[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!

- This vserver has no local user pcuser with ID 65534. pcuser is the default user for Windows users who cannot be mapped to a UNIX user.
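Detection logic for the secd event above, added here as an example (not a NetApp tool): it parses lines in the shape of the event shown, pulls out vserver and UID, and tells the "default user pcuser is missing" case apart from an ordinary unmapped UID. The second sample line with UID 4242 is constructed; the line layout is assumed to match the slide's example.

```python
import re

PCUSER_UID = 65534   # default UID of pcuser, the fallback for Windows users that cannot be mapped

# Constructed sample in the shape of 'event log show -source secd' output: the slide's event,
# followed by a made-up second occurrence for a different UID.
SAMPLE_EVENTS = """\
2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!! [ 1 ms] Using a cached connection to dc2.example! [ 2] ID 65534 not found in UNIX authorization source LDAP! [ 2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source! [ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!
2/5/2012 17:25:10 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity. Acquire UNIX Credentials procedure failed!! [ 3] FAILURE: Unable to retrieve credentials for UNIX user with UID 4242!
"""

# "<date> <time> <node> <severity> secd.<event>: vserver (<name>) <message>"
_EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<node>\S+) (?P<sev>\S+) (?P<event>secd\.[^:\s]+): "
                       r"vserver \((?P<vserver>[^)]+)\) (?P<msg>.*)$")
_UID_RE = re.compile(r"UID (\d+)")


def parse_secd_events(text):
    """Return one dict per secd event line: ts, node, sev, event, vserver, msg and the UID (or None)."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line)
        if m is None:
            continue                      # not a secd event line
        rec = m.groupdict()
        uid = _UID_RE.search(rec["msg"])
        rec["uid"] = int(uid.group(1)) if uid else None
        events.append(rec)
    return events


def diagnose(rec):
    """Point a noUnixCreds event at the check the slides suggest."""
    if rec["event"] != "secd.nfsAuth.noUnixCreds":
        return "other secd event"
    if rec["uid"] == PCUSER_UID:
        return (f"vserver {rec['vserver']}: default UNIX user pcuser (UID {PCUSER_UID}) is missing; "
                "check with vserver services unix-user show")
    return f"vserver {rec['vserver']}: UID {rec['uid']} has no UNIX identity in any ns-switch source"
```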

Page 24

Best Practices

- Never use Security Style “mixed” => permission nightmare: the last permission change wins, and it is hard to maintain and debug.
- Set default users with the lowest possible privileges (UNIX: pcuser, Windows: guest).
- Set the Qtree style to match the NAS protocol primarily used to access the data.
- The users and groups “pcuser”, “nobody”, “root”, “daemon” are created automatically since 8.2. Check them with vserver services unix-user/unix-group!

Page 25

Top Links

- TR-3580: NFSv4 Enhancements and Best Practices Guide: Data ONTAP Implementation
- TR-4073: Secure Unified Authentication with NetApp Storage Systems

Page 26

Thank You! Q & A