Post on 20-Sep-2019
transcript
Oliver Krause v20140318
Cluster-Mode
Understanding Multiprotocol Usermapping for ONTAP NAS
For NetApp internal and authorized partners use only
© 2009 NetApp. All rights reserved. 2 2
Agenda
- Using Name Services
- What is User Mapping about?
- Some Definitions
What is User Mapping about?
What is User Mapping about?
Hi, I am Fred the User. I use a Windows™ PC to access my files on IT’s fileserver.
Hi, I am Bob from IT. I manage Fred’s access rights to our IT infrastructure like the fileserver data.
Hi, I am IT’s fileserver. I store the Documents of Fred and protect them from unauthorized access by enforcing the permissions Bob set onto them.
[Diagram: Fred uses CIFS to access the fileserver]
What is User Mapping about?
Hi, I am the security auditor here. I require that access to Fred’s files is protected equally, no matter how the files are accessed.
[Diagram: Fred uses CIFS and NFS to access the fileserver]
I already manage permission rights to Fred’s documents for Windows. Why should I manage the permissions again for UNIX?
Sometimes I need to use a UNIX system and want to access my documents on the fileserver.
What is User Mapping about?
Don’t worry folks, I am here to help!
Fred, you can use Windows or UNIX on your files.
Bob, simply tell me Fred's usernames for Windows and UNIX. I do the rest.
Everything is fine, leave Bob and Fred alone.
What is User Mapping about?
ONTAP enforces access permissions by checking the access rights stored with each file against the identity of the accessing user.
ONTAP uses User Mapping to match the Windows identity of a user with his UNIX identity.
Some Definitions
What is a Windows User?
- Windows identifies users by a Security Identifier (SID).
- CIFS sends the SID to identify the user of a request.
- The SID is stored in Active Directory.
A SID has the following format (from Wikipedia): S-1-5-12-7623811015-3361044348-030300820-1013
  S – the string is a SID
  1 – the revision level
  5 – the identifier authority value
  12-7623811015-3361044348-030300820 – domain or local computer identifier
  1013 – a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
What is a UNIX User?
- A UNIX user is identified by a user ID (UID) and one or more group IDs (GIDs).
- NFS v2/v3 sends UID/GIDs to identify the user; v4/v4.1 send the username as a Unicode string.
- Historically stored in /etc/passwd (field layout username:pw:uid:gid:GECOS:homedir:shell):
    root::0:1::/:
    pcuser::65534:65534::/:
    nobody::65535:65535::/:
    okrause:x:500:100:Oliver Krause, SE:/home/okrause:/bin/bash
- ONTAP only uses the fields highlighted in red on the original slide.
- Additional groups are stored in /etc/group.
Scratch: NFSv4/4.1 owner & owner_group
- v4/v4.1 sends user and group names as Unicode strings.
- RFC3530bis allows sending UID/GIDs as numeric decimal Unicode strings if RPCSEC_GSS is not used.
- ONTAP setting: set diag; vserver nfs modify -vserver <vsm> -v4-numeric-ids true (defaults to true)
- Client:
  - Linux: nfs.nfs4_disable_idmapping; the default is to send numeric IDs if no GSS is used. Check with: cat /sys/module/nfs/parameters/nfs4_disable_idmapping
Qtree Security Styles
ONTAP uses Security Styles to define which kind of permissions are enforced for a file:
- UNIX – standard UNIX permission bits and NFSv4 ACLs are used
- NTFS – standard NTFS ACLs are used
- Mixed – either UNIX permissions or NTFS ACLs are set, at file granularity
Security Styles can be set on Volumes or Qtrees.
How User Mapping Works
How Does ONTAP User Mapping Work?
- Every file or directory has only one active Permission Set (PermSet).
- The active PermSet type is controlled by the qtree security style.
- Every PermSet contains either an NTFS Access Control List (ACL) or UNIX permissions (owner + mode bits + optional NFSv4 ACL).
- Depending on the access protocol (NFS or CIFS) we have to distinguish 4 different cases:
  1. NFS client accessing a file with a UNIX PermSet
  2. NFS client accessing a file with an NTFS PermSet
  3. CIFS client accessing a file with a UNIX PermSet
  4. CIFS client accessing a file with an NTFS PermSet
CIFS Client Accessing UNIX PS
Flow (reconstructed from the slide's flowchart):
1. The CIFS call carries the user's SID, e.g. S-1-5-12-7623811015-…
2. Lookup username in Active Directory: WIN-Username, e.g. EXAMPLE\jdoe
3. Name-mapping of username: UNIX-Username, e.g. johnd
4. Lookup user in name service (local, NIS, LDAP)
   - found UID/GID: access data with UNIX security style
   - not found: use the default username (default "pcuser", User = vserver cifs options -default-unix-user) and look it up in the name service
     - found UID/GID: access data with UNIX security style
     - not found: access denied
NFS Client Accessing NTFS PS
Flow (reconstructed from the slide's flowchart):
1. The NFS call carries UID + GIDs, e.g. UID=501, GID=20
2. Lookup user in name service (local, NIS, LDAP)
   - found: UNIX-Username, e.g. johnd
   - not found: permission denied (BURT 751845; workaround: create local users/groups)
3. Name-mapping of username: WIN-Username, e.g. EXAMPLE\johnd
4. Lookup username at Active Directory
   - found SID: access data with NTFS security style
   - not found: use the default username (default "", User = vserver nfs -default-win-user) and look it up at Active Directory
     - found SID: access data with NTFS security style
     - not found: access denied
NFS Client Accessing NTFS PS
- The NTFS ACL is too complex to be visually mapped onto the simple mode-bit scheme.
- ONTAP sends 777 if asked for permissions.
- But in reality the NTFS ACL is enforced by ONTAP.
- So the permissions seen on UNIX are misleading.
- chmod and chown will fail.
Scratch: NFS Client Accessing NTFS PS
- set diag; vserver nfs modify -vserver ok-nas -ntfs-unix-security-ops <fail|ignore|use_export_policy>
  - "fail": permission denied on chown/chmod
  - "ignore": ignores chmod/chown but returns success
  - "use_export_policy": decided per export rule: export-policy rule modify -vserver <vsm> -policyname <policyname> -ruleindex <x> -ntfs-unix-security-ops
Common Question – POSIX ACLs
Some customers used UNIX systems with draft-POSIX ACLs to build fileservers. Their clients use NFSv3 but need better ACLs. There are two ways to move them to ONTAP:
1. Use a UNIX qtree, NFSv4 ACLs, and a v4 client to manage the ACLs.
2. Use an NTFS qtree and a Windows client to manage the NTFS ACLs.
No matter which ACL model you use, ONTAP enforces the ACL independent of the access protocol (NFSv2/3/4 or CIFS).
Name-mapping of Username
- Use vserver name-mapping to map UNIX<>Windows users.
- If you specify no rule, ONTAP automatically maps Windows usernames to the same UNIX username.
- Vserver name-mapping can be done independently for UNIX2WIN and WIN2UNIX, using regular expressions.
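As an added example, not code from the original deck, the following Python sketch models the "CIFS client accessing UNIX PS" flow together with win-unix name-mapping rules: an ordered rule list where the first regular expression matching the whole name wins, the implicit same-name mapping when no rule matches, and the fallback to the default UNIX user. The directory contents, the rules, the dropped domain prefix and Python's `\1` replacement syntax are assumptions for illustration, not ONTAP's own implementation.

```python
import re

# Constructed directories for illustration (not real data). The first SID is the
# example from the slide; AD maps SID -> Windows name, the UNIX name service
# (local, NIS or LDAP) maps username -> (uid, gid).
AD_USERS = {
    "S-1-5-12-7623811015-3361044348-030300820-1013": "EXAMPLE\\jdoe",
    "S-1-5-12-7623811015-3361044348-030300820-1042": "EXAMPLE\\asmith",
}
UNIX_USERS = {"johnd": (501, 20), "pcuser": (65534, 65534)}

# Assumed win-unix name-mapping rules, evaluated in position order; the first
# pattern that matches the whole name wins. The replacement uses Python's \1
# back-reference syntax, an assumption of this sketch.
WIN_UNIX_RULES = [
    (1, r"EXAMPLE\\jdoe", "johnd"),
    (2, r"EXAMPLE\\(.+)", r"\1"),
]
DEFAULT_UNIX_USER = "pcuser"  # vserver cifs options -default-unix-user


def map_name(name, rules):
    """Apply the ordered rules; with no match ONTAP maps to the same username
    (dropping the DOMAIN\\ prefix here is an assumption of this sketch)."""
    for _pos, pattern, repl in sorted(rules):
        if re.fullmatch(pattern, name):
            return re.sub(pattern, repl, name)
    return name.split("\\")[-1]


def cifs_access_unix_permset(sid, ad=AD_USERS, unix=UNIX_USERS, rules=WIN_UNIX_RULES):
    """Walk the flowchart for a CIFS client touching a UNIX PermSet.
    Returns ("ok", unix_name, uid, gid) or ("denied", reason)."""
    win_name = ad.get(sid)
    if win_name is None:  # branch not shown on the slide; assumed outcome
        return ("denied", "SID not found in Active Directory")
    unix_name = map_name(win_name, rules)
    creds = unix.get(unix_name)
    if creds is None:  # not in the name service: fall back to the default user
        unix_name = DEFAULT_UNIX_USER
        creds = unix.get(unix_name)
    if creds is None:  # the default user is missing as well
        return ("denied", "neither mapped user nor default user %s exists" % DEFAULT_UNIX_USER)
    return ("ok", unix_name) + creds
```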
What About Groups?
- ONTAP doesn't support group mapping.
- While companies today normally have unified user identities for Windows and UNIX, the groups are normally NOT unified.
- If groups are not unified, the same user would have different access on different platforms => security gap.
- If groups are unified, user mapping already takes care of everything.
Debugging name mapping
- SECD does all the lookups, mapping and caching. Use diag secd in set diag mode.
- Check AD name resolution: diag secd authentication translate -node <node> -vserver <vserver> -win-name <username>
- Check UNIX name resolution: diag secd authentication translate -node <node> -vserver <vserver> -unix-user-name <username>
- Check Windows to UNIX mapping: diag secd name-mapping show -node <node> -vserver <vserver> -direction win-unix <username>
- Check UNIX to Windows mapping: diag secd name-mapping show -node <node> -vserver <vserver> -direction unix-win <username>
Debugging name mapping
- Watch the event log for secd error messages. It shows problems with user mapping: event log show -source secd
Example:
    2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity.
    Acquire UNIX Credentials procedure failed!!
    [ 1 ms] Using a cached connection to dc2.example!
    [ 2] ID 65534 not found in UNIX authorization source LDAP!
    [ 2] Could not get credentials for ID 65534 using any NS-SWITCH authorization source!
    **[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!
- This vserver has no local user pcuser with ID 65534. pcuser is the default user for Windows users who cannot be mapped to a UNIX user.
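As an added example, not part of the original slides, this Python snippet scans secd event lines of the shape shown above for noUnixCreds failures, counts the unresolved UIDs per vserver, and flags the vservers where the failing UID is the default user's, which is the missing-pcuser case described above. The log lines are constructed to match the example format and the 65534 UID is the one from the slide.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the event log above (not a real log).
SAMPLE_LOG = """\
2/5/2012 17:23:25 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity. [ 2] ID 65534 not found in UNIX authorization source LDAP! **[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!
2/5/2012 17:23:31 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (xxx-nas) Cannot determine UNIX identity. **[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 65534!
2/5/2012 17:24:02 steve-01 DEBUG secd.nfsAuth.noUnixCreds: vserver (dev-nas) Cannot determine UNIX identity. **[ 2] FAILURE: Unable to retrieve credentials for UNIX user with UID 4711!
2/5/2012 17:25:10 steve-01 INFO secd.cifsAuth.ok: vserver (xxx-nas) unrelated message
"""

DEFAULT_UNIX_UID = 65534  # UID of pcuser, the default user for unmapped Windows users

# Matches the vserver name and the UID from the trailing FAILURE line of a noUnixCreds event.
NOUNIXCREDS = re.compile(
    r"secd\.nfsAuth\.noUnixCreds: vserver \((?P<vserver>[^)]+)\).*?with UID (?P<uid>\d+)!"
)


def unresolved_uids(log_text):
    """Return {vserver: {uid: count}} for every noUnixCreds failure in the log."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = NOUNIXCREDS.search(line)
        if m:
            findings[m["vserver"]][int(m["uid"])] += 1
    return {vs: dict(uids) for vs, uids in findings.items()}


def missing_default_user(findings, default_uid=DEFAULT_UNIX_UID):
    """Vservers whose failing UID is the default user's UID: the local unix-user
    entry is missing there (verify with vserver services unix-user show)."""
    return sorted(vs for vs, uids in findings.items() if default_uid in uids)
```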
Best Practices
- Never use security style "mixed" => permission nightmare. The last permission change wins! Hard to maintain and debug.
- Set default users with the lowest possible privileges (UNIX: pcuser, Windows: guest).
- Set the qtree style to match the NAS protocol primarily used to access the data.
- The users and groups "pcuser", "nobody", "root" and "daemon" are created since 8.2. Check them with vserver services unix-user/unix-group!
Top Links
- TR-3580: NFSv4 Enhancements and Best Practices Guide: Data ONTAP Implementation
- TR-4073: Secure Unified Authentication with NetApp Storage Systems
Thank You ! Q & A