Configuring Celerra User Mapping

P/N 300-002-715
Rev A01

Version 5.5
March 2006

Contents
Introduction
  Terminology
User mapping concepts
  Configuring user mapping in Windows-only environments
  Configuring user mapping in multiprotocol environments
How user mapping works
System requirements
  EMC NAS Interoperability Matrix
User interface choices
  Using Celerra Manager to configure user mapping
User mapping roadmap
Using Internal Usermapper
  Restrictions
  Planning considerations
  Using the default single-Celerra Usermapper configuration
  Configuring a multi-Celerra Usermapper environment
  Managing Usermapper
  Changing Usermapper default configuration settings
Using External Usermapper
Using the Active Directory
  Celerra UNIX user management snap-in
  Celerra UNIX users and groups property page extension
Using local files
  Task 1: Copy files from the Data Mover
  Task 2: Add Windows domain name as a group name
  Task 3: Add Windows usernames
  Task 4: Copy files to the Data Mover
Using NIS
Using user account migration tools
  Celerra UNIX Attributes Migration tool
  NTMigrate
Configuring the primary group mapping for file system objects
  Using user UNIX GIDs for file system objects
  Determining the GIDs on copied file system objects
Troubleshooting user mapping
  Error messages
  Known problems and limitations
  Events and notifications
Related information
  Customer training programs
Index

Introduction
Every user of the Celerra Network Server, either a Windows user or a UNIX user,
must be identified by a unique numeric user identifier (UID) and group identifier
(GID). Windows, however, does not use numeric IDs to identify users. Instead, it
uses strings called security identifiers (SIDs). Therefore, before you configure the
Windows file-sharing service (referred to as CIFS) on your Celerra Network Server,
you must select a method of mapping Windows SIDs to UIDs and GIDs. The
method you use depends on whether you have a Windows-only or UNIX and
Windows (multiprotocol) environment. These methods include:

- Usermapper (Internal or External)
- Active Directory
- Local files
- Network Information Service (NIS)

This technical module is part of the Celerra Network Server information set and is
intended for system administrators responsible for configuring and managing
Windows user ID mapping.

Terminology
This section defines terms important to understanding user mapping capabilities on
the Celerra Network Server. The Celerra Network Server User Information
Glossary provides a complete list of Celerra terminology.
ACL (Access control list): A list of access control entries (ACEs) that provide
information about the users and groups that are allowed access to an object.
Active Directory: An advanced directory service included with Windows 2000
Servers. It stores information about objects on a network and makes this
information available to users and network administrators through a protocol such
as LDAP.
authentication: The process for verifying the identity of a user who is trying to
access a resource or object, such as a file or a directory.
CIFS (Common Internet File System): A file-sharing protocol based on the Microsoft
Server Message Block (SMB). It allows users to share file systems over the Internet
and intranets.
CIFS server: A logical server that uses the CIFS protocol to transfer files. A Data
Mover can host many instances of a CIFS server. Each instance is referred to as a
CIFS server.
CIFS service: A CIFS server process that runs on the Data Mover and presents
shares on a network as well as on Windows-based computers.
Control Station: A hardware and software component of the Celerra Network Server
that manages the system and provides the user interface to all Celerra
components.

Data Mover: A Celerra Network Server cabinet component running the DART
operating system that retrieves files from a storage device and makes the files
available to a network client.
DNS (Domain Name System): Name resolution software that allows users to locate
computers and services on a UNIX network or TCP/IP network by name. The DNS
server maintains a database of domain names, hostnames and their corresponding
IP addresses, and services provided by these hosts.
domain: A logical grouping of Microsoft Windows servers and other computers that
share common security and user account information. All resources such as
computers and users are members of the domain and have an account in the
domain that uniquely identifies them. The domain administrator creates one user
account for each user in the domain, and the users log in to the domain once. Users
do not log in to each individual server.
GID (group identifier): A number assigned to a particular group of users.
Kerberos: An authentication, data integrity, and data privacy encryption mechanism
used in Windows 2000 to encode authentication information. Kerberos coexists
with NTLM (Netlogon services) and, using secret-key cryptography, provides
authentication for client/server applications.
NFS (Network File System): A distributed file system that provides transparent
access to a remote storage system. NFS allows all systems on the network to share
a single copy of a file system.
NIS (Network Information System): A distributed data lookup service that shares
user and system information across a network, including usernames, passwords,
home directories, groups, hostnames, IP addresses, and netgroup definitions.
NTP (Network Time Protocol): A protocol used to synchronize the real-time clock in
a computer with a network time source.
primary Usermapper service: The instance of the Usermapper service that assigns
UIDs and GIDs to Windows users and groups asking the Celerra Network Server
for access to system objects.
quota: A limit on the amount of allocated disk space as well as the number of files
(inodes) that a user or group of users can create in a production file system. Quotas
control the amount of disk space and the number of files that a user or group of
users can consume.
secondary Usermapper service: In a multi-Celerra environment, an instance of the
Usermapper service that forwards requests for user mappings to the primary
Usermapper service and returns those mappings to the Data Movers in addition to
storing the mappings it processes.
SID (security identifier): A unique identifier that defines a user or group in a
Microsoft Windows environment. Each user or group has its own SID.
UID (user identifier): A number that corresponds to a particular user.
user file: Refers to the passwd file that resides on each Data Mover.
Usermapper: A service that automatically maps distinct Windows users and groups
to distinct UNIX-style UIDs and GIDs.
Usermapper host: A machine that runs an External Usermapper daemon or service.
Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain
controlled and managed by a Microsoft Windows server/Windows 2003 server
using the Active Directory to manage all system resources and using the DNS for
name resolution.
Windows NT domain: A Microsoft Windows domain controlled and managed by a
Microsoft Windows NT server using a SAM database to manage user and group
accounts and a NetBIOS namespace. In a Windows NT domain, there is one
primary domain controller (PDC) that has a read/write copy of the SAM, and
possibly several backup domain controllers (BDCs) with read-only copies of the
SAM.
WINS (Windows Internet Naming Service): A Microsoft name resolution system that
determines the IP address associated with a particular network node. WINS
provides the mapping between the machine name and the Internet address,
allowing Microsoft networking to function over TCP/IP networks.

User mapping concepts


Every Celerra Network Server user must be assigned a unique numeric UID and
GID to indicate the ownership of directories and files. The Celerra Network Server
uses directory and file ownership to apply and enforce access permissions and
quota limits.
Note: For connections from Windows users, file access checking is performed using SIDs
only. This is done to prevent errors due to UID mismatches and to reduce dependency on
the Usermapper database.

Like the Celerra Network Server, UNIX versions 2 and 3 use UIDs and GIDs to
identify users and groups. Consequently, the Celerra Network Server can use the
UIDs and GIDs supplied by UNIX without requiring any additional mappings.
Windows, however, does not use numeric IDs to identify users. Instead, it uses
strings called security identifiers (SIDs). Therefore, before you configure the
Windows file-sharing service (referred to as CIFS) on your Celerra Network Server,
you must select a method of mapping Windows SIDs to UIDs and GIDs. You select
a mapping method based on whether you have a Windows-only or UNIX and
Windows (multiprotocol) environment.
Figure 1 identifies the factors that determine the user mapping technique best
suited for your environment.

Figure 1. Flow chart of user mapping techniques

1. Do users have both UNIX and Windows accounts?
   - No, Windows-only: Usermapper
   - Yes: go to question 2
2. Is Active Directory or UNIX your primary user mapping management environment?
   - Active Directory: Active Directory and cifs.useADMap parameter
   - UNIX: go to question 3
3. Do you have only one Windows domain or user names that are unique across
   all your Windows domains?
   - Yes: NIS and cifs.resolver parameter
   - No: Local files

Configuring user mapping in Windows-only environments


The Celerra Network Server's Usermapper feature automatically assigns UIDs and
GIDs to Windows users and groups. Beginning with Celerra Network Server
Version 5.2, there are two types of Usermapper.

- Internal Usermapper is part of the Data Mover's software. It does not require a
  separate installation and, in the case of a new Celerra Network Server, requires
  no additional configuration procedures.
- External Usermapper runs as a daemon on a Celerra Control Station. It requires
  a separate installation as well as additional configuration and management
  procedures.

EMC recommends that you use Internal Usermapper in Windows-only
environments. Celerra Network Server installations after version 5.2 use Internal
Usermapper by default. External Usermapper Version 3.1 and earlier versions are
maintained only for existing customers until they can transition to Internal
Usermapper.
Note: Before you configure and run Usermapper, note these restrictions:
- You should have only one primary Usermapper in a Celerra Network Server environment.
- You should not run External Usermapper and Internal Usermapper simultaneously in the
  same Celerra environment.

Configuring user mapping in multiprotocol environments


In multiprotocol environments, file systems can be accessed by both UNIX and
Windows users. File access is determined by the permissions on the file or
directory, either the UNIX permissions, Windows access control lists (ACLs), or
both permissions and ACLs. Therefore, if a user has both UNIX and Windows user
accounts, you should choose a mapping method that allows you to indicate that the
two accounts represent the same user. The mapping methods that enable you to
control the mappings used and ensure that specific Windows SIDs are mapped to
the corresponding UNIX UIDs/GIDs and vice versa include the following:

- Active Directory (using Microsoft Management Console snap-ins)
- A Data Mover's local user and group files
- Network Information Service (NIS)

Note: If a user in a multiprotocol environment will only use a single logon (either through
Windows or UNIX), then it is acceptable to use Usermapper. If a user has only one account,
mapping to an equivalent identity in the other environment is not necessary.

How user mapping works


When a user logs in to a Windows domain and requests access to a Data Mover's
resources, the following sequence of events occurs:
1. When logging into a Windows NT domain or when accessing a Data Mover that
   was declared as a pre-Windows 2000 computer, the user is authenticated using
   NTLM (NT LAN Manager). If the Data Mover is using a computer name and is
   joined to a Windows 2000 or Windows Server 2003 domain, the user is
   authenticated through Kerberos or NTLMSSP (NT LAN Manager secure-socket
   provider).
2. The user's identification is forwarded to the Data Mover.
3. The Data Mover searches the following sources for an existing mapping of the
   user's SID to a UID/GID:
   a. The Data Mover first checks its local resources (its local cache and then its
      local passwd and group files) for an existing SID to UID/GID mapping.
   b. If no mapping is found, and NIS is configured, the Windows domain
      controller is queried for the user or group name associated with the SID, and
      then NIS is queried for a UID/GID to associate with the name.
   c. If no mapping is found, and queries to the Active Directory are configured (in
      Windows 2000 and Windows Server 2003 environments), the Data Mover
      queries the Active Directory for a SID to UID/GID mapping.
   d. If no mapping is found, the Data Mover queries Usermapper for a SID to
      UID/GID mapping.
   e. The primary Usermapper service checks its database to determine if this
      user or group has already been assigned a UID/GID. If not, the primary
      Usermapper generates a new UID or GID and adds the new user or group to
      its database along with the mapping. It then returns the mapping to the Data
      Mover.
   f. The Data Mover permanently caches all mappings it receives from any
      source (local files, NIS, Active Directory, and Usermapper), making the
      response to subsequent SID to UID/GID mapping requests faster and less
      susceptible to network problems.
   g. The user is then authenticated and given access to the CIFS share (network
      drive).
   h. If a user ID mapping cannot be resolved through one of these methods, an
      error is logged in the server log and the user is unable to access the CIFS
      share (network drive).
Note: If an nsswitch.conf file has been created on the Data Mover, the Data Mover will
query the sources defined in that file for users and groups in the order defined after it
checks its local cache. The Configuring Celerra Naming Services technical module provides
information on using the nsswitch.conf file.

System requirements
This section describes the Celerra Network Server software, hardware, network,
and storage configurations required for using user mapping as described in this
technical module.
Table 1. System requirements for user mapping

Software: Celerra Network Server Version 5.5.

Hardware: No specific hardware requirements.

Network: Windows 2000, Windows Server 2003, or Windows NT domain.
  You must configure the domains with the following:
  Windows 2000 or Windows Server 2003 domains:
  - Active Directory
  - Kerberos or NT LAN Manager (NTLMSSP)
  - DNS
  - NTP
  Windows NT domains:
  - NT LAN Manager (NTLM)
  - WINS

Storage: Verify that sufficient space is available in the root file system. Contact your EMC
  Customer Support Representative for assistance with determining size
  requirements.

EMC NAS Interoperability Matrix


The EMC NAS Interoperability Matrix is available on Powerlink. It contains
definitive information on supported software and hardware, such as backup
software, Fibre Channel switches, and application support for Celerra
network-attached storage (NAS) products.

User interface choices


The Celerra Network Server offers flexibility in managing networked storage based
on your support environment and interface preferences. This technical module
describes how to configure user mapping using the command line interface (CLI).
You can also perform some of these tasks using one of the Celerra management
applications:

- Celerra Manager - Basic Edition
- Celerra Manager - Advanced Edition
- Celerra Monitor
- Microsoft Management Console (MMC) snap-ins
- Active Directory Users and Computers (ADUC) extensions

For additional information about managing your Celerra, refer to:

- Learning about Celerra
- Celerra Manager Online Help
- Monitoring Celerra
- Applications online help system on the Celerra Network Server Documentation CD

The Installing Celerra Management Applications technical module includes
instructions on launching Celerra Manager, and on installing the MMC snap-ins and
the ADUC extensions.

Using Celerra Manager to configure user mapping


Celerra Manager can be used to configure a Data Mover to use Usermapper and
NIS, as described in Table 2. You cannot use Celerra Manager to manage the
Active Directory or local files.
Table 2. User mapping configured using Celerra Manager

- Naming service: NIS
  Celerra Manager procedure: To configure the Data Mover as an NIS client, select
  Celerras > [Celerra_name] > Network and click the NIS Settings tab.
- Naming service: Usermapper
  Celerra Manager procedure: To configure Usermapper, select
  Celerras > [Celerra_name] > CIFS and click the Usermappers tab.
  Note: Celerra Manager can be used to configure Internal Usermapper services as
  well as upgrade or migrate an existing External Usermapper by transferring the
  primary Usermapper service from the Control Station to the Data Mover.

For more information on using Celerra Manager to configure user mapping, refer to
the Celerra Manager online help.
Note: You can also use the configuration wizards to set up the use of NIS or basic Internal
Usermapper.

User mapping roadmap


Table 3 lists the user mapping methods described in this technical module.

Table 3. User mapping roadmap

- Task: Use Internal Usermapper.
  Procedure: "Using Internal Usermapper" on page 14
- Task: Use External Usermapper.
  Procedure: "Using External Usermapper" on page 27
- Task: Use the Active Directory with MMC snap-ins.
  Procedure: "Using the Active Directory" on page 28
- Task: Use local files.
  Procedure: "Using local files" on page 30
- Task: Use NIS.
  Procedure: "Using NIS" on page 35
- Task: Use migration tools to move user accounts between Windows and UNIX environments.
  Procedure: "Using user account migration tools" on page 37
- Task: Configure primary group mapping.
  Procedure: "Configuring the primary group mapping for file system objects" on page 38

Using Internal Usermapper


Internal Usermapper is a Celerra service that automatically generates and
maintains a database that maps SIDs to UIDs and GIDs for users or groups
accessing file systems from a Windows domain.

- One instance of the Usermapper service serves as the primary Usermapper
  service, meaning that it assigns UIDs and GIDs to Windows users and groups.
  By default, this instance is configured on the Data Mover in slot 2 (server_2).
- The other Data Movers in a single Celerra environment are configured as
  clients of the primary Usermapper service, meaning that they send mapping
  requests to the primary service when they do not find a mapping for a user or
  group in their local cache. By default, all the client Data Movers automatically
  issue a broadcast over the Celerra system's internal interfaces to discover the
  location of the primary Usermapper service.
- In a multi-Celerra environment, other instances of the Usermapper service can
  serve as secondary Usermapper services. Like a primary Usermapper service,
  a secondary Usermapper service checks its database to determine if a user or
  group has already been assigned a UID/GID. If not, it forwards the mapping
  request to the primary Usermapper service. The primary Usermapper service
  checks its database and, if necessary, generates a new UID or GID, returning
  the mapping to the secondary Usermapper service. The secondary
  Usermapper service then adds the new user or group to its database along with
  the mapping and returns the mapping to the Data Mover. Secondary
  Usermapper services provide high availability by allowing mappings to be
  collected and stored on each Celerra server in a multi-Celerra environment. If
  the secondary Usermapper service is unavailable, new users are not able to
  access files and existing users are only able to access files if a user has used
  the Data Mover before and the Data Mover's local cache contains the previous
  mapping.

Restrictions
Before you configure and run Usermapper, note these restrictions:

- Designate only one primary Usermapper service in a Celerra Network Server
  environment. Otherwise, the same user can be assigned different mappings.
- In a single Celerra, make sure that there is only one instance of the Usermapper
  service, either primary or secondary. All the other Data Movers in that Celerra
  are clients of the primary or secondary service.
- In a multi-Celerra environment, make sure that the primary Usermapper service
  is enabled before you configure any secondary Usermapper services.
- By default, Usermapper runs on the Data Mover in slot 2 (server_2). This is
  the preferred location from which to run the primary or secondary Usermapper
  service.
- You cannot configure a primary or secondary Usermapper service on a virtual
  Data Mover (VDM).
- Do not run Internal Usermapper and External Usermapper simultaneously in the
  same Celerra environment.
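
The lookup order in step 3 of "How user mapping works", the primary/secondary forwarding described above, and the single-primary restriction can be followed in a small model. This is an added illustration, not EMC code: the class and function names, the constructed SIDs and IDs, and the reading of "32K" as 32768 are assumptions.

```python
"""Toy model of Celerra SID -> UID/GID resolution (added example, not EMC code)."""


class MappingError(Exception):
    """Step 3h: no source mapped the SID, so access to the share is refused."""


class PrimaryUsermapper:
    """Step 3e: return the stored mapping or assign the next free ID."""

    def __init__(self, first_id=32768):  # assumption: "32K" read as 32768
        self.db, self.next_id = {}, first_id

    def lookup(self, sid):
        if sid not in self.db:
            # Simplification: one number is used as both UID and GID.
            self.db[sid] = (self.next_id, self.next_id)
            self.next_id += 1
        return self.db[sid]


class SecondaryUsermapper:
    """Answers from its own database, else asks the primary and stores the reply."""

    def __init__(self, primary):
        self.db, self.primary = {}, primary

    def lookup(self, sid):
        if sid not in self.db:
            self.db[sid] = self.primary.lookup(sid)
        return self.db[sid]


class DataMover:
    """Client side of step 3: cache, local files, NIS, Active Directory, Usermapper."""

    def __init__(self, usermapper=None, local_files=None, dc_names=None,
                 nis=None, active_directory=None):
        self.cache, self.server_log = {}, []
        self.usermapper = usermapper          # None: no Usermapper reachable
        self.local_files = local_files or {}
        self.dc_names = dc_names or {}        # SID -> name, as a domain controller answers
        self.nis = nis                        # None: NIS not configured
        self.active_directory = active_directory

    def _sources(self, sid):
        # A generator, so a later source is only queried when the earlier ones miss.
        yield "local files", self.local_files.get(sid)
        if self.nis is not None:
            yield "NIS", self.nis.get(self.dc_names.get(sid))
        if self.active_directory is not None:
            yield "Active Directory", self.active_directory.get(sid)
        if self.usermapper is not None:
            yield "Usermapper", self.usermapper.lookup(sid)

    def resolve(self, sid):
        """Return ((uid, gid), source); raise MappingError when nothing maps the SID."""
        if sid in self.cache:
            return self.cache[sid], "cache"
        for source, ids in self._sources(sid):
            if ids is not None:
                self.cache[sid] = ids         # step 3f: mappings are cached permanently
                return ids, source
        self.server_log.append(f"no UID/GID mapping for {sid}")
        raise MappingError(sid)


# Constructed sample SIDs.
ALICE, BOB, CAROL, DAVE = (f"S-1-5-21-1000-2000-3000-{rid}" for rid in range(1101, 1105))


def lookup_order_demo():
    mover = DataMover(PrimaryUsermapper(), local_files={ALICE: (501, 100)},
                      dc_names={BOB: "bob"}, nis={"bob": (1201, 200)},
                      active_directory={CAROL: (1301, 300)})
    first = [mover.resolve(sid) for sid in (ALICE, BOB, CAROL, DAVE)]
    mover.usermapper = None                   # Usermapper becomes unreachable
    return first, mover.resolve(DAVE)         # DAVE is still served from the cache


def two_celerras(mapper_1, mapper_2):
    """Resolve the same two users on two Celerras, in opposite order."""
    celerra_1, celerra_2 = DataMover(mapper_1), DataMover(mapper_2)
    for sid in (ALICE, BOB):
        celerra_1.resolve(sid)
    for sid in (BOB, ALICE):
        celerra_2.resolve(sid)
    return celerra_1.cache, celerra_2.cache


def two_primaries_demo():
    """Violates the restriction: each primary hands out IDs independently."""
    return two_celerras(PrimaryUsermapper(), PrimaryUsermapper())


def secondary_demo():
    """Recommended layout: Celerra 2 runs a secondary that forwards to the primary."""
    primary = PrimaryUsermapper()
    return two_celerras(primary, SecondaryUsermapper(primary))


if __name__ == "__main__":
    print(lookup_order_demo())
    print("two primaries:", two_primaries_demo())
    print("primary + secondary:", secondary_demo())
```

In this model, two independent primaries give the same user different IDs on the two systems and give one ID to different users, while the primary plus secondary layout yields identical mappings on both.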

Planning considerations
Before you begin using Internal Usermapper, consider the following situations:

- Usermapper stops mapping new UIDs and GIDs once the root file system of the
  Data Mover on which the Usermapper database is stored becomes 95 percent
  full. In this situation, new users will not be allowed access to system objects.
  The size of the root file system that is required is based on the number of users
  in your Windows environment. Contact your EMC Customer Support
  Representative for assistance with determining size requirements.
- If you are replicating a Windows environment that uses Usermapper or if you
  are using the Symmetrix Remote Data Facility (SRDF), special Usermapper
  restrictions may apply. Contact your EMC Customer Support Representative for
  more information.
- In Internal Usermapper, the UID and GID ranges are fixed in the Usermapper
  database and Usermapper automatically assigns new UIDs and GIDs based on
  the next available value. Therefore, it does not need to use a Usermapper
  configuration file to define UID and GID ranges. However, it is possible to import
  an existing usrmap.cfg and use this file to define UID and GID ranges. This is
  referred to as the manual mapping method. Once the ranges defined in the
  usrmap.cfg file are enabled, Internal Usermapper's automatic mapping
  method maintains this information and prevents duplicate mappings.
  Note: If there is no special reason to use particular UID and GID ranges for your
  environment's domains, EMC encourages you to use the automatic mapping method
  and let Internal Usermapper automatically assign new UIDs and GIDs based on the
  next available values. If a future revision to the usrmap.cfg file cannot be avoided,
  contact your EMC Customer Support Representative for assistance.
- Usermapper supports the SID (security identifier) history functionality
  introduced in Windows 2000. This aids the migration of users from Windows NT
  domains to Windows 2000 native mode domains. To use the SID History, it
  must be enabled in Windows 2000 and on your Celerra system. Refer to your
  Windows 2000 documentation for the correct procedure for enabling SID
  History on your Windows 2000 systems. With SID History enabled, when you
  are migrating users from a Windows NT domain or a Windows 2000 domain in
  mixed mode to a Windows 2000 domain in native mode, the Security Access
  Token contains the SID History from the Windows NT domain and a new SID
  from the Windows 2000 domain. Internal Usermapper automatically assigns
  UID and GID mappings, including SID history, by default.

Using the default single-Celerra Usermapper configuration


When a new Celerra Network Server running software Version 5.3 or later is
started for the first time, it is automatically configured with the default
single-Celerra Usermapper configuration. In this situation, Usermapper is
automatically enabled as a NAS service and no additional installation or
configuration procedures are required.
The default Usermapper configuration consists of a single Celerra Network Server
in which the Data Mover in slot 2 (server_2) is configured with the primary
Usermapper service. The remaining Data Movers in the Celerra system each cache
all the SID-to-UID/GID mappings they have used. However, if one of these Data Movers
is accessed by a user for whom it does not have a mapping, it queries the primary
Usermapper service. These Data Movers are clients of the primary Usermapper
service. By default, all the Data Movers in the Celerra system automatically issue a
broadcast over the Celerra's internal interfaces to discover the location of the
primary Usermapper service.
Certain UID and GID values are reserved and cannot be mapped to SIDs. For
example, 0 is reserved for the UNIX root account. Additional numbers are
reserved for maintenance. UID and GID values can start at 32K. The maximum
possible value for UIDs and GIDs is imposed by the underlying file system. All
domain users and groups accessing this file system are assigned UIDs and GIDs
based on these definitions.
Note: As in a standard Celerra configuration, you can configure another Data Mover to
serve as a failover Data Mover, providing a backup for the primary Usermapper service.

"Displaying Usermapper status" on page 20 describes how to verify the
Usermapper configuration and display its current status. If the primary Usermapper
service is not automatically enabled, refer to "Troubleshooting user mapping" on
page 41. "Managing Usermapper" on page 20 provides information on managing
your Usermapper environment.

Configuring a multi-Celerra Usermapper environment


If you have a Celerra Network Server environment in which there is more than one
Celerra Network Server that shares the same Windows domain space, the default
Usermapper configuration is not suitable. In this situation, you must modify the
default Usermapper configuration on all the additional Celerra Network Servers to
use one primary Usermapper service. In this situation, EMC recommends a
configuration in which the Data Mover located in slot 2 (server_2) of each of the
additional Celerra servers is configured as a secondary Usermapper service. The
remaining Data Movers in each Celerra server then send mapping requests to their
local secondary Usermapper service, and each secondary Usermapper service
then forwards these requests to the single primary Usermapper service.
Note: The secondary Usermapper service sends mapping requests to the primary
Usermapper service one at a time and only when needed. Therefore, all the secondary
Usermapper services in an environment may not have the same entries in their databases.

Note: If you have a Celerra Network Server environment in which there are multiple Celerra
Network Servers that do not share the same Windows domain, each domain should be
configured with its own primary Usermapper service.

The online Celerra man pages or the Celerra Network Server Command Reference
Manual provide a detailed synopsis of the commands and syntax conventions
presented in this section.
Table 4. Tasks for configuring a multi-Celerra Usermapper environment

1. Action: On the first Celerra, verify that the primary Usermapper service is enabled.
   Procedure: "Task 1: Verify the status of the primary Usermapper service" on page 17
2. Action: On the second Celerra, disable the default primary Usermapper service.
   Procedure: "Task 2: Disable the primary Usermapper service" on page 18
3. Action: On the second Celerra, configure a secondary Usermapper service.
   Procedure: "Task 3: Configure the secondary Usermapper service" on page 18
4. Action: On the second Celerra, verify that the secondary Usermapper service is enabled.
   Procedure: "Task 4: Verify the status of the secondary Usermapper service" on page 19

Note: In the following description, the Celerra Network Server that supports the primary
Usermapper service is referred to as Celerra 1 and the Celerra Network Server that runs the
secondary Usermapper service is referred to as Celerra 2.

Task 1: Verify the status of the primary Usermapper service


On Celerra 1, verify that the primary Usermapper service is enabled on server_2.
This is the default configuration.
Action
To verify that the primary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To verify that the primary Usermapper service is enabled on server_2 of Celerra 1, type:
$ server_usermapper server_2

Output
server_2 : Usrmapper service: Enabled
Service Class: Primary

Task 2: Disable the primary Usermapper service


Since the default Usermapper configuration always designates the Data Mover in
slot 2 (server_2) as supporting the primary Usermapper service, you must
explicitly configure a Data Mover on Celerra 2 to support a secondary Usermapper
service.
On Celerra 2, disable the primary Usermapper service that is enabled by default.
Action
To disable the primary Usermapper service, use this command syntax:
$ server_usermapper <movername> -disable
Where:
<movername> = name of the specified Data Mover
Example:
To disable the primary Usermapper service on server_2 of Celerra 2, type:
$ server_usermapper server_2 -disable

Output
server_2 : done

Note: No user mapping requests should be sent to the primary Usermapper service on
Celerra 2 before you have reconfigured it. Consequently, you should not configure CIFS on
the Celerra 2 Data Movers until the Usermapper service is reconfigured as a secondary
service.

Task 3: Configure the secondary Usermapper service


Once you have disabled the primary Usermapper service on Celerra 2, you can
configure server_2 to run as a secondary Usermapper service.
When you enable a secondary Usermapper service, you also indicate the location
of the primary Usermapper service to which the secondary service will send
mapping requests. To do this, you specify the IP address of the Data Mover on
which the primary service is located.
Note: The primary Usermapper service must be enabled before you can configure a
secondary service.


Action
To enable a secondary Usermapper service, use this command syntax:
$ server_usermapper <movername> -enable primary=<ip addr>
Where:
<movername> = name of the specified Data Mover
<ip addr> = network IP address of the Data Mover on which the primary Usermapper service is
running
Example:
To enable a secondary Usermapper service on server_2 of Celerra 2, type:
$ server_usermapper server_2 -enable primary=192.168.21.1

Output
server_2 : done

Task 4: Verify the status of the secondary Usermapper service


Verify that the secondary Usermapper service has been enabled on server_2 of
Celerra 2.
Action
To verify that the secondary Usermapper service is enabled, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To verify that the secondary Usermapper service is enabled on server_2 of Celerra 2, type:
$ server_usermapper server_2

Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1


Managing Usermapper
This section describes the tasks you perform to manage Usermapper.
The online Celerra man pages or the Celerra Network Server Command Reference
Manual provide a detailed synopsis of the commands and syntax conventions
presented in this section.
Table 5. Usermapper management tasks

| Management task | Procedure |
|---|---|
| Display Usermapper status. | "Displaying Usermapper status" on page 20. |
| Import and export user and group information. | "Importing and exporting database information" on page 22. |
| Maintain the Usermapper database. | "Maintaining the Usermapper database" on page 24. |
| Back up Usermapper. | "Backing up Usermapper" on page 25. |

Displaying Usermapper status


You can display Usermapper status on your Celerra Network Server using two
commands:

- The server_usermapper command displays the status of Internal Usermapper services running on a Data Mover.
- The server_cifs command displays a Data Mover's CIFS configuration, including the Usermapper service it is using.

Displaying Usermapper service information


The server_usermapper command displays the status of Internal Usermapper
services running on a Data Mover, including:

- Whether the Usermapper is configured as a primary or secondary service.
- The IP address of the primary Usermapper service used by the secondary.
- The operational status of the service.

Action
To display the status of the Usermapper service, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To display the status of the Usermapper service on server_2, type:
$ server_usermapper server_2


Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1

Note
Usermapper has three operational states:
- Uninitialized: When Usermapper is not available on the Data Mover
- Initialized: When Usermapper has been created on the Data Mover but disabled for some reason
- Enabled: When Usermapper is running
You should have only one instance of the Usermapper service, either primary or
secondary, in a single Celerra server. All the other Data Movers in that
environment are clients of the primary or secondary service.

Displaying the Data Mover's Usermapper service


The server_cifs command displays a Data Mover's CIFS configuration,
including the Usermapper service it is using.
Note: If you issue a server_cifs command for the Data Mover on which the Usermapper
service is running (typically server_2), the Usermapper service listed displays the Data
Mover's loopback address (127.0.0.1) as the IP address of its Usermapper service.

Action
To display the Usermapper service used by a Data Mover, use this command syntax:
$ server_cifs <movername>
Where:
<movername> = name of the specified Data Mover
Example:
To display the Usermapper service used by server_3, type:
$ server_cifs server_3

Output
server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[192.168.1.2] state:active (auto discovered)
Usermapper[1]=[192.168.2.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)

Note
This example shows that server_3 is using the Usermapper service located on server_2 at
internal IP addresses 192.168.1.2 and 192.168.2.2, the service is available, and the service was
located using the auto-discovery broadcast.
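
The two status outputs in this section can be checked mechanically. The following is an added example, not EMC code: it parses the server_usermapper and server_cifs output formats shown above and reports a Data Mover whose role, primary address, or Usermapper address differs from what the operator expects. The sample text is constructed from the outputs on this page, and the expected values passed to the checks are assumptions supplied by the operator.

```python
import re

# Constructed samples, in the output formats shown in this section.
STATUS_OUTPUT = """\
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1
"""

CIFS_OUTPUT = """\
server_3 :
96 Cifs threads started
Security mode = NT
Usermapper auto broadcast enabled
Usermapper[0]=[192.168.1.2] state:active (auto discovered)
Usermapper[1]=[192.168.2.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
"""

STATUS_PATTERNS = {
    "state": re.compile(r"Usrmapper service:\s*(\w+)"),
    "service_class": re.compile(r"Service Class:\s*(\w+)"),
    "primary": re.compile(r"^\s*Primary\s*=\s*(\S+)", re.MULTILINE),
}
CIFS_USERMAPPER = re.compile(
    r"Usermapper\[(\d+)\]=\[([^\]]+)\]\s+state:(\w+)(?:\s+\(([^)]*)\))?"
)


def parse_status(text):
    """Parse `server_usermapper <movername>` output into a dict."""
    info = {"mover": None, "state": None, "service_class": None, "primary": None}
    lines = text.strip().splitlines()
    if lines and ":" in lines[0]:
        info["mover"] = lines[0].split(":", 1)[0].strip()
    for key, pattern in STATUS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            info[key] = match.group(1)
    return info


def check_status(info, expected_class, expected_primary=None):
    """Compare a parsed status with the role the operator intended."""
    problems = []
    if info["state"] != "Enabled":
        problems.append(f"{info['mover']}: state is {info['state']}, expected Enabled")
    if info["service_class"] != expected_class:
        problems.append(
            f"{info['mover']}: class is {info['service_class']}, expected {expected_class}"
        )
    if expected_class == "Secondary" and info["primary"] != expected_primary:
        problems.append(
            f"{info['mover']}: forwards to {info['primary']}, expected {expected_primary}"
        )
    return problems


def parse_cifs_usermappers(text):
    """Extract the Usermapper[n] lines from `server_cifs <movername>` output."""
    entries = []
    for match in CIFS_USERMAPPER.finditer(text):
        entries.append({
            "index": int(match.group(1)),
            "address": match.group(2),
            "state": match.group(3),
            "how": match.group(4) or "",
        })
    return entries


def audit_cifs(text, allowed):
    """Report Usermapper addresses that are not in the operator's allowed set.

    On the Data Mover that hosts the service, include 127.0.0.1 in `allowed`,
    because the page notes that it lists its own loopback address.
    """
    problems = []
    for entry in parse_cifs_usermappers(text):
        if entry["address"] not in allowed:
            problems.append(f"unexpected Usermapper {entry['address']} ({entry['how']})")
        elif entry["state"] != "active":
            problems.append(f"Usermapper {entry['address']} is {entry['state']}")
    return problems


if __name__ == "__main__":
    status = parse_status(STATUS_OUTPUT)
    print(check_status(status, "Secondary", "192.168.21.1"))
    print(audit_cifs(CIFS_OUTPUT, {"192.168.1.2"}))
```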


Importing and exporting database information


You can import and export user and group information to and from the Usermapper
database.
Importing database information
Typically, you import information into the Usermapper database from a user and
group file in order to reimport an edited Usermapper database, migrate the primary
Usermapper service from one Data Mover to another, or upgrade or migrate your
Usermapper configuration. Contact your EMC Customer Support Representative
for assistance if you are migrating the primary Usermapper service from one Data
Mover to another or if you are upgrading or migrating from External Usermapper to
an Internal Usermapper configuration.
Use the -Import option to the server_usermapper command to import a user
or group file. Usermapper can import files in either of two formats: a standard UNIX
format that corresponds to the passwd and group file formats, or a format that
includes the SID in the first field, as shown in the following examples.
Note: These two file formats were referred to as Format 1 and Format 3 in External
Usermapper.

Example of a user file entry in standard UNIX format (Format 1):
rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh
Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in standard UNIX format (Format 1):
people.mass.subscribers.db.dir:*:58362:people.mass.subscribers.db.dir:
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
To import user information into the Usermapper database, use the following
command syntax.
Action
To import user information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the user file to be imported
Example:
To import user information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -user /nas/cifs/usrmapperV3/linux/usrmap.passwd


Output
server_2 : done

To import group information into the Usermapper database, use the following
command syntax.
Action
To import group information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the user file to be imported
Example:
To import group information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -group /nas/cifs/usrmapperV3/linux/usrmap.group

Output
server_2 : done
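
Because an imported file becomes the UID and GID mapping that file access depends on, it is worth checking a user file before running -Import. The following is an added example, not EMC code: it classifies each entry as Format 1 or Format 3, validates the SID syntax as it appears in this page's examples, and flags UIDs or GIDs outside the default Usermapper range of 16 to 2^31-1. The range check is an operator policy assumed here, and every sample line other than the page's two example entries is constructed.

```python
import re

# SID syntax as it appears in this page's Format 3 examples (hex sub-authorities).
SID_RE = re.compile(r"^S-1-[0-9A-Fa-f]+(?:-[0-9A-Fa-f]+)+$")
NUMBER_RE = re.compile(r"^[0-9]+$")

MIN_ID = 16           # default minuid/mingid documented for Usermapper
MAX_ID = 2**31 - 1    # default maxuid/maxgid documented for Usermapper

PAGE_FORMAT1 = "rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh"
PAGE_FORMAT3 = (
    "S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:"
    "user rob.hilder from domain dir:"
    "/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh"
)

# Constructed import file: the two page examples followed by three bad lines.
SAMPLE_USER_FILE = "\n".join([
    PAGE_FORMAT1,
    PAGE_FORMAT3,
    "S-1-5-15-139d2e78-56b177fd-5475b975-4000:*:0:903:constructed:/usr/x:/bin/sh",
    "S-1-5-15-zzzz:*:27000:903:constructed:/usr/y:/bin/sh",
    "short.line.dir:*:27001",
]) + "\n"


def parse_user_line(line):
    """Parse one user entry; raise ValueError when it cannot be imported as-is."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, found {len(fields)}")
    name, uid, gid = fields[0], fields[2], fields[3]
    if not (NUMBER_RE.match(uid) and NUMBER_RE.match(gid)):
        raise ValueError("UID and GID must be decimal numbers")
    if name.startswith("S-1-"):
        if not SID_RE.match(name):
            raise ValueError("first field looks like a SID but is malformed")
        fmt = 3
    else:
        fmt = 1
    return {"format": fmt, "name": name, "uid": int(uid), "gid": int(gid)}


def check_user_file(text, min_id=MIN_ID, max_id=MAX_ID):
    """Return (entries, problems); each problem is a (line_number, message) tuple."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_user_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        entry["line"] = lineno
        entries.append(entry)
        for label in ("uid", "gid"):
            value = entry[label]
            if not min_id <= value <= max_id:
                problems.append(
                    (lineno, f"{label.upper()} {value} is outside {min_id}..{max_id}")
                )

    # The page describes a file as being in one format or the other, so report
    # the entries that use the less common format in this file.
    by_format = {1: [], 3: []}
    for entry in entries:
        by_format[entry["format"]].append(entry["line"])
    if by_format[1] and by_format[3]:
        minority = 1 if len(by_format[1]) <= len(by_format[3]) else 3
        for lineno in by_format[minority]:
            problems.append(
                (lineno, f"Format {minority} entry in a file that is mostly Format {4 - minority}")
            )
    return entries, problems


if __name__ == "__main__":
    for lineno, message in sorted(check_user_file(SAMPLE_USER_FILE)[1]):
        print(f"line {lineno}: {message}")
```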

Exporting database information


Typically, you would export user and group information from the Usermapper
database in order to migrate the primary Usermapper service, back up the
Usermapper database, or collect information for troubleshooting.
Use the -Export option to the server_usermapper command to export a user
or group file. Usermapper exports files in a format that includes the SID in the first
field, as shown in the following examples.
Note: This file format was referred to as Format 3 in External Usermapper.

Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:


To export user information from the Usermapper database, use the following
command syntax.
Action
To export user information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example:
To export user information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd

Output
server_2 : done

To export group information from the Usermapper database, use the following
command syntax.
Action
To export group information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example:
To export group information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group

Output
server_2 : done

Maintaining the Usermapper database


Do not modify the Usermapper database files. Windows users may have problems
accessing files if you modify the Usermapper database files.
If an issue seems to require a change to a Usermapper mapping entry, you must
consult your EMC Customer Support Representative to determine the best course
of action.
Note: Changes made to the Usermapper database are not reflected by a client Data Mover
if the client Data Mover has already cached the existing Usermapper information in its local
cache. If files and folders have already been created using the existing UIDs and GIDs,
simply changing the UID or GID map will make file objects inaccessible.


Backing up Usermapper
Use the following procedure to back up your Internal Usermapper configuration.
1. As root, dump the password and group files to a specified directory by typing:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group

2. Make a backup copy of the current usrmap.cfg file (if one is in use) by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.cfg /home/nasadmin/usrmap.cfg

3. Also make a backup copy of the usrmap.settings file by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.settings /home/nasadmin/usrmap.settings

Changing Usermapper default configuration settings


Usermapper has default configuration settings, but you can change them by
modifying the following parameters:

- usrmap minuid
- usrmap maxuid
- usrmap mingid
- usrmap maxgid

You can view and dynamically modify parameter values using the server_param
command or the Celerra Manager graphical user interface. This technical module
describes only the command-line procedures. The Celerra Manager Online Help
explains how to use the graphical user interface to modify parameter values. The
Celerra Network Server Parameters Guide describes all Celerra Network Server
parameters.


To change one of the default Usermapper UID or GID minimum or maximum values
(refer to Table 6), use the following command syntax.
Action
To change one of the default Usermapper UID or GID minimum or maximum values, use this
command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the minimum UID value, type:
$ server_param server_2 -facility usrmap -modify minuid -value 32
Note: Parameter and facility names are case-sensitive.

Output
server_2 : done

Table 6 shows the Usermapper parameters and their values.


Table 6. Usermapper parameters

| Module | Parameter | Value | Comment/Description |
|---|---|---|---|
| usrmap | minuid | 16 - 2^31-1; Default 16 | Minimum UID value. minuid must be less than maxuid. |
| usrmap | maxuid | 16 - 2^31-1; Default 2^31-1 | Maximum UID value. maxuid must be greater than minuid. |
| usrmap | mingid | 16 - 2^31-1; Default 16 | Minimum GID value. mingid must be less than maxgid. |
| usrmap | maxgid | 16 - 2^31-1; Default 2^31-1 | Maximum GID value. maxgid must be greater than mingid. |

Note: If you have imported a preexisting configuration file, these UID and GID range limits
only apply when a new Usermapper database entry is created. Once the database is
created, you cannot change maximum UID and GID values.


Using External Usermapper


External Usermapper runs as a daemon on a Celerra Control Station. Typically, this
Usermapper daemon serves as the primary Usermapper service (the instance of
Usermapper that assigns UIDs and GIDs) for the Data Movers within a Celerra
Network Server environment. The Data Movers function as clients of the primary
Usermapper, meaning they send mapping requests to the primary Usermapper
when they cannot determine file access locally.
Other instances of Usermapper can serve as secondary Usermappers, meaning
they collect requests for mappings and forward them to the primary Usermapper.
Typically, you would only configure a secondary Usermapper in a distributed
environment in which remote locations communicate with the primary Usermapper
over a wide area network (WAN).
Note: The recommended Usermapper configuration runs the Usermapper daemon,
functioning as the primary Usermapper, on Control Station CS_0. Consult with EMC
Customer Service to determine whether the use of secondary Usermappers will be
advantageous.

The Configuring External Usermapper for Celerra technical module provides
information on configuring and managing External Usermapper.


Using the Active Directory


If your multiprotocol environment consists primarily of Windows users, you can use
the Active Directory to centralize both your Windows and UNIX user account
management.
If the Active Directory schema is extended to include UNIX attributes for Windows
users and groups, you can configure a Data Mover to query the Active Directory to
determine if a user and the group the user is a member of have UNIX attributes
assigned. If so, information stored in these attributes is used for file access
authorization.
To configure a Data Mover to query the Active Directory, you must do the following:
1. Install the UNIX user management component of the Celerra CIFS Microsoft
Management Console (MMC) snap-ins for managing Celerra users from a
Windows computer. These snap-ins provide a manual mapping method that
enables you to assign specific UIDs and GIDs to Windows users.
2. Set the cifs.useADMap parameter to 1 to enable the snap-ins to interact with
the Data Mover.
The Installing Celerra Management Applications technical module and the Celerra
UNIX User Management and Celerra UNIX Attribute Migration online help systems
provide more information. The online help provides details of the Active Directory
schema extensions. Also refer to "Using user account migration tools" on page 37
for information about migrating user information from one environment to another.

Celerra UNIX user management snap-in


Celerra UNIX User Management is an MMC snap-in to the Celerra Management
view that you can use to assign, remove, or modify UNIX UID/GIDs for a single
Windows user or group on the local domain and on remote domains.
You also use this snap-in to select the location of the attribute database. This
location can either be in a local or a remote domain. You would choose to store the
attribute database in the Active Directory of a local domain if:

- You have only one domain.
- Trusts are not allowed.
- You have no need to centralize your UNIX user management information.

You would choose a remote domain if:

- You have multiple domains.
- Bidirectional trusts between domains that need to access the attribute database already exist.
- You want to centralize your UNIX user management.

Celerra UNIX users and groups property page extension


Celerra UNIX Users and Groups property pages are extensions to Active Directory
Users and Computers view. You can use these property pages to assign, remove,
or modify UNIX UID/GIDs for a single Windows user or group on the local domain.
Note: You cannot use this extension to manage users or groups on a remote domain.


Using local files


If your multiprotocol environment consists primarily of UNIX users and has more
than one Windows domain, or usernames that are not unique across the Windows
domains, you can manually edit the Data Mover's local passwd and group files.
By default, the Data Mover checks for a username in the form username.domain
and a groupname in the form groupname.domain. If the usernames and
groupnames do not have a domain association, you must add the Windows domain
name as well as verify that the Windows user is assigned the UID and GID of the
existing UNIX account.
Note: "Using user account migration tools" on page 37 provides information about migrating
user information from one environment to another.

If you have added usernames and groupnames to the local files without a domain
association, you can set the cifs.resolver parameter so the Data Mover looks
for the names without appending the domain. "Using NIS" on page 35 provides a
description of using the cifs.resolver parameter.
When editing the passwd and group files, the following rules apply:

- All of the entries (Windows names, usernames, domain names, global group names) in the passwd and group files must be entered in lowercase ASCII only.
- Any spaces in Windows domain or group names should be replaced with =20 so that they become legal in a UNIX-style passwd or group file.
- If you are using UNIX user authentication, issue the server_user command to generate an encrypted password in the password field, but do not include the domain as part of the username.

Note: The Configuring Celerra Naming Services technical module provides additional
information on using local files for naming services.

Use this procedure to manually add Windows users and groups to the passwd and
group files on the Data Mover.
The online Celerra man pages or the Celerra Network Server Command Reference
Manual provide a detailed synopsis of the commands and syntax conventions
presented in this section.
Table 7. Using local files tasks

| Task | Action | Procedure |
|---|---|---|
| 1. | Copy the passwd and group files from the Data Mover to the Control Station for editing. If the local files do not exist, create them with an ASCII editor such as vi or Emacs. | Task 1: "Copy files from the Data Mover" on page 31. |
| 2. | Add the Windows domain name as a group name to the UNIX group file. | Task 2: "Add Windows domain name as a group name" on page 32 |
| 3. | Add the Windows usernames from the Windows domain to the UNIX password file. | Task 3: "Add Windows usernames" on page 33 |
| 4. | Copy the passwd and group files back to the Data Mover. | Task 4: "Copy files to the Data Mover" on page 34 |

Task 1: Copy files from the Data Mover


Before you can edit the local files, you must copy them from the Data Mover.

CAUTION

This command overwrites existing files of the same name without notification. Use
care when copying files.

Action
To copy the passwd or group file, use the following command syntax for each file:
$ server_file <movername> -get <src_file> <dst_file>
Where:
<movername> = name of the specified Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Example:
To copy the passwd file to /home/nasadmin/passwd, type:
$ server_file server_2 -get passwd /home/nasadmin/passwd

Output
server_2 : done


Task 2: Add Windows domain name as a group name


Use this procedure to add the domain name to the copy of the group file on the
Data Mover.
Note: Use the UNIX text editors vi or Emacs to manually modify the configuration file. You
can also use Windows Notepad.
Action
Using a text editor, add the Windows domain name as a group name in the group file. Assign a
GID for the newly created group name. The group file entries are in the following format:
<groupname.domain>:*:<GID>:
Where:
<groupname.domain> = the group name and Windows domain name.
* = indicates the UNIX password for the group. This field should contain an asterisk (*) because
the password is not used on the Celerra Network Server.
<GID> = unique numeric group ID that you assign to the group name.
Example 1:
To add the Windows domain galaxy to the group file, add the following line:
galaxy:*:100:
The Windows domain galaxy is the group name; 100 is the GID.
Example 2:
Here is an example of a group file, including the galaxy example and the default Windows global
groups:
. (numerous UNIX groups skipped)
.
galaxy:*:100:
domain=20admins.galaxy:*:101:
domain=20users.galaxy:*:102:
domain=20guests.galaxy:*:103:


Task 3: Add Windows usernames


Use this procedure to add usernames to the copy of the passwd file on the Data
Mover.
Action
Add the Windows usernames from the Windows domain to the passwd file and assign each user
a unique UID and the GID specified for the Windows domain in "Add Windows domain name as a
group name" on page 32.
Password file entries are in the following format:
<user.domain>:*:<UID>:<GID>:<name>:<path>:<shell>
Where:
<user.domain> = the Windows username and domain name.
* = indicates the UNIX password for the user. If the user authentication mode on the Data Mover is
set to NT or SHARE, this field should contain an asterisk (*). If the Data Mover uses UNIX user
authentication, the field should contain the encrypted password for the user.
<UID> = a unique user ID that you assign.
<GID> = GID assigned to the domain.
<name>, <path>, and <shell> are optional informational fields and are ignored during
processing.
Example:
The following is an example of a password file entry of user glenn in domain galaxy. This
requires an entry in passwd as:
glenn.galaxy:*:530:100:J.GLENN:/usr/home/jdir:/bin/csh
Where:
glenn = Windows username.
galaxy = Windows domain name; appended to preclude accidental mapping to existing UNIX or
Windows clients of the same name.
* = indicates the UNIX password for the user. If the user authentication mode on the Data Mover is
set to NT or SHARE, this field is ignored.
530 = UID.
100 = GID.
J.GLENN = username (optional; ignored during processing).
/usr/home/jdir = UNIX home directory path (optional; ignored during processing).
/bin/csh = UNIX shell (optional; ignored during processing).


Task 4: Copy files to the Data Mover


Use the following procedure to copy the edited local files back to the Data Mover.

CAUTION

This command overwrites existing files of the same name without notification. Use
care when copying files.

Action
To copy the passwd or group file, type the following for each file:
$ server_file <movername> -put <src_file> <dst_file>
Where:
<movername> = name of the specified Data Mover
<src_file> = name of the source file
<dst_file> = name of the destination file
Examples:
$ server_file server_2 -put passwd passwd
$ server_file server_2 -put group group

Output
server_2 : done
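
Since server_file -put overwrites the Data Mover's files without notification, the edited copies can be checked against the rules in this section before Task 4. The following is an added example, not EMC code: it checks the first field of each entry for lowercase ASCII and unescaped spaces, confirms that each passwd entry carries a domain suffix and a GID defined in the group file, and reports reused UIDs and GIDs. The file contents are constructed from the galaxy examples, and the set of domain names is supplied by the operator.

```python
# Constructed local files, modelled on the galaxy examples in Tasks 2 and 3.
GROUP_FILE = """\
galaxy:*:100:
domain=20admins.galaxy:*:101:
domain users.galaxy:*:102:
"""

PASSWD_FILE = """\
glenn.galaxy:*:530:100:J.GLENN:/usr/home/jdir:/bin/csh
Armstrong.galaxy:*:531:100:N.ARMSTRONG:/usr/home/ndir:/bin/csh
aldrin.galaxy:*:530:100:B.ALDRIN:/usr/home/bdir:/bin/csh
collins:*:533:250:M.COLLINS:/usr/home/mdir:/bin/csh
"""

NO_DOMAIN = "no .<domain> suffix; found only when cifs.resolver=1"


def rows(text):
    """Yield (line_number, fields) for each non-blank line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            yield lineno, line.split(":")


def is_number(value):
    return value.isascii() and value.isdigit()


def name_problems(name):
    """Naming rules apply to the first field only: the page's own example
    keeps uppercase text (J.GLENN) in the ignored informational field."""
    problems = []
    if not name.isascii() or name != name.lower():
        problems.append("name must be lowercase ASCII")
    if " " in name:
        problems.append("space in name must be written as =20")
    return problems


def lint_local_files(passwd_text, group_text, domains):
    """Return a list of (file, line_number, message) findings."""
    findings = []

    gid_lines = {}  # GID -> line in the group file that defines it
    for lineno, fields in rows(group_text):
        if len(fields) < 3 or not is_number(fields[2]):
            findings.append(("group", lineno, "malformed entry"))
            continue
        findings += [("group", lineno, p) for p in name_problems(fields[0])]
        gid = fields[2]
        if gid in gid_lines:
            findings.append(("group", lineno, f"GID {gid} already used on line {gid_lines[gid]}"))
        else:
            gid_lines[gid] = lineno

    uid_lines = {}  # UID -> first passwd line that uses it
    for lineno, fields in rows(passwd_text):
        if len(fields) < 4 or not (is_number(fields[2]) and is_number(fields[3])):
            findings.append(("passwd", lineno, "malformed entry"))
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        findings += [("passwd", lineno, p) for p in name_problems(name)]
        if not any(name.endswith("." + domain) for domain in domains):
            findings.append(("passwd", lineno, NO_DOMAIN))
        if gid not in gid_lines:
            findings.append(("passwd", lineno, f"GID {gid} is not defined in the group file"))
        if uid in uid_lines:
            findings.append(("passwd", lineno, f"UID {uid} already used on line {uid_lines[uid]}"))
        else:
            uid_lines[uid] = lineno
    return findings


if __name__ == "__main__":
    for finding in lint_local_files(PASSWD_FILE, GROUP_FILE, {"galaxy"}):
        print(finding)
```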


Using NIS
If your multiprotocol environment consists primarily of UNIX users and has only one
Windows domain, or usernames that are unique across multiple Windows domains,
you can use NIS to manage user and group mapping.
The Configuring Celerra Naming Services technical module provides information
on configuring a Data Mover to access a NIS server. For information about
manually updating the NIS passwd and group maps, refer to your NIS server
documentation.
Note: All of the entries (Windows names, usernames, domain names, global group names)
in the passwd and group maps must be entered in lowercase ASCII only.

"Using user account migration tools" on page 37 provides information about
migrating user information from one environment to another.
Once you have NIS configured, the Data Mover automatically checks NIS for user
and group names. By default, it checks for a username in the form
username.domain and a groupname in the form groupname.domain. If you
have added usernames and groupnames to NIS without a domain association, you
can set the cifs.resolver parameter so the Data Mover looks for the names
without appending the domain.
To change the default format of username and groupname so they can be
retrieved from NIS without a domain extension, use the following command syntax.
Action
To change the default format of username and groupname so they can be retrieved from NIS
without a domain extension, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To change the default format of username and groupname so they can be retrieved from NIS
without a domain extension, type:
$ server_param server_2 -facility cifs -modify resolver -value 1
Note: Parameter and facility names are case-sensitive.

Output
server_2 : done


Table 8 shows the cifs.resolver parameter and its values.


Table 8. cifs.resolver parameter

| Module | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | resolver | 0 (default) or 1 | Setting this parameter to 1 enables the retrieval of NIS entries without domain extensions for SID mapping. param cifs.resolver=1 first tries to retrieve the UID/GID from NIS or local user/group files without appending the domain extension. If this fails, the extension is then used. param cifs.resolver=0 always uses the domain extension to get the UID/GID. |

You can view and dynamically modify parameter values using the server_param
command or the Celerra Manager graphical user interface. This technical module
describes only the command-line procedures. The Celerra Manager Online Help
explains how to use the graphical user interface to modify parameter values. The
Celerra Network Server Parameters Guide describes all Celerra Network Server
parameters.
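
The lookup order in Table 8 decides which UID a Windows user receives when both a bare name and a name.domain entry exist. The following is an added example, not EMC code: it is a small model of that documented order, used to list which users would resolve to a different UID after cifs.resolver is changed from 0 to 1 and which users from different domains would then share a UID. The name table, the UIDs other than 530, and the domain nebula are constructed for illustration.

```python
# Constructed name -> UID table. "glenn" exists both as a bare UNIX account
# and as the Windows account glenn.galaxy used in this page's passwd example.
UID_TABLE = {
    "glenn": 1201,
    "glenn.galaxy": 530,
    "armstrong.galaxy": 531,
    "aldrin": 1202,
}

# Constructed Windows principals as (username, domain) pairs.
PRINCIPALS = [
    ("glenn", "galaxy"),
    ("glenn", "nebula"),
    ("armstrong", "galaxy"),
    ("aldrin", "galaxy"),
]


def normalize(name):
    """Entries are lowercase ASCII, with spaces written as =20."""
    return name.lower().replace(" ", "=20")


def lookup_uid(user, domain, table, resolver):
    """Model of the lookup order documented for cifs.resolver.

    resolver=0: always look up user.domain.
    resolver=1: try the bare user name first, then fall back to user.domain.
    Returns (uid, matched_key), or (None, None) when nothing matches.
    """
    user, domain = normalize(user), normalize(domain)
    qualified = f"{user}.{domain}"
    if resolver == 1 and user in table:
        return table[user], user
    if qualified in table:
        return table[qualified], qualified
    return None, None


def resolver_impact(principals, table):
    """List principals whose lookup result differs between resolver=0 and 1."""
    changed = []
    for user, domain in principals:
        before = lookup_uid(user, domain, table, 0)
        after = lookup_uid(user, domain, table, 1)
        if before != after:
            changed.append({
                "principal": f"{domain}\\{user}",
                "resolver0": before,
                "resolver1": after,
            })
    return changed


def shared_uids(principals, table, resolver):
    """Return {uid: [principals]} for UIDs that more than one principal gets."""
    by_uid = {}
    for user, domain in principals:
        uid, _ = lookup_uid(user, domain, table, resolver)
        if uid is not None:
            by_uid.setdefault(uid, []).append(f"{domain}\\{user}")
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    for change in resolver_impact(PRINCIPALS, UID_TABLE):
        print(change)
    print(shared_uids(PRINCIPALS, UID_TABLE, 1))
```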


Using user account migration tools


If you currently have a single protocol environment (either pure CIFS or pure NFS),
and you want to convert to a multiprotocol environment (supporting both Windows
and UNIX clients), you can use the following tools to migrate your user accounts
from one environment to the other.

- Celerra UNIX Attributes Migration Tool
- NTMigrate

Celerra UNIX Attributes Migration tool


Celerra UNIX Attributes Migration is a tool that enables you to migrate existing
UNIX users from the Celerra Network Server (local files) or NIS to the Active
Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active
Directory. However, you cannot add new users or groups, nor can you modify
existing UNIX UIDs/GIDs. To add new users or groups, or to modify existing UNIX
attributes, refer to "Using the Active Directory" on page 28 for more information on
using the Active Directory for user mapping.
Note: Using this tool extends the Active Directory schema. Once the schema is extended,
you cannot revert to the original Active Directory schema.

The Installing Celerra Management Applications technical module provides more
information on installing this tool. The Celerra UNIX Attributes Migration Tool online
help provides more information on using this tool.

NTMigrate
NTMigrate is a tool that migrates Windows users to an existing UNIX UID/GID
database (local passwd file or NIS). NTMigrate collects user information from the
Windows domain and merges it with UNIX password and group files.
NTMigrate is best suited for mapping large Windows domains into UNIX UIDs and
GIDs.
The Using NTMigrate with Celerra technical module provides more information.


Configuring the primary group mapping for file system objects

In a file system, every object (such as a file, directory, link, and shortcut) has an
associated owner and owner group (identified by a UID and GID). NFS uses the
UID and GID to control access to the file system object. Since a user can be a
member of many groups, the Celerra Network Server needs some way to
determine which group should be associated with a newly created file. A user's
primary group setting determines which GID gets assigned to the file system object.
Both NFS and CIFS have the concept of a primary group for a user. In NFS, the
primary group is required; however, the primary group is optional on Windows
platforms and defaults to the Domain Users group.
All file system objects (FSOs) on a Data Mover have an associated owner
(identified by a UID) and group (identified by a GID). The UID and GID associated
with an FSO are determined as follows:

- For NFS: When an FSO is created from a UNIX client, the FSO GID is taken from the GID supplied by the UNIX client (based on the creator's primary group).
- For CIFS: When an FSO is created from a Windows client, the GID can be determined in the following ways:
  - (Default) The file system object GID is taken from the GID associated with the creator's primary group.
  - The file system object GID is taken from a user's UNIX primary group as defined in the passwd file, NIS, or Active Directory.

Using user UNIX GIDs for file system objects


The cifs acl.useUnixGid parameter controls whether the Celerra Network
Server obtains an FSO's GID from a user's primary group or from the user's GID
stored in the passwd file, NIS, or Active Directory.
You can view and dynamically modify parameter values using the server_param
command or the Celerra Manager graphical user interface. This technical module
describes only the command-line procedures. The Celerra Manager Online Help
explains how to use the graphical user interface to modify parameter values. The
Celerra Network Server Parameters Guide describes all Celerra Network Server
parameters.

To set the GID mapping for file system objects created on a Windows client to the
Windows user's GID stored in the passwd file, NIS, or Active Directory, use the
following command syntax.

Action
To set the GID mapping for file system objects created on a Windows client to the Windows
user's GID, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To set the GID mapping for file system objects created on a Windows client to the Windows
user's GID, type:
$ server_param server_2 -facility cifs -modify acl.useUnixGid -value 1
Note: Parameter and facility names are case-sensitive.

Output
server_2 : done

Table 9 shows the cifs acl.useUnixGid parameter and its values.

Table 9 cifs acl.useUnixGid parameter

Module: cifs
Parameter: acl.useUnixGid
Value: 0 (default) or 1
Comment/Description: Sets the GID mapping for file system objects created on a
Windows client.
  param cifs acl.useUnixGid=0
    Assigns the GID of the Windows Primary Group to which the user belongs.
  param cifs acl.useUnixGid=1
    Assigns the Windows user's GID (as found in the GID field of the passwd
    file, NIS database entry, or Active Directory).
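
Because the GID on a new object controls NFS access, it helps to know which users' new files would change group before switching acl.useUnixGid from 0 to 1. The following script is an added example, not part of the original module or of any EMC tool: it compares each user's passwd GID with the GID mapped to that user's Windows primary group. The sample data is constructed, the "user GID" input format for Windows primary groups is a hypothetical one, and only the passwd source (not NIS or Active Directory) is covered.

```shell
#!/bin/sh
# Constructed sample data, not taken from a real system.
# passwd-format entries: name:password:UID:GID:gecos:home:shell
SAMPLE_PASSWD='alice:x:1001:200:Alice A:/home/alice:/bin/sh
bob:x:1002:300:Bob B:/home/bob:/bin/sh'

# Hypothetical input format: "user GID" pairs giving the GID mapped to each
# user's Windows primary group (the GID used when acl.useUnixGid=0).
SAMPLE_WINGROUP='alice 300
bob 300
dave 300'

# gid_change_report PASSWD_TEXT WINGROUP_TEXT
# Prints one line per user whose new-object GID would differ between
# acl.useUnixGid=0 and acl.useUnixGid=1, or who has no passwd entry to
# supply a UNIX GID at all.
gid_change_report() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--" { in_win = 1; next }
        !in_win {
            # passwd section: split on ":" so spaces in gecos are harmless
            if (split($0, f, ":") >= 4) unix_gid[f[1]] = f[4]
            next
        }
        NF >= 2 {
            if (!($1 in unix_gid))
                printf "%s NO_UNIX_GID windows_group_gid=%s\n", $1, $2
            else if (unix_gid[$1] != $2)
                printf "%s CHANGES gid %s -> %s\n", $1, $2, unix_gid[$1]
        }'
}

gid_change_report "$SAMPLE_PASSWD" "$SAMPLE_WINGROUP"
```

Users reported as CHANGES would create objects under a different group after the switch, so existing group-based NFS permissions on shared directories should be reviewed for them first.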

Determining the GIDs on copied file system objects


Typically, when a Windows user copies an FSO using a tool such as Windows
Explorer, the ownership of the new FSO is assigned to the user who did the
copying; in effect, the user takes ownership of the copied FSO.
Since the Celerra Network Server also maintains GIDs on FSOs, a GID must be
applied to the copied FSO. The cifs acl.takegroupship parameter
determines the source of the GID for the copied FSO.

You can view and dynamically modify parameter values using the server_param
command or the Celerra Manager graphical user interface. This technical module
describes only the command-line procedures. The Celerra Manager Online Help
explains how to use the graphical user interface to modify parameter values. The
Celerra Network Server Parameters Guide describes all Celerra Network Server
parameters.
To change the source of the GID for the copied FSO (that is, determine that the
primary group is derived from the source specified by the acl.useUnixGid
parameter), use the following command syntax.
Action
To determine that the primary group is derived from the source specified by the acl.useUnixGid
parameter, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>
Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter
Example:
To determine that the primary group is derived from the source specified by the acl.useUnixGid
parameter, type:
$ server_param server_2 -facility cifs -modify acl.takegroupship -value 1
Note: Parameter and facility names are case-sensitive.

Output
server_2 : done

Table 10 shows the cifs acl.takegroupship parameter and its values.

Table 10 cifs acl.takegroupship parameter

Module: cifs
Parameter: acl.takegroupship
Value: 0 (default) or 1
Comment/Description: When changing ownership of an FSO from Windows (if a new
primary group is not provided), this parameter determines if the new primary
group for an FSO is based on the acl.useUnixGid parameter.
  param cifs acl.takegroupship=0
    Disables this setting. The primary group is derived from the Windows
    Primary Group of the user who copied the FSO.
  param cifs acl.takegroupship=1
    Enables this setting. The primary group is derived from the source
    specified by the acl.useUnixGid parameter.

Troubleshooting user mapping


You can query the EMC WebSupport database for problem information, obtain
release notes, or report a Celerra technical problem to EMC on Powerlink, the EMC
secure extranet site. The Celerra Problem Resolution Roadmap technical module
contains additional information about using Powerlink and resolving problems.

Error messages
Table 11 lists Usermapper error messages and their descriptions. These error
messages are written to the Celerra Network Server's system log
(/nas/log/sys_log). The Celerra Network Server Error Messages Guide contains
additional information on error messages.
Table 11 Usermapper server log error messages

Message text: Cannot connect (to the server, primary, secondary, etc...)
Description: A connection or connections among the Usermapper services and/or
Data Movers are down.
Corrective action:
1. Check the connectivity between the primary Usermapper, the secondary
   Usermappers, and the Data Movers.
2. Use the server_log command to ensure that the correct IP addresses are
   listed using server_cifs.
3. If the IP addresses are incorrect, use server_cifs to provide the correct
   IP addresses for the primary and secondary Usermappers.

Message text: Internal error
Description: This could be any of the UNIX or database errors that are internal
to the Usermapper software. It is not specific to any request made by the Data
Movers.
Corrective action: Check the usrmapper.log for any description of the problem.
If the problem description is not clear or no problem is reported, contact EMC
Customer Service.

Message text: Invalid input
Description: The input received by Usermapper is invalid due to communication
problems between the Usermapper service and its client (Data Mover or secondary
Usermapper).
Corrective action: Contact EMC Customer Service.

Message text: No record for the domain
Description: Usermapper receives a request for a UID or a GID for assignment in
a domain, but the domain is not configured in the usrmap.cfg file. This error
message is only returned if you are using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include the domain.

Message text: Primary error
Description: There is an error at the primary Usermapper.
Corrective action: Check the error log at the primary Usermapper.

Message text: Primary down
Description: The primary Usermapper is unreachable. This error appears in the
error log on the secondary Usermapper.
Corrective action: Check the network connection between the primary and the
secondary Usermapper.

Message text: Request from the server is not supported
Description: Usermapper cannot process the request from the Data Mover.
Corrective action:
1. Check the usrmapper.log for the request type.
2. Use rpcinfo on a Solaris Usermapper host or pmap_dump on a Linux Usermapper
   to determine if program 536870919 Versions 1 and 3 of the UDP/TCP protocol
   are running.

Message text: RPC error
Description: This is a remote procedure call error, probably between the
primary Usermapper, the secondary Usermappers, and the Data Movers.
Corrective action:
1. Check the network connectivity between the primary and the secondary
   Usermappers.
2. Use the server_log command to ensure that the correct IP addresses are
   listed using server_cifs.
3. If the IP addresses are incorrect, use server_cifs to provide the correct
   IP addresses for the primary and secondary Usermappers.

Message text: System error
Description: A system error has occurred.
Corrective action: Check the usrmapper.log and the system log for the exact
error. If there are any environmental errors (file permissions, for example),
they can be fixed. If the problem description is not clear or if there is no
problem reported, contact EMC Customer Service.

Message text: There are no more gids that can be given out
Description: No more GIDs are available as specified in the GID ranges for this
domain in the usrmap.cfg file. This error message is only returned if you are
using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include more GIDs for the
domain.

Message text: There are no more uids that can be given out
Description: No more UIDs are available as specified in the UID ranges for this
domain in the usrmap.cfg file. This error message is only returned if you are
using a usrmap.cfg file.
Corrective action: Modify the usrmap.cfg file to include more UIDs for the
domain.

Message text: UID account request error
Description: Usermapper received a request for the account name domain (in
other words, a reverse lookup) for a UID. No UID, however, matched the account.
Most probably, Usermapper has not yet assigned the UID to any account.
Corrective action:
If Usermapper is not running on the Usermapper host, do the following:
1. Use rpcinfo on Solaris Usermapper host or pmap_dump on a Linux Usermapper
   to determine if program 536870919 Versions 1 and 3 of the UDP/TCP protocol
   are running.
2. Start the Usermapper service or daemon.
If the UID has not been assigned, do the following:
1. Check the usrmapper.log file to find which UID was sent to Usermapper.
2. Output the Usermapper database to see if this UID is in the database for
   at least one user.
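
The RPC registration check named in Table 11 can be scripted. The following is an added example, not part of the original module: it parses `rpcinfo -p` output and lists which version/transport registrations of program 536870919 are absent. The sample output and its port numbers are constructed, and the function name is hypothetical. It assumes the table's wording means versions 1 and 3 should each be registered on both UDP and TCP.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (program, version, protocol,
# port, service). Port numbers are made up for the illustration.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
 536870919    1   udp  14640
 536870919    1   tcp  14640
 536870919    3   udp  14640'

USERMAPPER_PROG=536870919   # RPC program number given in Table 11

# missing_usermapper_rpc RPCINFO_TEXT
# Prints each "version/proto" pair of the Usermapper program that is not
# registered, one per line. Prints nothing when all four are present.
missing_usermapper_rpc() {
    printf '%s\n' "$1" | awk -v prog="$USERMAPPER_PROG" '
        $1 == prog { seen[$2 "/" $3] = 1 }
        END {
            # Assumption: both versions are expected on both transports.
            n = split("1/udp 1/tcp 3/udp 3/tcp", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i]
        }'
}

report=$(missing_usermapper_rpc "$SAMPLE_RPCINFO")
if [ -n "$report" ]; then
    echo "Usermapper RPC registrations missing: $report"
else
    echo "Usermapper RPC program $USERMAPPER_PROG fully registered"
fi
```

On a live Solaris Usermapper host the function would be fed real output, for example `missing_usermapper_rpc "$(rpcinfo -p)"`.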

Known problems and limitations


Table 12 describes known problems that might occur when using Usermapper and
presents workarounds.
Table 12 Usermapper known problems and workarounds

Known problem: The primary Usermapper service must be enabled before secondary
services can be configured.
Symptom: When you issue the server_usermapper <movername> -enable primary=
command, you receive the following error:
  Error 4020: <movername>:failed to complete command
Workaround: Check the operational state of the primary service and enable it
using the server_usermapper <movername> -enable command.

Known problem: Internal Usermapper stops mapping new UIDs and GIDs once the
root file system of the Data Mover (where the Usermapper database is stored)
becomes 95% full. New users will be denied access to system objects.
Symptom: The following errors are entered repeatedly in the server log for any
additional mapping requests once the root file system reaches capacity:
  error: -20 for user uid request
  error: -20 for group gid request
Workaround: You should determine the size of the root file system required
based on the number of users in your Windows environment. Contact your EMC
Customer Support Representative for assistance in determining size
requirements.

Events and notifications


Table 13 lists the Usermapper events. The Configuring Celerra Events and
Notifications technical module provides a description of how to configure the
Celerra Network Server to record and display these events.
Table 13 USRMAP events

Facility name: USRMAP
Facility ID: 93
Facility description: Monitors Usermapper events

Event ID: (values not listed)
Event description:
- Usermapper OK
- Usermapper database created
- Usermapper service enabled
- Usermapper service stopped
- Usermapper database destroyed
- Usermapper available
- Usermapper unreachable
- Usermapper file system quota exceeded

Related information
For specific information related to the features and functionality described in this
technical module, refer to:

Celerra Network Server Command Reference Manual

Online Celerra man pages

Celerra Network Server Parameters Guide

Managing Celerra for the Windows Environment

Configuring CIFS on Celerra

Managing Celerra for a Multiprotocol Environment

Configuring External Usermapper for Celerra

Using NTMigrate with Celerra

Installing Celerra Management Applications

Using Windows Administrative Tools with Celerra

Configuring Celerra Naming Services

Celerra Network Server Error Messages Guide

Configuring Celerra Events and Notifications

The Celerra Network Server Documentation CD, supplied with your Celerra
Network Server and also available on Powerlink, provides general information on
other EMC Celerra publications.

Customer training programs


EMC customer training programs are designed to help you learn how EMC storage
products work together and integrate within your environment to maximize your
entire infrastructure investment. EMC customer training programs feature online
and hands-on training in state-of-the-art labs conveniently located throughout the
world. EMC customer training programs are developed and delivered by EMC
experts. For program information and registration, refer to Powerlink, our customer
and partner website.

About this technical module


As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC
from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be
supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your
product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support
Representative for a hardware upgrade or software update.

Comments and suggestions about documentation


Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to
celerradoc_comments@EMC.com with your opinions of this document.

Copyright 1998-2006 EMC Corporation. All rights reserved.


EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
