Data ONTAP uses name mapping to map CIFS identities to UNIX identities, Kerberos identities to UNIX identities, and UNIX identities to CIFS identities. It needs this information to obtain user credentials and provide proper file access regardless of whether the user connects from an NFS client or a CIFS client.
Name mapping is usually required due to the multiprotocol nature of Data ONTAP, which supports CIFS and NFS client access to the same data. Data stored on Storage Virtual Machines (SVMs) with FlexVol volumes uses either UNIX- or NTFS-style permissions. To authorize a client, the credentials must match the security style. Consider the following scenarios:
- If a CIFS client wants to access data with UNIX-style permissions, Data ONTAP cannot directly authorize the client because it cannot use CIFS credentials with UNIX-style permissions. To properly authorize the client request, Data ONTAP must first map the CIFS credentials to the appropriate UNIX credentials so that it can then compare the UNIX credentials to the UNIX-style permissions.
- If an NFS client wants to access data with NTFS-style permissions, Data ONTAP cannot directly authorize the client because it cannot use UNIX credentials with NTFS-style permissions. To properly authorize the client request, Data ONTAP must first map the UNIX credentials to the appropriate NTFS credentials so that it can then compare the NTFS credentials to the NTFS-style permissions.
There are two exceptions where you do not have to use name mapping:
- NFS clients access data with UNIX-style permissions. In this scenario, name mapping is not required because Data ONTAP can use the UNIX credentials of the NFS clients to compare them directly to the UNIX-style permissions.
- A default user is configured. In this scenario, name mapping is not required because, instead of mapping every individual client credential, all client credentials are mapped to the same default user.
Note that you can use name mapping only for users, not for groups. It is not possible to map CIFS users to a group ID (GID), or UNIX users to a group in the Active Directory (AD). Similarly, it is not possible to map a GID to a group or a user in AD, or an AD group to a UNIX UID or GID.
However, you can map a group of individual users to a specific user. For example, you can map all AD users that start or end with the word SALES to a specific UNIX user and to the user’s UID. As a result, you can rename certain users in AD and use regular expressions to effectively emulate group actions. This type of mapping also works in reverse.
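The following is an added example that is not part of the original documentation and not NetApp's code. It models the behaviour described above: deciding from the client protocol and the security style whether a win-unix or unix-win mapping is needed, evaluating an ordered list of regular-expression mapping rules with first match winning, falling back to a configured default user when nothing matches, and the reverse (unix-win) direction. The domain name EXAMPLE, the rule set, the user names and the case-insensitive full-match semantics are assumptions made for the example, not documented Data ONTAP behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional


def required_mapping(protocol: str, security_style: str) -> Optional[str]:
    """Return which direction a credential must be mapped before authorization.

    None means the credentials already match the security style of the data
    (CIFS client on NTFS-style data, or NFS client on UNIX-style data).
    """
    protocol, security_style = protocol.lower(), security_style.lower()
    if protocol == "cifs" and security_style == "unix":
        return "win-unix"
    if protocol == "nfs" and security_style == "ntfs":
        return "unix-win"
    return None


@dataclass(frozen=True)
class Rule:
    position: int      # rules are tried in ascending position order (assumption)
    pattern: str       # regular expression matched against the whole source name
    replacement: str   # target name; \1, \2 ... refer to capture groups in pattern


def map_name(name: str, rules: list[Rule],
             default_user: Optional[str] = None) -> Optional[str]:
    """Map one user name through the rules; first matching rule wins.

    If no rule matches, the configured default user (if any) is returned,
    mirroring the "default user" exception where every unmatched client
    credential is mapped to the same identity.
    """
    for rule in sorted(rules, key=lambda r: r.position):
        # Case-insensitive full match is a modelling choice for this example.
        match = re.fullmatch(rule.pattern, name, flags=re.IGNORECASE)
        if match:
            return match.expand(rule.replacement)
    return default_user


# Constructed win-unix rules for a hypothetical AD domain called EXAMPLE:
# every AD user whose name starts or ends with SALES becomes the single UNIX
# user "sales"; any other EXAMPLE user keeps its bare user name.
WIN_UNIX_RULES = [
    Rule(1, r"EXAMPLE\\SALES.*", "sales"),
    Rule(2, r"EXAMPLE\\.*SALES", "sales"),
    Rule(3, r"EXAMPLE\\(.+)", r"\1"),
]

# Constructed unix-win rule: a UNIX user maps to the same-named EXAMPLE user.
UNIX_WIN_RULES = [
    Rule(1, r"(.+)", r"EXAMPLE\\\1"),
]


def credential_for_authorization(protocol: str, security_style: str, name: str,
                                 default_user: Optional[str] = None) -> Optional[str]:
    """Return the identity Data ONTAP would compare against the permissions.

    When no mapping is needed the client's own credential is used as-is;
    otherwise the rule set for the required direction is applied.
    """
    direction = required_mapping(protocol, security_style)
    if direction is None:
        return name
    rules = WIN_UNIX_RULES if direction == "win-unix" else UNIX_WIN_RULES
    return map_name(name, rules, default_user)


if __name__ == "__main__":
    for proto, style, user in [("cifs", "unix", "EXAMPLE\\SalesJoe"),
                               ("cifs", "unix", "EXAMPLE\\alice"),
                               ("cifs", "unix", "OTHER\\bob"),
                               ("nfs", "ntfs", "alice"),
                               ("nfs", "unix", "alice")]:
        print(proto, style, user, "->",
              credential_for_authorization(proto, style, user, default_user="pcuser"))
```

Rule order matters: because the first match wins, the two SALES rules must sit before the catch-all `EXAMPLE\\(.+)` rule, otherwise every EXAMPLE user would simply keep its own name and the group-like mapping would never apply.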