
How CIFS users obtain UNIX credentials

A UNIX credential consists of a UNIX-style user ID (UID) and group IDs (GIDs).

Data ONTAP uses the UNIX credential for the following purposes:

When a CIFS user tries to connect to the storage system, Data ONTAP tries to determine the UID, the primary GID, and all secondary group GIDs of the CIFS user. If Data ONTAP cannot determine the UID of the CIFS user and a default UNIX user is not defined, the user is denied access.

When retrieving UNIX user and group information, Data ONTAP uses the /etc/nsswitch.conf file to determine which name services to use, and in what order to use them. Data ONTAP supports files (passwd), NIS, and LDAP name services for UNIX user and group databases. It obtains UNIX credentials by looking up the user and group information for a user in the UNIX password and group databases, which can be the /etc/passwd and /etc/group files, NIS maps, or an LDAP directory store. The configured databases contain account information for all users that might access the storage system.

After Data ONTAP determines that the UNIX user name is a valid user name, the UID and GIDs (both primary and secondary) are retrieved from the directory store and are included in the CIFS credential.

Note: If you are using an NIS map, ensure that its entries do not exceed 1,024 characters per line.

For Data ONTAP to obtain the UID and GIDs for a CIFS user, it must first determine the user’s UNIX-style name. It does this through user mapping. Data ONTAP does not require that a user’s Windows name be identical to the UNIX name. By entering information in the /etc/usermap.cfg file, you can specify how each Windows name maps to a UNIX name. If you accept the default mapping, you do not need to enter this information. By default, Data ONTAP uses the Windows name as the UNIX name when it looks up the UID. (The storage system converts uppercase characters in the Windows name to lowercase before the lookup.)

If the user names in the UNIX password database are identical to the Windows names, you need not provide the mapping information in the /etc/usermap.cfg file. If the user name is not found in the UNIX password database and the wafl.default_unix_user option has been specified, the default login name specified for that option is used. See the options(1) man page for more information about setting the wafl.default_unix_user option.

Data ONTAP obtains a user’s GIDs in the following ways:

You can see the UNIX credential of a connected CIFS user when you display CIFS session information.
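The lookup sequence described above can be modelled offline to audit which Windows accounts would resolve to their own UNIX identity, fall back to the shared default UNIX user, or be denied. This is an added example, not Data ONTAP code. It assumes passwd(5) and group(5) file formats, models only the files name service, strips the domain prefix from the Windows name, and uses a hypothetical `USERMAP` dictionary in place of /etc/usermap.cfg; all account data is constructed.

```python
# Added example: models the lookup order described on this page (files service only).
# All accounts, UIDs and GIDs below are constructed sample data.
PASSWD = """\
root:x:0:0::/:
pcuser:x:65534:65534::/:
jsmith:x:1001:100::/home/jsmith:
"""
GROUP = """\
users:x:100:
eng:x:200:jsmith,akumar
backup:x:300:jsmith
"""
# Hypothetical stand-in for explicit entries in /etc/usermap.cfg (assumption).
USERMAP = {"corp\\john.smith": "jsmith"}


def records(text):
    """Split passwd(5)/group(5)-style text into colon-separated field lists."""
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]


def unix_credential(windows_name, default_unix_user=None):
    """Return the UNIX credential for a Windows name, or None if access is denied."""
    users = {f[0]: (int(f[2]), int(f[3])) for f in records(PASSWD)}
    groups = [(int(f[2]), set(f[3].split(","))) for f in records(GROUP)]
    key = windows_name.lower()  # uppercase is converted to lowercase before lookup
    # Explicit mapping wins; otherwise the Windows name itself is the UNIX name.
    # Dropping the DOMAIN\ prefix is an assumption of this model.
    unix_name = USERMAP.get(key, key.rsplit("\\", 1)[-1])
    via = "lookup"
    if unix_name not in users:
        # No UID found: use the default UNIX user if one is defined, else deny.
        if default_unix_user not in users:
            return None
        unix_name, via = default_unix_user, "default"
    uid, gid = users[unix_name]
    # Secondary GIDs: every group that lists the resolved UNIX name as a member.
    secondary = sorted(g for g, members in groups if unix_name in members and g != gid)
    return {"user": unix_name, "uid": uid, "gid": gid, "gids": secondary, "via": via}


if __name__ == "__main__":
    for name in ("CORP\\JSmith", "CORP\\John.Smith", "CORP\\akumar"):
        print(name, "->", unix_credential(name, default_unix_user="pcuser"))
```

Accounts reported with `via` set to `default` all share one UID, so file ownership and access decisions cannot distinguish them; the constructed `akumar` case also shows a group membership that never takes effect because the user has no password database entry.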