Group mapping improves the accuracy of permissions that appear when NFSv4.1 clients display the ACL of a file or directory that has NTFS file permissions. If an Infinite Volume supports both NFSv4.1 ACLs and SMB, you should configure group mapping, which is similar to user mapping.
Groups are often used in ACLs to simplify security management. However, groups in multiple Windows domains cannot be easily translated to the groups of a single NFSv4.1 domain.
Mapping groups from Windows to UNIX ensures that group names appear when NFSv4.1 ACLs are displayed on NFSv4.1 clients.
If a Windows group is not mapped to a UNIX group and a default UNIX group is not configured, the Windows group is displayed to an NFSv4.1 client as nobody (specifically nobody@v4-id-domain).
If an Infinite Volume supports both SMB and NFSv4.1 ACLs, you should perform the following configurations:
Group mapping and user mapping share the following similarities:
For information about conversion rules in user and group mappings, see either the Clustered Data ONTAP File Access Management Guide for NFS or the Clustered Data ONTAP File Access Management Guide for CIFS.
Group mapping is unique in the following ways:
During access checks, a user's group membership is determined in the same way on all SVMs.
UNIX groups do not have to be mapped to Windows groups.