Version 5.3
August 2004
Contents
Introduction
Terminology
Restrictions
Cautions
Internal Usermapper Concepts
System Requirements
EMC NAS Interoperability Matrix
Planning Considerations
User Interface Choices
Using Celerra Manager to Configure Usermapper
Internal Usermapper Roadmap
Using the Default Single-Celerra Usermapper Configuration
Configuring a Multi-Celerra Usermapper Environment
Task 1: Verify the Status of the Primary Usermapper Service
Task 2: Disable the Primary Usermapper Service
Task 3: Configure the Secondary Usermapper Service
Task 4: Verify the Status of the Secondary Usermapper Service
Managing Usermapper
Displaying Usermapper Status
Importing and Exporting Database Information
Modifying the Usermapper Database
Backing Up Usermapper
Modifying the usrmap.cfg File
Command Syntax Summary
Changing Usermapper Default Configuration Settings
What the Parameters Modify
Parameter Files and Formats
Troubleshooting Usermapper
Error Messages
Known Problems and Limitations
Events and Notifications
Related Information
Want to Know More?
Appendix A: Migrating Windows NT Users to Windows 2000 Domains in Native Mode
Appendix B: Usermapper Events
Index
Introduction
Internal Usermapper is a Celerra Network Server service that automatically maps each Windows user and group to a UNIX-style user ID (UID) and group ID (GID). Because the Celerra Network Server uses UIDs and GIDs to identify users, Windows users must be assigned UIDs and GIDs so that the Celerra Network Server can determine access to system objects, such as files, as well as enforce CIFS quotas. This technical module is part of the Celerra Network Server information set and is intended for those users that configure and manage Internal Usermapper.
Note: Internal Usermapper replaces External Usermapper for new installations. New Celerra Network Server installations will use Internal Usermapper by default. External Usermapper Version 3.1 and lower versions will only be maintained for existing customers until they can transition to Internal Usermapper.
Note: All instances of the term Usermapper in this document refer to Internal Usermapper unless otherwise noted.
Terminology
This section defines terms that are important to understanding Usermapper capabilities on the Celerra Network Server. Refer to the Celerra Network Server User Information Glossary for a complete list of Celerra terminology.
authentication: The process for verifying the identity of a user who is trying to
system that retrieves files from a storage device and makes the files available to a network client.
GID (group identifier): A number assigned to a particular group of users.
NIS (Network Information System): A distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.
primary Usermapper service: The instance of the Usermapper service that assigns UIDs and GIDs to Windows users and groups.
quota: A limit on the amount of allocated disk space as well as the number of files (inodes) that a user or group of users can create in a production file system. Quotas control the amount of disk space and the number of files that a user or group of users can consume.
secondary Usermapper service: In a multi-Celerra environment, an instance of the Usermapper service that forwards requests for user mappings to the primary Usermapper service and returns those mappings to the Data Movers in addition to storing the mappings it processes.
SID (security identifier): A unique identifier that defines a user or group in a Microsoft Windows environment. Each user or group has its own SID.
UID (user identifier): A number that corresponds to a particular user.
user file: Refers to the passwd file that resides on each Data Mover.
Usermapper service: Software that assigns UIDs and GIDs to Windows users and groups asking the Celerra Network Server for access to system objects.
Restrictions
Before you configure and run Usermapper, note these restrictions:
- You should have only one primary Usermapper in a Celerra Network Server environment.
- In a single Celerra, you should have only one instance of the Usermapper service, either primary or secondary. All the other Data Movers in that Celerra are clients of the primary or secondary service.
- In a multiple Celerra environment, the primary Usermapper service must be enabled before you configure any secondary Usermapper services.
- By default, Usermapper runs on the Data Mover in slot 2 (server_2). This is the preferred location from which to run the primary or secondary Usermapper service.
- You cannot configure a primary or secondary Usermapper service on a Virtual Data Mover (VDM).
- Usermapper should only be used in Windows-only environments. In a mixed UNIX and Windows environment, you should use manual mapping methods such as editing the local user and group files.
- You should not run Internal Usermapper and External Usermapper simultaneously in the same Celerra environment.
Cautions
This section lists cautions for Usermapper.
CAUTION
Do not modify the Usermapper database files. Windows users may have problems accessing files if you have modified the Usermapper database files.
Internal Usermapper is a Celerra service that automatically generates and maintains a database that maps SIDs to UIDs and GIDs for users or groups accessing file systems from a Windows domain.
When a Data Mover receives a file access request from a new user or group in a Windows domain, the file access request includes the SID of the new user or group making the request. The following process takes place:
1. The Data Mover first checks its local user and group files for an existing SID to UID/GID mapping.
2. If none is found, and the Network Information Service (NIS) is configured, the Domain Controller is queried for the user or group name associated with the SID. NIS is queried for a UID/GID to associate with the name.
3. If none is found, and making queries to the Active Directory is configured, the Data Mover queries the Active Directory for a SID to UID/GID mapping.
Note: By default, the Active Directory is not queried for user mappings. This behavior can be changed by modifying the cifs.useADMap parameter. Contact your EMC Customer Support Representative for assistance.
4. If none is found, the Data Mover then determines if it has a mapping for the SID in its local Usermapper cache. If there is no such mapping, the Data Mover sends a mapping request to the primary Usermapper service.
5. The primary Usermapper service checks its database to determine if this user or group has already been assigned a UID/GID. If not, the primary Usermapper generates a new UID or GID and adds the new user or group to its database along with the mapping. It then returns the mapping to the Data Mover and the Data Mover permanently caches the mapping.
6. The user is then authenticated and permissions are checked to determine whether the user can access the system object.
7. If the primary Usermapper service is unavailable or if for some reason it cannot map the user or group, an error is logged in the server log and the user is not able to access system objects.
One instance of the Usermapper service serves as the primary Usermapper service, meaning it assigns UIDs and GIDs to Windows users and groups. By default, this instance is configured on the Data Mover in slot 2 (server_2). The other Data Movers in a single Celerra environment are configured as clients of the primary Usermapper service, meaning they send mapping requests to the primary service when they do not find a mapping for a user or group in their local cache. By default, all the client Data Movers automatically issue a broadcast over the Celerra's internal interfaces to discover the location of the primary Usermapper service.
In a multi-Celerra environment, other instances of the Usermapper service can serve as secondary Usermapper services. Like a primary Usermapper service, a secondary Usermapper service checks its database to determine if a user or group has already been assigned a UID/GID. If not, it forwards the mapping request to the primary Usermapper service. The primary Usermapper service checks its database and, if necessary, generates a new UID or GID, returning the mapping to the secondary Usermapper service. The secondary Usermapper service then adds the new user or group to its database along with the mapping and returns the mapping to the Data Mover.
Secondary Usermapper services provide high availability by allowing mappings to be collected and stored on each Celerra in a multi-Celerra environment. If the secondary Usermapper service is unavailable, new users are not able to access files and existing users are only able to access files if the user is defined on the Data Mover.
System Requirements
This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using Usermapper as described in this technical module.
Table 1 System Requirements for Usermapper
Celerra Network Server Version 5.3.
No specific hardware requirements.
No specific network requirements.
Verify that there is sufficient space available in the root file system. Contact your EMC Customer Support Representative for assistance with determining size requirements.
Planning Considerations
Before you begin using Internal Usermapper, you should consider the following situations:
- Usermapper stops mapping new UIDs and GIDs once the root file system of the Data Mover on which the Usermapper database is stored becomes 95% full and new users will not be allowed access to system objects. The size of the root file system that will be required is based on the number of users in your Windows environment. Contact your EMC Customer Support Representative for assistance with determining size requirements.
- If you are replicating a Windows environment that uses Usermapper or if you are using SRDF, special Usermapper restrictions may apply. Contact your EMC Customer Support Representative for more information.
- Usermapper automatically assigns new UIDs and GIDs based on the next available value. Consequently it does not need to use a Usermapper configuration file to define UID and GID ranges. However, it is possible to import an existing usrmap.cfg and use this file to define UID and GID ranges. This is referred to as the manual mapping method. If you do use the manual mapping method, you must manage UID and GID ranges for each domain as in External Usermapper, by modifying the usrmap.cfg file. Refer to Modifying the usrmap.cfg File on page 21 for more information.
Note: If there is no special reason to use particular UID and GID ranges for your environment's domains, EMC encourages you to use the automatic mapping method and let Internal Usermapper automatically assign new UIDs and GIDs based on the next available values.
For more information about Celerra Manager, refer to Getting Started with Celerra Management in the documentation kit. For instructions on installing Celerra Monitor, refer to the Installing Celerra Management Applications technical module on the Celerra Network Server User Information CD. For a description of each application's capabilities, refer to the Celerra Network Server Concepts and the application's online help systems on the user information CD.
Using the Default Single-Celerra Usermapper Configuration
Configuring a Multi-Celerra Usermapper Environment
Managing Usermapper
Using the Default Single-Celerra Usermapper Configuration
To verify the Usermapper configuration and display its current status, refer to Displaying Usermapper Status on page 14. If the primary Usermapper service is not automatically enabled, refer to Troubleshooting Usermapper on page 32. Refer to Managing Usermapper on page 14 for information on managing your Usermapper environment.
Configuring a Multi-Celerra Usermapper Environment
Note: If you have a Celerra Network Server environment in which there are multiple Celerra Network Servers that do not share the same Windows domain, each domain should be configured with its own primary Usermapper service.
Table 2 Configuring a Multi-Celerra Usermapper Environment Tasks

Task 1.
Action: On the first Celerra, verify that the primary Usermapper service is enabled.
Procedure: Verify the Status of the Primary Usermapper Service on page 12

Task 2.
Action: On the second Celerra, disable the default primary Usermapper service.
Procedure: Disable the Primary Usermapper Service on page 12

Task 3.
Action: On the second Celerra, configure a secondary Usermapper service.
Procedure: Configure the Secondary Usermapper Service on page 13

Task 4.
Action: On the second Celerra, verify that the secondary Usermapper service is enabled.
Procedure: Verify the Status of the Secondary Usermapper Service on page 13
Note: In the following description, the Celerra Network Server that supports the primary Usermapper service is referred to as Celerra 1 and the Celerra Network Server that runs the secondary Usermapper service is referred to as Celerra 2.
Output
server_2 : Usrmapper service: Enabled
Service Class: Primary
Output
server_2 : done
Note: No user mapping requests should be sent to the primary Usermapper service on Celerra 2 before you have reconfigured it. Consequently, you should not configure CIFS on the Celerra 2 Data Movers until the Usermapper service is reconfigured as a secondary service.
Output
server_2 : done
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1
Managing Usermapper
This section describes the tasks you can use to manage Usermapper.
Action: Display Usermapper status.
Procedure: Displaying Usermapper Status on this page

Action: Import and export user and group information.
Procedure: Importing and Exporting Database Information on page 17

Procedure: Modifying the Usermapper Database on page 20
Procedure: Backing Up Usermapper on page 20
Procedure: Modifying the usrmap.cfg File on page 21
- Whether the Usermapper is configured as a primary or secondary service.
- The IP address of the primary Usermapper service used by the secondary.
- The operational status of the service.
Action
To display the status of the Usermapper service, use this command syntax:
$ server_usermapper <movername>
Where:
<movername> = name of the specified Data Mover
Example: To display the status of the Usermapper service on server_2, type:
$ server_usermapper server_2
Output
server_2 : Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.21.1
Notes
Usermapper has three operational states:
- Uninitialized: When Usermapper is not available on the Data Mover
- Initialized: When Usermapper has been created on the Data Mover but disabled for some reason
- Enabled: When Usermapper is running
You should have only one instance of the Usermapper service, either primary or secondary, in a single Celerra. All the other Data Movers in that environment are clients of the primary or secondary service.
Action
To display the Usermapper service used by a Data Mover, use this command syntax:
$ server_cifs <movername>
Where:
<movername> = name of the specified Data Mover
Example: To display the Usermapper service used by server_3, type:
$ server_cifs server_3
Output
server_3 :
96 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0]=[192.168.1.2] state:active (auto discovered)
Usermapper[1]=[192.168.2.2] state:active (auto discovered)
Default WINS servers = 192.168.4.230
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
Notes
This example shows that server_3 is using the Usermapper service located on server_2 at internal IP addresses 192.168.1.2 and 192.168.2.2, the service is available, and the service was located using the auto discovery broadcast.
Example of a user file entry in standard UNIX format (Format 1):
rob.hilder.dir:*:26831:903:rob.hilder.dir:/usr/rob.hilder.dir:/bin/sh
Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in standard UNIX format (Format 1):
people.mass.subscribers.db.dir:*:58362:people.mass.subscribers.db.dir:
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
To import user information into the Usermapper database, use the following command syntax.
Action
To import user information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the user file to be imported
Example: To import user information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -user /nas/cifs/usrmapperV3/linux/usrmap.passwd
Output
server_2 : done
To import group information into the Usermapper database, use the following command syntax.
Action
To import group information into the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Import -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the user file to be imported
Example: To import group information into the Usermapper database on server_2, type:
$ server_usermapper server_2 -Import -group /nas/cifs/usrmapperV3/linux/usrmap.group
Output
server_2 : done
Example of a user file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-3323d:*:26831:903:user rob.hilder from domain dir:/usr/S-1-5-15-139d2e78-56b177fd-5475b975-3323d:/bin/sh
Example of a group file entry in SID-based format (Format 3):
S-1-5-15-139d2e78-56b177fd-5475b975-2c3d6:*:58362:people.mass.subscribers.db.dir:
To export user information from the Usermapper database, use the following command syntax.
Action
To export user information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -user <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example: To export user information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
Output
server_2 : done
To export group information from the Usermapper database, use the following command syntax.
Action
To export group information from the Usermapper database, use this command syntax:
$ server_usermapper <movername> -Export -group <pathname>
Where:
<movername> = name of the specified Data Mover
<pathname> = name and location of the file to which information is to be exported
Example: To export group information from the Usermapper database on server_2, type:
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
Output
server_2 : done
Backing Up Usermapper
Use the following procedure to back up your Internal Usermapper configuration.
1. As root, dump the password and group files to a specified directory, by typing:
$ server_usermapper server_2 -Export -user /home/nasadmin/backup.passwd
$ server_usermapper server_2 -Export -group /home/nasadmin/backup.group
2. Make a backup copy of the current usrmap.cfg file (if one is in use), by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.cfg /home/nasadmin/usrmap.cfg
3. Also make a backup copy of the usrmap.settings file, by typing:
$ cp /nas/rootfs/slot_2/.etc/usrmapper/usrmap.settings /home/nasadmin/usrmap.settings
CAUTION
If you must modify the Usermapper configuration file, do so with extreme caution and back up the existing Usermapper configuration before you begin. A misconfigured edit of the configuration file can corrupt the Usermapper database, a problem that can be corrected by restoring the database from the backup copy. For a description of the backup procedure, refer to Backing Up Usermapper on page 20.
Table 3

Item: domain_name[,FQDN]
Meaning: Windows NT domain name or Windows NT domain name and the fully qualified domain name (FQDN) in the case of a Windows 2000 domain. Note: When there are Windows 2000 clients in the domain, you must append the FQDN to the right of the Windows NT domain name and separate the Windows NT domain name and the FQDN by a comma.

Item: GID_for_domain
Meaning: GID for the domain to be configured.

Item: start_UID_range
Meaning: First UID to be assigned from the domain.

Item: end_UID_range
Meaning: Last UID to be assigned from the domain.

Item: [,start_of_UID_range:end_UID_range],...
Meaning: Optional additional UID ranges separated by a comma between ranges. Note: The ,... denotes one or more occurrences.

Item: start_GID_range
Meaning: First GID to be assigned from the domain.

Item: end_GID_range
Meaning: Last GID to be assigned from the domain.

Meaning: Optional additional UID ranges separated by a comma between ranges. Note: The ,... denotes one or more occurrences.
- Entries are not case-sensitive.
- Blank lines are allowed.
- Comment lines must begin with the # symbol.
- A return is not required at the end of the last line.
Note: The usrmap.cfg file must always include a _history_sid_range_ record. There is only one _history_sid_range_ record regardless of how many domains exist and it must be the last entry in usrmap.cfg. It uses the following syntax:
_history_sid_range_:GID_for_domain:start_UID_range:end_UID_range:start_GID_range:end_GID_range
Refer to Appendix A: Migrating Windows NT Users to Windows 2000 Domains in Native Mode on page 35 for more information on the SID history record.
Note: The maximum total number of GIDs is 65,534 per file system. Individual GID values may be greater than this number. The largest supported GID value is 2^31-1 (about 2 billion).
- Do not reuse GID and UID ranges. If you remove a domain entry in the Usermapper configuration file, you cannot reuse its GID/UID ranges. The Usermapper database files do not recognize the new domain with the GIDs and the UIDs.
- Do not change the domain name in the domain record. If you want to change a domain name, add a new domain record to the configuration file with new GID/UID ranges.
- Do not move previously designated GID and UID ranges to another domain.
The following example illustrates the format of entries in the usrmap.cfg file.
cifs:2000:1000:1999,2001:3999:4000:4099,5001:5025
cifsa:6000:5050:5980:6001:6099
cifsb:7000:6200:6899:7001:7299
In this example:
Users from the cifs domain are assigned UIDs from 1000 to 1999 and 2001 to 3999. Groups from the cifs domain are assigned GIDs from 4000 to 4099 and 5001 to 5025, with a domain GID of 2000.
Note: You can specify multiple UID and GID ranges by placing a comma between start_UID_range:end_UID_range and start_GID_range:end_GID_range pairs. Ensure that you do not add UID or GID ranges previously specified by other domain records.
Two more domains, cifsa and cifsb, with a smaller number of users have been added to the Usermapper configuration file. The UID and GID ranges do not overlap. The ranges, as specified, allow for growth and additional UIDs and GIDs can be added from sequential numbers, as yet not specified. In other words, you can add GIDs 5026 through 5999 should later growth require more GIDs.
1. Back up the usrmap.cfg file by copying it to another directory.
2. Log in to the Control Station as root.
3. On the Control Station, open the active Usermapper configuration file with a text editor.
4. With the configuration file open in the text editor, add an additional GID and UID range, subject to these conditions:
- The ranges cannot overlap any other ranges in the configuration file.
- Set sufficient GID/UID ranges to cover predicted growth.
Use this format:
start_UID_range:end_UID_range,start_UID_range:end_UID_range:start_GID_range:end_GID_range,start_GID_range:end_GID_range
For example:
Original domain record: ABCD:2000:1000:1999:4000:4099
Updated domain record: ABCD:2000:1000:1999,2001:3999:4000:4099,5001:5099
5.
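A pre-flight check for an edited usrmap.cfg, covering the format rules, the range guidelines and the editing procedure above. This is an added example, not EMC code: the function names are hypothetical, the _history_sid_range_ values and the EDITED file are constructed, and UID ranges are compared only with UID ranges and GID ranges only with GID ranges, which is an assumption.

```python
import re

MAX_ID = 2**31 - 1          # largest supported value stated on the page
HISTORY = "_history_sid_range_"
# domain[,FQDN] : domain GID : UID ranges : GID ranges,
# each range list written as start:end[,start:end]...
RECORD = re.compile(
    r"^([^:]+):(\d+):(\d+:\d+(?:,\d+:\d+)*):(\d+:\d+(?:,\d+:\d+)*)$")

# The page's three domain records plus a history record with constructed values.
BACKUP = """\
# usrmap.cfg before the edit
cifs:2000:1000:1999,2001:3999:4000:4099,5001:5025
cifsa:6000:5050:5980:6001:6099
cifsb:7000:6200:6899:7001:7299

_history_sid_range_:9000:9100:9199:9200:9299
"""
# Constructed edit: cifsa is gone, its UIDs go to a new domain cifsc and
# the second cifs GID range now runs into cifsa's old GIDs.
EDITED = """\
cifs:2000:1000:1999,2001:3999:4000:4099,5001:6050
cifsb:7000:6200:6899:7001:7299
cifsc:8000:5050:5980:8001:8099
_history_sid_range_:9000:9100:9199:9200:9299
"""

def parse_cfg(text):
    """Return (records, problems); blank lines and # comments are skipped."""
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD.match(line)
        if m is None:
            problems.append(f"line {lineno}: malformed record")
            continue
        uid, gid = ([tuple(map(int, pair.split(":"))) for pair in m.group(i).split(",")]
                    for i in (3, 4))
        # Entries are not case-sensitive, so domain names are compared lowercased.
        records.append({"domain": m.group(1).lower(), "uid": uid, "gid": gid})
    return records, problems

def overlaps(spans):
    """Yield pairs of (lo, hi, domain) spans that share at least one ID."""
    widest = None
    for span in sorted(spans):
        if widest is not None and span[0] <= widest[1]:
            yield widest, span
        if widest is None or span[1] > widest[1]:
            widest = span

def validate(text):
    """Check one file against the rules the page gives for usrmap.cfg."""
    records, problems = parse_cfg(text)
    names = [r["domain"] for r in records]
    if names.count(HISTORY) != 1:
        problems.append(f"expected exactly one {HISTORY} record")
    elif names[-1] != HISTORY:
        problems.append(f"{HISTORY} must be the last entry")
    for name in sorted({n for n in names if n != HISTORY and names.count(n) > 1}):
        problems.append(f"domain {name} has more than one record")
    for kind in ("uid", "gid"):
        spans = [(lo, hi, r["domain"]) for r in records for lo, hi in r[kind]]
        for lo, hi, dom in spans:
            if lo > hi or hi > MAX_ID:
                problems.append(f"{dom}: bad {kind.upper()} range {lo}:{hi}")
        for a, b in overlaps(spans):
            problems.append(f"{kind.upper()} {a[0]}:{a[1]} ({a[2]}) "
                            f"overlaps {b[0]}:{b[1]} ({b[2]})")
    return problems

def moved_ranges(backup_text, edited_text):
    """Ranges one domain held in the backup that another domain claims now."""
    old, new = parse_cfg(backup_text)[0], parse_cfg(edited_text)[0]
    found = []
    for kind in ("uid", "gid"):
        for o in old:
            for n in new:
                if n["domain"] == o["domain"]:
                    continue
                for olo, ohi in o[kind]:
                    for nlo, nhi in n[kind]:
                        if nlo <= ohi and olo <= nhi:
                            found.append(f"{kind.upper()} {olo}:{ohi} of {o['domain']} "
                                         f"reused by {n['domain']} as {nlo}:{nhi}")
    return found

if __name__ == "__main__":
    print(validate(EDITED))             # the edited file is consistent on its own
    for finding in moved_ranges(BACKUP, EDITED):
        print(finding)
```

The edited file passes the single-file checks, and only the comparison with the backup shows that cifsa's old UID and GID ranges were handed to other domains.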
Command
server_usermapper { <movername> | ALL }
Description
Displays the status of Internal Usermapper services running on the Data Mover, including:
- Whether the Usermapper is configured as a primary or secondary service.
- The IP address of the primary Usermapper service used by the secondary.
- The operational status of the service.
The following is an example of the status display:
server_2:Usrmapper service: Enabled
Service Class: Secondary
Primary = 192.168.1.5
Option
-disable
Description
Disables the Usermapper service on the specified Data Mover.
Note: Usermapper must be disabled before you make any configuration changes including:
- Changing from a primary to a secondary service
- Importing a Usermapper database using the -force option.
- Issuing the -remove -all command.
Option
-enable [primary=<ip_addr>] | [secondaries=<ip_addr>,...] [config=<pathname>]
Description
Enables the Usermapper service on the specified Data Mover.
CAUTION
Use the -enable command with caution. It changes a Data Mover's relationship with Usermapper without confirming the change.
Note: You do not need to issue this option if you are using the default Internal Usermapper configuration. In this case, primary Usermapper is automatically enabled when the NAS software is installed. You only need to issue this option if you are modifying a default Internal Usermapper configuration, or if you are upgrading from External to Internal Usermapper. Contact EMC Customer Support for assistance if you are upgrading.
If the instance of Usermapper you are configuring is to serve as a secondary, use the primary option to indicate the primary Usermapper to which this secondary will send mapping requests. The primary Usermapper is identified by its network IP address.
Note: The secondaries option is currently not supported.
Use the config option to indicate an existing Usermapper configuration file that should be accessed by the primary Usermapper service. This option is only relevant if you are upgrading from External to Internal Usermapper. Contact EMC Customer Support for assistance if you are upgrading.
Note: If there is no special reason to use particular UID and GID ranges for your environment's domains, EMC encourages you to use the automatic mapping method and let Internal Usermapper automatically assign new UIDs/GIDs based on the next available values.
If you need to use an existing Usermapper configuration file, you must specify the config option during the upgrade or migration procedure, that is, before Internal Usermapper has begun issuing default UIDs and GIDs. In addition, the primary Usermapper service must be disabled before you can import an existing configuration file.
Option
-Export { -user | -group } <pathname>
Description
Exports all the SID, user, and group information from the Usermapper databases to the file specified by <pathname>. The SID appears in the first field of the output file (Usermapper Format 3 dump format). You can specify any filename but the name should include the suffix .passwd or .group depending on the file type. This option is relevant only for a primary Usermapper service.
Imports Usermapper database information from the file specified by pathname.
Note: The Usermapper service must be disabled before you can import database information.
By default, only new entries are added to the Usermapper database. If an entry in the imported file does not match a similar entry in the existing database, the entry in the imported file is ignored unless the -force option is selected. If -force is selected, the existing database is deleted and replaced with new entries.
CAUTION
EMC recommends that you consult with Customer Support before issuing the -force option. This option overwrites the existing Usermapper database file. If you decide to use the -force option, you should first back up your existing Usermapper database file and usrmap.cfg file (if one is in use).
Option
-remove -all
Description
Removes all entries from the Usermapper databases and destroys the database structure.
Note: The Usermapper service must be disabled before you can issue the -remove -all option.
CAUTION
EMC recommends that you consult with Customer Support before issuing the -remove -all option. This option deletes all Usermapper database entries and may result in users losing access to file systems. If you decide to use the -remove -all option, you should first back up your existing Usermapper database file and usrmap.cfg file (if one is in use).
Refer to Parameter Files and Formats on page 31 for information on the parameter files.
Module: usrmap
Parameter: minuid
Value: 16 - 2^31-1 Default 16
Comment/Description: Minimum UID value. minuid must be less than maxuid.

Module: usrmap
Parameter: maxuid
Comment/Description: Maximum UID value. maxuid must be greater than minuid.

Module: usrmap
Parameter: mingid
Value: 16 - 2^31-1 Default 16
Comment/Description: Minimum GID value. mingid must be less than maxgid.

Module: usrmap
Parameter: maxgid
Comment/Description: Maximum GID value. maxgid must be greater than mingid.
Note: If you have imported a pre-existing configuration file, these UID and GID range limits only apply when a new Usermapper database entry is created. Once the database is created, you cannot change maximum UID and GID values.
Use this procedure to modify the Usermapper parameters. Refer to Table 5 on this page for a description of the parameters.
CAUTION
Do not change other lines in the parameter file without a thorough knowledge of the potential effects on the system. Contact your EMC Customer Support Representative for more information.
Step  Action
1.  Log in to the Control Station.
2.  Open /nas/server/slot_<x>/param with a text editor.
3.  To change the range of UID and GID values, add one or more of the following parameters:
    param usrmap minuid=<min UID>
    param usrmap maxuid=<max UID>
    param usrmap mingid=<min GID>
    param usrmap maxgid=<max GID>
    If the line appears already, ensure that the parameter has the new value.
4.  Close and save the file.
5.  Reboot the Data Mover using this command syntax:
    $ server_cpu <movername> -reboot -monitor now
    Where:
    <movername> = name of Data Mover controlled by the slot_<x>/param file.
    Example: slot_2/param affects server_2.
Parameter Files
Parameters are stored in text files, /nas/site/slot_param (system) and /nas/server/slot_<x>/param (server), and are read in sequence. Because these files might already contain parameter settings, it is recommended that you search the file for all occurrences of the parameter, and if found, modify one and remove any duplicates. However, if there is more than one entry for the same parameter, the last entry prevails.
To allow you to modify parameters for individual Data Movers, the values in the server file, /nas/server/slot_<x>/param, overwrite the values in the system file, /nas/site/slot_param.
For example, if you want the minimum UID value to be 25, the parameter value for usrmap.minuid must be set up as follows:
In the system parameter file, /nas/site/slot_param, type:
param usrmap minuid=25
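The precedence rules above can be checked offline before a Data Mover is rebooted. The following is an added example, not EMC code: it resolves the effective usrmap values from the contents of the system and server files, reports duplicate entries, and flags a minimum that is not below its maximum. The function names, the sample file contents and the tolerance for whitespace around "=" are assumptions.

```python
import re

# Line format as shown on this page: "param <module> <name>=<value>".
# Whitespace around "=" is tolerated here (an assumption).
PARAM_RE = re.compile(r"^\s*param\s+(\S+)\s+(\S+?)\s*=\s*(\S+)\s*$")

def parse_params(text):
    """Return [(module, name, value, line_no)] in file order."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PARAM_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), line_no))
    return entries

def effective_params(system_text, server_text):
    """System file is read first, then the server file; within a file
    the last entry for a parameter prevails."""
    effective, duplicates = {}, []
    for source, text in (("system", system_text), ("server", server_text)):
        seen = {}
        for module, name, value, line_no in parse_params(text):
            key = (module, name)
            if key in seen:
                duplicates.append((source, module, name, seen[key], line_no))
            seen[key] = line_no
            effective[key] = (value, source, line_no)
    return effective, duplicates

def check_usrmap_ranges(effective):
    """Flag min >= max for UID and GID when both limits are set."""
    problems = []
    for lo, hi in (("minuid", "maxuid"), ("mingid", "maxgid")):
        if ("usrmap", lo) in effective and ("usrmap", hi) in effective:
            lo_v = int(effective[("usrmap", lo)][0])
            hi_v = int(effective[("usrmap", hi)][0])
            if lo_v >= hi_v:
                problems.append(f"{lo}={lo_v} is not less than {hi}={hi_v}")
    return problems

# Constructed sample contents (not taken from a real system).
SYSTEM_FILE = "param usrmap minuid=25\nparam usrmap maxuid=60000\n"
SERVER_FILE = ("param usrmap minuid=100\n"
               "param usrmap maxuid=50\n"
               "param usrmap minuid=200\n")

if __name__ == "__main__":
    eff, dups = effective_params(SYSTEM_FILE, SERVER_FILE)
    for (module, name), (value, source, line_no) in sorted(eff.items()):
        print(f"{module}.{name} = {value} ({source} file, line {line_no})")
    print("duplicates:", dups)
    print("problems:", check_usrmap_ranges(eff))
```

On the constructed input the server file wins for both parameters, the repeated minuid entry is reported as a duplicate, and the resulting minuid/maxuid pair is flagged.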
Troubleshooting Usermapper
You can query the EMC WebSupport database for problem information, obtain release notes, or report a Celerra technical problem to EMC at Powerlink, EMC's secure extranet site, at http://powerlink.emc.com. For additional information about using Powerlink and resolving problems, refer to the Celerra Problem Resolution Roadmap technical module on the Celerra Network Server User Information CD.
Error Messages
Table 6 lists Usermapper error messages and their descriptions. These error messages are written to the Celerra Network Server's system log (/nas/log/sys_log).
Table 6 Usermapper Error Messages

Description: A UID mapping is not available. This error message is only returned if you are using a usrmap.cfg file.
Corrective Action: Check the corresponding domain description and allocate new space for UIDs.

Description: A GID mapping is not available. This error message is only returned if you are using a usrmap.cfg file.
Corrective Action: Check the corresponding domain description and allocate new space for GIDs.

Description: The primary Usermapper service is unreachable. This error message is only returned if the Data Mover is configured as a secondary Usermapper service.

Error Message: Internal error. (2,000,000,007)
Description: Generic issue.

Error Message: No account found. (2,000,000,010)
Description: Requested reverse mapping for UID or GID cannot be found.

Error Message: Unsupported request. (2,000,000,011)
Description: An unknown request has been received.

Error Message: Invalid input error. (2,000,000,013)
Description: A V3 request is malformed. This error message is returned to Usermapper clients.
For more information, refer to the Celerra Network Server Error Message Guide.
Known Problem
The primary Usermapper service must be enabled before secondary services can be configured.
Symptom
When you issue the server_usermapper <movername> -enable primary= command, you receive the following error:
Error 4020: <movername>:failed to complete command
Workaround
Check the operational state of the primary service and enable it using the server_usermapper <movername> -enable command.

Known Problem
Internal Usermapper stops mapping new UIDs and GIDs once the root file system of the Data Mover where the Usermapper database is stored becomes 95% full. New users will not be allowed access to system objects.
Symptom
The following errors are entered repeatedly in the server log for any additional mapping requests once root file system capacity is reached:
error: -20 for user uid request
error: -20 for group gid request
Workaround
You should determine the size of the root file system required based on the number of users in your Windows environment. Contact your EMC Customer Support Representative for assistance with determining size requirements.
Related Information
For specific information related to the features and functionality described in this technical module, refer to the following technical modules:
Managing Celerra for the Windows Environment
Configuring Celerra for the Windows Environment
Using Windows Administrative Tools with Celerra
Managing User Accounts on Celerra
Configuring External Usermapper for Celerra
For general information on other EMC Celerra publications, refer to the Celerra Network Server User Information CD, which is supplied with your Celerra Network Server and also available at Powerlink at http://powerlink.emc.com.
Note: The use of a usrmap.cfg file is not required in Internal Usermapper. Internal Usermapper automatically assigns UID and GID mappings, including SID history, by default.
A user, AlphaUser, was registered in the Usermapper database prior to the domain migration.
A user, BetaUser, was not registered in the Usermapper database prior to the domain migration.

Previously Registered User
After the migration, the first time that AlphaUser accesses a file, the Data Mover recognizes the Security Access Token with the history and new SIDs. The Data Mover then queries Usermapper for mappings for both SIDs. Usermapper returns mappings for both SIDs, assigning the original GID and UID to the history SID and assigning a new UID and GID to AlphaUser as a member of the Windows 2000 domain. Usermapper creates an entry for AlphaUser from the Windows 2000 domain in the Usermapper database files. Now the Data Mover allows AlphaUser to access all files bearing the history SID and the original GID and UID. Any ACLs created in the future bear AlphaUser's Windows 2000 SID.
Previously Unregistered User
BetaUser never accessed the Celerra as a member of the Windows NT domain. Consequently, BetaUser does not have an entry in the Usermapper database files. The first time that BetaUser accesses a file as a member of the Windows 2000 domain, the Data Mover does not recognize either SID and queries the Usermapper host. The Usermapper host recognizes the SID from the Windows NT domain and assigns a UID and a GID from the ranges assigned in the _history_SID_range_:GID_for_domain:start_UID_range:end_UID_range:start_GID_range:end_GID_range record in usrmap.cfg. This allows BetaUser to access any migrated information that bears the history SID. Usermapper also recognizes the Windows 2000 domain name and assigns a new UID and GID to BetaUser as a member of the Windows 2000 domain. Usermapper creates an entry for BetaUser from the Windows 2000 domain in the Usermapper database files, assigning BetaUser from the Windows 2000 domain a new UID and GID. Any files created in the future bear BetaUser's new attributes.

Numbers for GID_for_domain and the UID and GID ranges that have not been specified in usrmap.cfg.
Quantities for the UID and GID ranges that, as a minimum, equal the total quantities for the preceding UID and GID ranges in usrmap.cfg.
For example, the record at the end of this file represents these conditions:
domain_a:300:3001:3199:3001:3199
domain_b:400:4001:4199:4001:4199
domain_c:500:5001:5199:5001:5199
domain_d,domain_d.dom:700:7001:8099:7001:8099
domain_big5:600:6001:6099:6001:6099
domain_lt9:610:6101:6199:6101:6199
domain_lt1:620:6201:6299:6201:6299
domain_jan:630:6301:6399:6301:6399
domain_kot:640:6401:6499:6401:6499
sirint5:650:6501:6599:6501:6599
int_sirint6:660:6601:6699:6601:6699
int_sirint7:670:6701:6799:6701:6799
int_sirint8:680:6801:6899:6801:6899
int_sirint9:690:6901:6999:6901:6999
int_sirint1:810:8101:8199:8101:8199
int_sirint2:820:8201:8299:8201:8299
int_sirint3:830:8301:8399:8301:8399
int_sirint4:840:8401:8499:8401:8499
int_sirint5:850:8501:8599:8501:8599
int_sirint10:860:8601:8699:8601:8699
int_sirint11:870:8701:8799:8701:8799
int_sirint12:880:8801:8899:8801:8899
int_sirint13:890:8901:8999:8901:8999
domain_d1,domain_d1.domain_d.dom:900:9001:9099:9001:9099
domain_d2,domain_d2.domain_d.dom:910:9101:9199:9101:9199
domain_d3,domain_d3.domain_d.dom:920:9201:9299:9201:9299
_history_sid_range:1000:20000:25000:20000:25000
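The two conditions stated before the example file can be checked mechanically before a usrmap.cfg is put into use. The following is an added example, not EMC code: it reads the conditions as applying to the final history SID record, and it handles only the six-field records shown in the example file. The function names and the undersized variant record are assumptions.

```python
def parse_cfg(text):
    """Parse six-field records as they appear in the example file:
    names:GID_for_domain:start_UID:end_UID:start_GID:end_GID"""
    records = []
    for line in text.split():
        names, gid, u0, u1, g0, g1 = line.split(":")
        records.append({"names": names.split(","), "gid_for_domain": int(gid),
                        "uid": (int(u0), int(u1)), "gid": (int(g0), int(g1))})
    return records

def size(rng):
    return rng[1] - rng[0] + 1          # ranges are inclusive

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_history_record(records):
    """Return violations of the two conditions for the final record."""
    *prior, hist = records
    # The page spells the record name with varying case and trailing underscore.
    if not hist["names"][0].lower().startswith("_history_sid_range"):
        return ["last record is not the history SID record"]
    problems = []
    if any(hist["gid_for_domain"] == r["gid_for_domain"] for r in prior):
        problems.append("GID_for_domain already specified")
    for kind in ("uid", "gid"):
        if any(overlaps(hist[kind], r[kind]) for r in prior):
            problems.append(f"{kind} range overlaps an earlier record")
        needed = sum(size(r[kind]) for r in prior)
        if size(hist[kind]) < needed:
            problems.append(f"{kind} range holds {size(hist[kind])}, needs {needed}")
    return problems

# Three domain records and the history record taken from the example file.
PRIOR = ("domain_a:300:3001:3199:3001:3199\n"
         "domain_b:400:4001:4199:4001:4199\n"
         "domain_d,domain_d.dom:700:7001:8099:7001:8099\n")
GOOD_CFG = PRIOR + "_history_sid_range:1000:20000:25000:20000:25000\n"
# Constructed variant: reuses GID 400 and an undersized, overlapping UID range.
BAD_CFG = PRIOR + "_history_sid_range:400:4100:4500:20000:25000\n"

if __name__ == "__main__":
    print(check_history_record(parse_cfg(GOOD_CFG)))
    print(check_history_record(parse_cfg(BAD_CFG)))
```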
Facility Name: USRMAP
Facility ID: 93
Facility Description: Monitors Usermapper events

Event ID   Event Description
0          Usermapper OK
1          Usermapper database created
           Usermapper service enabled
           Usermapper service stopped
           Usermapper database destroyed
5          Usermapper available
6          Usermapper unreachable
7          Usermapper file system quota exceeded