Learn about local ONTAP SMB users and groups

Contributors: netapp-aherbin, netapp-aaron-holt

You should know what local users and groups are, and some basic information about them, before determining whether to configure and use local users and groups in your environment.

  • Local user

    A user account with a unique security identifier (SID) that has visibility only on the storage virtual machine (SVM) on which it is created. Local user accounts have a set of attributes, including user name and SID. A local user account authenticates locally on the CIFS server using NTLM authentication.

    User accounts have several uses:

    • Used to grant User Rights Management privileges to a user.

    • Used to control share-level and file-level access to file and folder resources that the SVM owns.

  • Local group

    A group with a unique SID that has visibility only on the SVM on which it is created. Groups contain a set of members. Members can be local users, domain users, domain groups, and domain machine accounts. Groups can be created, modified, or deleted.

    Groups have several uses:

    • Used to grant User Rights Management privileges to its members.

    • Used to control share-level and file-level access to file and folder resources that the SVM owns.

  • Local domain

    A domain that has local scope, which is bounded by the SVM. The local domain's name is the CIFS server name. Local users and groups are contained within the local domain.

  • Security identifier (SID)

    A SID is a variable-length numeric value that identifies Windows-style security principals. For example, a typical SID takes the following form: S-1-5-21-3139654847-1303905135-2517279418-123456.

  • NTLM authentication

    A Microsoft Windows security method used to authenticate users on a CIFS server.

  • Cluster replicated database (RDB)

    A replicated database with an instance on each node in a cluster. Local user and group objects are stored in the RDB.
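The SID definition above gives the textual form only; the following added example (not NetApp code or part of this page) parses that form, validates each field against the limits of the Windows SID structure, splits a principal SID into its domain identifier and relative identifier (RID), and converts to and from the binary encoding that appears in security descriptors and NTLM messages. The `same_domain` helper and the sample SIDs are constructed for illustration.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    """Windows-style SID: S-<revision>-<authority>-<sub-authority>... (example code, not NetApp's)."""
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"malformed SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1; authority is 48 bits; at most 15 sub-authorities of 32 bits each.
        if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
            raise ValueError(f"SID field out of range: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities)])

    @property
    def domain(self) -> "Sid":
        # All sub-authorities but the last identify the issuing domain (for a local
        # principal, the SVM's local domain); the last one is the principal's RID.
        if not self.subauthorities:
            raise ValueError("SID has no sub-authorities, so no domain/RID split")
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        if not self.subauthorities:
            raise ValueError("SID has no sub-authorities, so no RID")
        return self.subauthorities[-1]

    def to_bytes(self) -> bytes:
        # Binary layout: revision (1 byte), sub-authority count (1 byte),
        # 48-bit big-endian authority (6 bytes), then little-endian 32-bit sub-authorities.
        header = bytes([self.revision, len(self.subauthorities)]) + self.authority.to_bytes(6, "big")
        return header + struct.pack(f"<{len(self.subauthorities)}I", *self.subauthorities)

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        # The length is variable: it must match the sub-authority count in byte 1.
        if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
            raise ValueError("truncated or inconsistent binary SID")
        return cls(raw[0], int.from_bytes(raw[2:8], "big"), struct.unpack(f"<{raw[1]}I", raw[8:]))


def same_domain(a: str, b: str) -> bool:
    """True when two principal SIDs were issued by the same (local or Active Directory) domain."""
    return Sid.parse(a).domain == Sid.parse(b).domain
```

Comparing the domain part is how you tell a local principal (SVM local-domain prefix) from a domain principal with the same RID.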

Reasons for creating local ONTAP SMB users and local groups

There are several reasons for creating local users and local groups on your storage virtual machine (SVM). For example, you might need to access an SMB server by using a local user account when the domain controllers (DCs) are unavailable, you might want to use local groups to assign privileges, or your SMB server might be in a workgroup.

You can create one or more local user accounts for the following reasons:

  • Your SMB server is in a workgroup, and domain users are not available.

    Local users are required in workgroup configurations.

  • You want the ability to authenticate and log in to the SMB server if the domain controllers are unavailable.

    Local users can authenticate with the SMB server by using NTLM authentication when the domain controller is down, or when network problems prevent your SMB server from contacting the domain controller.

  • You want to assign User Rights Management privileges to a local user.

    User Rights Management is the ability for an SMB server administrator to control what rights the users and groups have on the SVM. You can assign privileges to a user by assigning the privileges to the user's account, or by making the user a member of a local group that has those privileges.

You can create one or more local groups for the following reasons:

  • Your SMB server is in a workgroup, and domain groups are not available.

    Local groups are not required in workgroup configurations, but they can be useful for managing access privileges for local workgroup users.

  • You want to control access to file and folder resources by using local groups for share and file-access control.

  • You want to create local groups with customized User Rights Management privileges.

    Some built-in user groups have predefined privileges. To assign a customized set of privileges, you can create a local group and assign the necessary privileges to that group. You can then add local users, domain users, and domain groups to the local group.