Multidomain searches for UNIX user to Windows user name mappings
ONTAP supports multidomain searches when mapping UNIX users to Windows users. All discovered trusted domains are searched for matches to the replacement pattern until a matching result is returned. Alternatively, you can configure a list of preferred trusted domains, which is used instead of the discovered trusted domain list and is searched in order until a matching result is returned.
How domain trusts affect UNIX user to Windows user name mapping searches
To understand how multidomain user name mapping works, you must understand how domain trusts work with ONTAP. Active Directory trust relationships with the SMB server's home domain can be a bidirectional trust or can be one of two types of unidirectional trusts, either an inbound trust or an outbound trust. The home domain is the domain to which the SMB server on the SVM belongs.
-
Bidirectional trust
With bidirectional trusts, both domains trust each other. If the SMB server's home domain has a bidirectional trust with another domain, the home domain can authenticate and authorize a user belonging to the trusted domain and vice versa.
UNIX user to Windows user name mapping searches can be performed only on domains with bidirectional trusts between the home domain and the other domain.
-
Outbound trust
With an outbound trust, the home domain trusts the other domain. In this case, the home domain can authenticate and authorize a user belonging to the outbound trusted domain.
A domain with an outbound trust with the home domain is not searched when performing UNIX user to Windows user name mapping searches.
-
Inbound trust
With an inbound trust, the other domain trusts the SMB server's home domain. In this case, the home domain cannot authenticate or authorize a user belonging to the inbound trusted domain.
A domain with an inbound trust with the home domain is not searched when performing UNIX user to Windows user name mapping searches.
How wildcards (*) are used to configure multidomain searches for name mapping
Multidomain name mapping searches are facilitated by the use of wildcards in the domain section of the Windows user name. The following table illustrates how to use wildcards in the domain part of a name mapping entry to enable multidomain searches:
Pattern | Replacement | Result | ||
---|---|---|---|---|
root |
*\\administrator |
The UNIX user “root” is mapped to the user named “administrator”. All trusted domains are searched in order until the first matching user named “administrator” is found. |
||
* |
*\\* |
Valid UNIX users are mapped to the corresponding Windows users. All trusted domains are searched in order until the first matching user with that name is found.
|
How multidomain name searches are performed
You can choose one of two methods for determining the list of trusted domains used for multidomain name searches:
-
Use the automatically discovered bidirectional trust list compiled by ONTAP
-
Use the preferred trusted domain list that you compile
If a UNIX user is mapped to a Windows user with a wildcard used for the domain section of the user name, the Windows user is looked up in all the trusted domains as follows:
-
If a preferred trusted-domain list is configured, the mapped Windows user is looked up in this search list only, in order.
-
If a preferred list of trusted domains is not configured, then the Windows user is looked up in all the bidirectional trusted domains of the home domain.
-
If there are no bidirectionally trusted domains for the home domain, the user is looked up in the home domain.
If a UNIX user is mapped to a Windows user without a domain section in the user name, the Windows user is looked up in the home domain.