How group mapping supports multiprotocol access to Infinite Volumes
Group mapping improves the accuracy of permissions that appear when NFSv4.1 clients display the ACL of a file or directory that has NTFS file permissions. If an Infinite Volume supports both NFSv4.1 ACLs and SMB, you should configure group mapping, which is similar to user mapping.
Why group mapping is required
Groups are often used in ACLs to simplify security management. However, groups in multiple Windows domains cannot be easily translated to the groups of a single NFSv4.1 domain.
Mapping groups from Windows to UNIX ensures that group names appear when NFSv4.1 ACLs are displayed on NFSv4.1 clients.
If a Windows group is not mapped to a UNIX group and a default UNIX group is not configured, the Windows group is displayed to an NFSv4.1 client as nobody (specifically nobody@v4-id-domain).
What group mapping is required
If an Infinite Volume supports both SMB and NFSv4.1 ACLs, you should perform the following configurations:
Create a Windows-to-UNIX mapping for every Windows group.
Define a default UNIX group that is used when no mapping exists for a Windows group and the lowercase name of the Windows group is not a valid group name in the UNIX domain.
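The fallback order described above can be written out as a small audit that shows, for each Windows group used in ACLs, what an NFSv4.1 client would display. This is an added example, not NetApp code or ONTAP's implementation. It assumes mappings are ordered regex pattern/replacement pairs where the first match wins, and that the Windows domain prefix is dropped before lowercasing; the function names, the example.com domain and all sample groups are constructed.

```python
import re

def display_group(win_group, rules, unix_groups, default_group, v4_domain):
    """Return (name an NFSv4.1 client displays, reason) for one Windows group."""
    # 1. Explicit Windows-to-UNIX mapping (assumed: first matching rule wins).
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, win_group, flags=re.IGNORECASE)
        if m:
            return f"{m.expand(replacement)}@{v4_domain}", "mapped"
    # 2. No mapping: try the lowercase group name (assumed: domain prefix dropped).
    implicit = win_group.rsplit("\\", 1)[-1].lower()
    if implicit in unix_groups:
        return f"{implicit}@{v4_domain}", "implicit"
    # 3. Lowercase name is not a valid UNIX group: use the default UNIX group.
    if default_group:
        return f"{default_group}@{v4_domain}", "default"
    # 4. No default configured: the client sees nobody@v4-id-domain.
    return f"nobody@{v4_domain}", "nobody"

def audit(acl_groups, rules, unix_groups, default_group=None, v4_domain="example.com"):
    """Map every Windows group found in ACLs to what NFSv4.1 clients will show."""
    return {g: display_group(g, rules, unix_groups, default_group, v4_domain)
            for g in acl_groups}

# Constructed sample data (not taken from any real configuration).
RULES = [(r"ENG\\Storage Admins", "storadm"), (r"SALES\\.*", "sales")]
UNIX_GROUPS = {"storadm", "sales", "backup", "wingroup"}
ACL_GROUPS = ["ENG\\Storage Admins", "SALES\\EMEA", "CORP\\Backup", "CORP\\Contractors"]

if __name__ == "__main__":
    # Run once without and once with a default UNIX group to compare the output.
    for default in (None, "wingroup"):
        print(f"default UNIX group: {default}")
        for group, (shown, reason) in audit(ACL_GROUPS, RULES, UNIX_GROUPS, default).items():
            print(f"  {group:22} -> {shown:24} [{reason}]")
```

Groups reported as "nobody" or "default" are the ones whose ACL entries an NFSv4.1 administrator cannot tell apart when reviewing permissions, so they are the ones that need an explicit mapping.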
Comparison of user and group mapping
Group mapping and user mapping share the following similarities:
Group mapping and user mapping can both be defined by using either ONTAP or LDAP.
If group mapping and user mapping are defined by using ONTAP, the mappings are defined in a similar way and by using the same conversion rules.
For information about conversion rules in user mapping and group mapping, see either the NFS Reference or the SMB/CIFS Reference.
Group mapping is unique in the following ways:
Group mapping is available only on storage virtual machines (SVMs) with Infinite Volume, not on SVMs.
Group mapping is required only if an SVM is configured for both SMB and NFSv4.1, including NFSv4.1 ACLs.
Group mapping does not affect access; group mapping affects only what NFSv4.1 clients display.
During access checks, a user's group membership is determined in the same way on all SVMs.
Group mapping is required only in one direction—from Windows to UNIX.
UNIX groups do not have to be mapped to Windows groups.