# vserver name-mapping and duplicate UIDs


pliant nest
#

Hey folks,

I've got an SVM dedicated to the problematic issues around mixed protocol environments.

I've got probably a dozen or so AIX environments that need to access stuff written out to SMB shares for many reasons, and I've been working around the shortcomings of using the cifs mounting types by creating a unix-user on the NAS with the appropriate UID, creating a name-mapping (vserver name-mapping create) and having it replaced with a unique NTFS security group dedicated to that system/account. It's worked well.

Except everyone fights over uid 1001.

Oracle? Uid 1001
Pagerduty? Uid 1001
Other stuff related to our PMR? uid 1001.

Without having the end user change UID's (nightmare) or creating new SVM's for them or recycling generic name-maps, what can I do to get around this limitation?

heavy dome
#

With UIDs alone, no chance. In NFS, the only thing that gets sent over the wire is the UID number, so unless you can separate the mounts to different SVMs (with different mappings) or can switch to NFS4 with iddomains, you're out of luck.
You might be able to change the UIDs on the hosts, i.e. swap Oracle's UID to 1002 or something else by editing /etc/passwd and chmod'ing all files owned by 1001, but I have no idea if that will work out in the end.

pliant nest
#

Yeah they're terrified of changing UID's, rightfully so.

How does NFS4 and iddomains work?

#

Because we are using NFS4.1+ now to squeak this to life normally.

#

Oooh, that looks like a NIS function

heavy dome
#

Basically NFSv4.1 can use "usernames" (strings of the form "user@somedomain.com") and you can configure the mapping to UIDs on the hosts (in Linux it's done by idmapd, don't know about AIX). It's a bit more complex to set up, but as an added bonus you can also get Windows-like ACLs on NFS with more fine-grained permissions than what the usual mode bits offer.

#

It has nothing to do with NIS, though.
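To make the difference concrete, here is an added model (not code from the thread or from any NAS vendor) of why two hosts that both use uid 1001 collide under NFSv3 but can be told apart under NFSv4 id mapping. The host names, id domains, passwd entries and the NAS-side mapping table are all constructed for the example.

```python
"""Model: NFSv3 carries only the numeric uid, NFSv4 carries user@domain.

All hosts, domains and mapping entries below are constructed for this
example; they are not taken from the thread or from any real NAS.
"""

# Constructed /etc/passwd excerpts on two client hosts: user -> uid.
# Both sites hand out 1001 to their "important" account.
HOST_PASSWD = {
    "aix-db": {"oracle": 1001},
    "aix-ops": {"pagerduty": 1001},
}

# Constructed NFSv4 id domain configured per host (the idmapd "Domain"
# setting on Linux; the AIX equivalent is not covered by the thread).
HOST_IDDOMAIN = {"aix-db": "db.example.com", "aix-ops": "ops.example.com"}

# Constructed NAS-side unix users: uid -> name.
NAS_UNIX_USERS = {1001: "shared1001", 2001: "oracle_db", 2002: "pd_ops"}

# Constructed NAS-side NFSv4 owner-string map: "user@domain" -> unix user.
NAS_V4_NAMEMAP = {
    "oracle@db.example.com": "oracle_db",
    "pagerduty@ops.example.com": "pd_ops",
}


def nfs3_owner(host, user):
    """NFSv3 with AUTH_SYS: only the numeric uid goes on the wire."""
    return HOST_PASSWD[host][user]


def nfs4_owner(host, user):
    """NFSv4: the owner is the string user@domain; the number never crosses."""
    return f"{user}@{HOST_IDDOMAIN[host]}"


def nas_resolve_v3(uid):
    """Server side: the wire uid is whoever owns that number locally."""
    return NAS_UNIX_USERS.get(uid)


def nas_resolve_v4(owner):
    """Server side: look the owner string up in the v4 map (None = unmapped,
    which a real server would typically squash to nobody)."""
    return NAS_V4_NAMEMAP.get(owner)


def resolve_all(version):
    """Return {(host, user): NAS identity} for every client account."""
    out = {}
    for host, users in HOST_PASSWD.items():
        for user in users:
            if version == 3:
                out[(host, user)] = nas_resolve_v3(nfs3_owner(host, user))
            else:
                out[(host, user)] = nas_resolve_v4(nfs4_owner(host, user))
    return out


def collides(resolved):
    """True when two distinct client accounts land on the same NAS identity."""
    ids = list(resolved.values())
    return len(ids) != len(set(ids))
```

Under version 3 both accounts resolve to the single NAS user holding uid 1001; under version 4 each owner string maps to its own NAS user, and an owner from the wrong domain simply fails to map.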

dreamy tapir
#

I guess you could also use NFS exports to mask off directories that need to be read between systems...

#

Depending on the setup... where scripts dump whatever the next script needs to read... I hate legacy systems like this.