New and expired users are retrieved through the following series of queries.
The primary provider for the access protocol is queried for the user attribute declared in the request:
If the request is sent via NFSv3, the POSIX primary provider is queried for the UID. The POSIX primary provider is the provider that takes precedence for POSIX attributes. If there is only one provider, that provider is the POSIX primary provider.
If the request is sent via SMB and declares a user SID, Active Directory is queried for the SID.
Note: If the tenant is configured to use SMB native authentication, SMB client access is authorized using the user and group information carried in the user's Kerberos or NTLM ticket, rather than by retrieving that data from Active Directory.
If the request is sent via NFSv4.1 and the cluster is joined to Active Directory, Active Directory is queried for the user attribute declared in the request: the UID number if ID mapping is disabled, or the user name if ID mapping is enabled.
If the UID or SID is found on the provider, the user name and groups associated with the UID or SID are retrieved.
Additionally, if the request was sent via SMB and therefore the first provider queried was Active Directory, then POSIX attributes are also retrieved for the user.
Similarly, if the request was sent via NFS and the POSIX primary provider is Active Directory, and therefore the first provider queried is Active Directory, then SMB attributes are also retrieved from Active Directory for the user.
If there is a different external provider configured on the VAST cluster, that provider is queried for a user name that matches the user name retrieved from the first provider. If a user with the queried user name is found, attributes of that matching user are retrieved from the other provider.
When the other provider is queried, the user name searched for is the value of whichever user attribute is set as the match user attribute for the first provider. By default, this is the uid attribute for both Active Directory and LDAP. For matches to succeed, the match user attribute must be set to the attribute that stores the user name on each provider; if it points at an attribute whose value differs between providers, the second lookup finds no user and only the first provider's attributes are used. The match user attribute is set in the Attribute mappings tab of the LDAP configuration.
The local provider is also queried by the user name.
New UIDs, GIDs and SIDs are added to the database, and a new user entry is added. The user database keeps track of the user's association with the various attributes.
Conflicts between providers are handled per Conflict Resolution and Merging Rules.
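The query sequence above, modelled as an added example that is not VAST code: constructed AD, LDAP and local provider records, a protocol-dependent first lookup, the second-provider lookup by the match user attribute, and the local lookup by user name. Provider names, attribute names (uid, uidNumber, sAMAccountName, memberOf) and the sample values are assumptions for illustration; conflict resolution between providers is not modelled.

```python
# Constructed sample providers; attribute names are illustrative, not a real schema.
AD = {  # keyed by SID
    "S-1-5-21-1-2-3-1105": {"sAMAccountName": "asmith", "uid": "alice",
                            "uidNumber": 5001, "gidNumber": 5000, "memberOf": ["ad-staff"]},
}
LDAP = {  # keyed by a DN-like id; 'uid' is the user name attribute
    "uid=alice,ou=people": {"uid": "alice", "uidNumber": 5001, "gidNumber": 5000,
                            "memberOf": ["ldap-eng"]},
}
LOCAL = {"alice": {"memberOf": ["local-admins"]}}  # keyed by user name
PROVIDERS = {"AD": AD, "LDAP": LDAP}

def _find(provider, attr, value):  # attr == "key" matches the record's key (e.g. SID)
    for key, rec in provider.items():
        if (key if attr == "key" else rec.get(attr)) == value:
            return dict(rec, key=key)
    return None

def resolve(protocol, declared, posix_primary="LDAP", match_attr="uid",
            ad_joined=True, id_mapping=False):
    """Resolve one request to a merged identity, or None if no provider knows the user."""
    # Step 1: the protocol's primary provider is queried for the declared attribute.
    if protocol == "nfsv3":      # NFSv3 declares a UID; POSIX primary provider goes first
        first, rec = posix_primary, _find(PROVIDERS[posix_primary], "uidNumber", declared)
    elif protocol == "smb":      # SMB declares a SID; Active Directory goes first
        first, rec = "AD", _find(AD, "key", declared)
    elif protocol == "nfsv4.1" and ad_joined:   # UID, or user name when ID mapping is on
        first, rec = "AD", _find(AD, "uid" if id_mapping else "uidNumber", declared)
    else:
        return None
    if rec is None:
        return None
    # Step 2: name and groups from the first provider; an AD hit also yields POSIX IDs + SID.
    identity = {"name": rec[match_attr], "uid": rec["uidNumber"], "gid": rec["gidNumber"],
                "sid": rec["key"] if first == "AD" else None,
                "groups": list(rec["memberOf"]), "providers": [first]}
    # Step 3: the other provider is searched by the first provider's match-attribute value.
    other = "LDAP" if first == "AD" else "AD"
    other_rec = _find(PROVIDERS[other], "uid", identity["name"])
    if other_rec:
        identity["groups"] += other_rec["memberOf"]
        identity["providers"].append(other)
        identity["sid"] = identity["sid"] or (other_rec["key"] if other == "AD" else None)
    # Step 4: the local provider is queried by user name; the merged IDs are then stored.
    local = LOCAL.get(identity["name"])
    if local:
        identity["groups"] += local["memberOf"]
        identity["providers"].append("local")
    return identity
```

Calling `resolve("smb", ..., match_attr="sAMAccountName")` on the sample data shows the failure mode from the text: the AD value "asmith" matches nothing on LDAP or the local provider, so only AD attributes are returned.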