Apply AD Authentication To NAS
You can apply your environment's existing Microsoft Active Directory (AD) authentication services to StorNext NAS. Through AD authentication, clients can access NAS shares only if they are authenticated by the AD server(s).
Note: For a list of all the Appliance Controller commands, see the Command Index.
You can apply the following advanced configurations to your AD authentication. If you do not need to apply advanced configuration options, follow the steps outlined in Apply AD Authentication without Advanced Options.
- Apply advanced options to your AD authentication configuration, such as configuring an AD machine organizational unit (OU) to which to limit authentication. See Apply AD Authentication with Advanced Options.
- Authenticate user connections through AD by mapping a specific UID or GID to an AD user or group. See Map UIDs and GIDs.
- Apply ID mapping options to map UNIX IDs from AD user accounts. See Apply ID Mapping.
- StorNext NAS supports Access Control Lists (ACLs) when the NAS server is bound to an AD server. You do not need to take any additional steps within the NAS controller to receive full ACL support.
- If your environment consists of a large AD network, we recommend adding the StorNext NAS object to the AD server and allowing for replication to complete before configuring AD authentication for StorNext NAS.
Important: If you configure AD or OpenLDAP to authenticate users accessing your NAS cluster, you must add your cluster host name to the same DNS as your AD or OpenLDAP server. Otherwise, users authenticated through AD or OpenLDAP cannot access the NAS shares through the NAS cluster.
Apply AD Authentication without Advanced Options
- Log in to the Appliance Controller CLI.
- At the prompt, enter the following:
auth config ads <admin_username> <ip_addr|host> [,<ip-addr|host>, ...] [(qtm_guid) | (rfc2307) | (tdb) | (rid)]
Standard (non-advanced) parameters:
| Parameter | Explanation |
|---|---|
| <admin_username> | The admin user, or a user with admin privileges to create computer objects in the domain's Computers OU. Note: We recommend setting a permanent password for the admin user. If you change the admin user's password, you will need to re-issue the auth config ads command to rejoin the NAS controller to the AD service. |
| <ip_addr\|host> | IP address or hostname where the AD server is running. You do not need to specify a port number. If your AD server is using SSL, the port defaults to 636; if your AD server does not use SSL, the port is set to 389. If you are defining multiple IP addresses or hostnames, separate each item with a comma. |
| [(qtm_guid) \| (rfc2307) \| (tdb) \| (rid)] | (Optional) The method used to map UNIX IDs from the AD server for user accounts. Enter one of qtm_guid (default), rfc2307, rid, or tdb, or press <Enter> to apply the default option. For more information, see Apply ID Mapping. |
Note: If you do not include one of these in the auth config ads command, you will be prompted: ID mapping to use: qtm_guid, rfc2307, rid, or tdb (Default = qtm_guid). Enter an ID mapping to use, or accept the default value.
- If you do not select an ID mapping option, you will be prompted to select one of the options: ID mapping to use: qtm_guid, rfc2307, rid, or tdb (Default = qtm_guid)
- At the "Do you want to configure 'advanced ADS' options" prompt, press <Enter> to apply the default option (default=No).
- At the "Please enter the password for user administrator" prompt, enter the admin user's password to apply the AD authentication selections. If you change the admin user's password, you will need to re-issue the auth config ads command to rejoin StorNext NAS to the AD service.
Example:
> auth config ads administrator dc1.eng.example.com
ID mapping to use: qtm_guid, rfc2307, rid, or tdb (Default = qtm_guid):
Do you want to configure advanced options (yes/No)?
Please enter the password for user administrator:
Query to dc1.eng.example.com found: domain=eng.example.com, workgroup=ENG
Auth-configuration starting ...
Applying ads configuration settings ...
Join to ENG.EXAMPLE.COM as SNT933231-MVIP starting ...
Using AD Computers OU "Computers" ...
Verify now joined to ENG.EXAMPLE.COM as SNT933231-MVIP ...
Clearing ID map cache ...
Restart SMB services to join with ENG.EXAMPLE.COM ...
Successfully configured Active Directory services authentication
- Validate your AD configuration by displaying authenticated users. See View User and Group Information.
If you omit the ID mapping option, the command prompts for it:
> auth config ads nasadmin dc1.eng.example.com
ID Mapping to use: qtm_guid, rfc2307, rid, or tdb (Default=qtm_guid):
If you do not enter an option other than the default, which is qtm_guid, and press Enter, qtm_guid is applied.
Apply AD Authentication with Advanced Options
- Log in to the Appliance Controller CLI.
- At the prompt, enter the following:
auth config ads <admin_username> <ip_addr|host> [,<ip-addr|host>, ...] [(qtm_guid) | (rfc2307) | (tdb) | (rid)]
Standard (non-advanced) parameters:
| Parameter | Explanation |
|---|---|
| <admin_username> | The admin user, or a user with admin privileges to create computer objects in the domain's Computers OU. Note: We recommend setting a permanent password for the admin user. If you change the admin user's password, you will need to re-issue the auth config ads command to rejoin the NAS controller to the AD service. |
| <ip_addr\|host> | IP address or hostname where the AD server is running. You do not need to specify a port number. If your AD server is using SSL, the port defaults to 636; if your AD server does not use SSL, the port is set to 389. If you are defining multiple IP addresses or hostnames, separate each item with a comma. |
| [(qtm_guid) \| (rfc2307) \| (tdb) \| (rid)] | (Optional) The method used to map UNIX IDs from the AD server for user accounts. This is called the ID mapping in StorNext NAS. Enter one of qtm_guid (default), rfc2307, rid, or tdb, or press <Enter> to apply the default option. For more information, see Apply ID Mapping. |
Note: If you do not include one of these in the auth config ads command, you will be prompted: ID mapping to use: qtm_guid, rfc2307, rid, or tdb (Default = qtm_guid). Enter an ID mapping to use, or accept the default value.
- At the "Do you want to configure advanced options" prompt, enter yes. The controller will prompt for valid parameters for each of the following advanced options.
Note: If you do not need to set a parameter for an advanced option, press <Enter> to apply the default parameter to the advanced option and move to the next advanced option.
The advanced option prompts and their explanations are as follows.
Use unix primary group
This option is available if you choose rfc2307 for the idmap. When this is set, auth will use the LDAP gidNumber for the primary group, instead of using the group number for the group with its RID obtained from the LDAP PrimaryGroup entry.
AD Domains to exclude (Default = '')
Specify the list of domains that will be excluded when using winbind user mapping. If you exclude multiple domains, separate each domain with a comma.
Note: This is only valid when "Allow Trusted Domains" is set to "yes". See Allow Trusted Domains. Press <Enter> to apply the default setting of "none"/blank.
AD Organizational Unit (Default = 'Computers')
The AD machine organizational unit (OU) to which to limit authentication.
Keep in mind that OUs are containers within AD. Use them to organize users, groups, or machines into units to which to apply Group Policy settings or account permissions.
Example: You want to limit authentication to the NAS machine unit, which is contained in the Appliances location. Enter the following as the AD OU: Appliances/NAS
Enter the AD OU, or press <Enter> to apply the default setting of Computers.
AD Machine Account
This is the NETBIOS name that will be used as the computer object name. The default varies depending on the cluster configuration as follows:
- In a scale-out NAS cluster, this is the short version of the cluster hostname.
- In a NAS cluster with a single VIP, this is the short version of the VIP hostname.
- In a non-clustered NAS configuration, this is the short version of the computer hostname.
Note: The default will revert to the IP address if the short hostname is longer than 15 characters.
Allow Trusted Domains (Default = 'no')
Whether to allow access from all AD domains in the AD forest.
- Enter no, or press <Enter>, to refuse access to all AD domains in the AD forest. Important: This setting is the default and recommended setting. If you set this option to yes, all AD domains within your AD forest can connect to your NAS shares. If your AD forest is large (consisting of multiple AD domains and firewalls protecting the clients), the authentication could time out and fail.
- Enter yes to allow access from all AD domains in the AD forest. Keep in mind that this setting can present time-out issues for organizations with large AD forests.
Note: If you set "Allow Trusted Domains" to "yes", ensure you have also set AD Domains to exclude, if desired, for domains that should not be allowed.
Please enter the password for user administrator
Enter the admin user's password to apply the AD authentication selections. If you change the admin user's password, you will need to re-issue the auth config ads command to rejoin StorNext NAS to the AD service.
Example:
> auth config ads administrator dc1.eng.example.com
Do you want to configure advanced options (yes/No)? yes
ID mapping to use: qtm_guid, rfc2307, rid, or tdb (Default = qtm_guid): rid
AD Domains to exclude (Default = ''):
AD Organizational Unit (Default = 'Computers'):
AD Machine Account (Default = SNT933231-MVIP):
Allow Trusted Domains (Default = 'no'):
Please enter the password for user administrator:
Query to dc1.eng.example.com found: domain=eng.example.com, workgroup=ENG
Auth-configuration starting ...
Applying ads configuration settings ...
Join to ENG.EXAMPLE.COM as SNT933231-MVIP starting ...
Using AD Computers OU "Computers" ...
Verify now joined to ENG.EXAMPLE.COM as SNT933231-MVIP ...
Clearing ID map cache ...
Restart SMB services to join with ENG.EXAMPLE.COM ...
Successfully configured Active Directory services authentication
- Validate your AD configuration by displaying authenticated users. See View User and Group Information.
Map UIDs and GIDs
To authenticate user connections through AD by mapping a specific UID or GID to an AD user or group, use the following commands.
Note: The auth map ads user and auth map ads group commands are supported with AD authentication only when the tdb idmap is used.
To map the SID of an AD user to a specific UID, enter the following command:
auth map ads user <username> <UID>
The parameters are:
| Parameter | Explanation |
|---|---|
| <username> | User name of the AD account. |
| <UID> | UID number to map the AD user account to. |
To map an AD group to a specific GID, enter the following command:
auth map ads group <groupname> <GID>
The parameters are:
| Parameter | Explanation |
|---|---|
| <groupname> | Group name of the AD account. |
| <GID> | GID number to map the AD group account to. |
Apply ID Mapping
An ID map is used to map UNIX IDs from AD user accounts. Quantum supports four different types of ID mapping for ADS authentication: qtm_guid, rfc2307, rid, and tdb, to use when configuring StorNext NAS to use AD.
The qtm_guid idmap is a Quantum-developed ID map which allows UID mapping to match the default UID mapping used by macOSX when bound to an AD server. This is the default ID mapping; it generates an ID based on the ADS user's GUID and is the same mapping used by StorNext Windows clients when the unixIdFabricationOnWindows flag is set to true.
Note: The UID number can range from 1 to 2147483647.
qtm_guid Algorithm
The following algorithm is used to calculate the qtm_guid:
Take the first 8 hex digits of the objectGUID, add "0x" to that, mask the hex value with 7FFFFFFF, and convert the result to decimal to yield the qtm_guid value.
Example:
Step 1: Take the first 8 digits of the objectGUID = A546C5C4-0E3B-4D6F-9A02-C63C383F9DFA
Step 2: Add 0x + A546C5C4 = 0XA546C5C4
Step 3: 0XA546C5C4 & 0X7FFFFFFF == 0X2546C5C4 ==> in Decimal 625395140
So the qtm_guid = 625395140
Things to know: using qtm_guid
The advantage of this ID map is that it allows Xsan clients and StorNext NAS servers to share a common UID/GUID mapping when bound to an Active Directory server. macOSX uses this as the default method to bind to ADS, and it is compatible with Xsan clients. This mapping is also available for StorNext Windows clients using the "Unix ID Fabrication on Windows" attribute for file systems.
There are two main issues if you choose this mapping:
- Linux systems, other than the host Quantum appliance server node(s), do not have access to this mapping.
- This mapping does not work in an AD forest environment.
The rfc2307 ID map option uses the AD UNIX Attributes mechanism. This mechanism guarantees consistency in user IDs (UIDs) and group IDs (GIDs) when connecting to multiple Gateways across your environment. This ID mapping standard provides a username to UID mapping that can be consistent across all flavors of UNIX.
When the auth config ads command is issued, StorNext NAS verifies whether rfc2307 has been configured on the AD server.
- If it has been configured, then StorNext NAS uses rfc2307 as the default ID map.
- If it has not been configured, then the auth config ads request returns an error stating such.
Things to know: using rfc2307
The main issue with this mapping is that it requires configuration on the ADS server, usually using the "Windows service for unix". While deprecated in newer versions of ADS (making it harder for Windows administrators to implement), this functionality is the best solution for multi-platform ID mapping.
To set up the rfc2307 extension for AD, see the following Microsoft instructions: https://technet.microsoft.com/en-us/library/cc754871(v=ws.11).aspx.
The Relative Identifier (rid) map option converts a Security Identifier (SID) to a RID. This method allows all Quantum appliances to see the same UID.
rid Algorithm
The following algorithm is used to calculate RIDs:
RID portion of the SID + 1000
Example
User A has the following SID:
S-1-5-21-2500398869-2327988562-2535538314-1117
By applying the algorithm (taking the last 4 digits and adding 1000), User A would then have the following RID:
uid=2117
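Both mapping calculations above (qtm_guid from the first 8 hex digits of the objectGUID, and rid from the RID portion of the SID plus 1000), as an added Python example; this is not code from the StorNext documentation or product. It takes the RID as the last sub-authority of the SID rather than literally the last 4 digits, which is the general form of the worked example, and treating a masked value of 0 (outside the documented 1 to 2147483647 range) as an error is an assumption, not documented behaviour.

```python
import re

# Documented UID range for qtm_guid (see the note above).
UID_MIN, UID_MAX = 1, 2147483647

GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def qtm_guid(object_guid: str) -> int:
    """qtm_guid: first 8 hex digits of the objectGUID, masked with 0x7FFFFFFF."""
    if not GUID_RE.match(object_guid):
        raise ValueError(f"not a GUID string: {object_guid!r}")
    uid = int("0x" + object_guid[:8], 16) & 0x7FFFFFFF
    if not UID_MIN <= uid <= UID_MAX:
        # Assumption: after masking, only an all-zero prefix (uid 0) can land
        # outside the documented range; reject it rather than hand out uid 0.
        raise ValueError(f"qtm_guid {uid} outside {UID_MIN}..{UID_MAX}")
    return uid


def rid_uid(sid: str, base: int = 1000) -> int:
    """rid: the RID (last sub-authority of the SID) plus 1000."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    rid = int(sid.rsplit("-", 1)[1])
    return rid + base


def map_ids(object_guid: str, sid: str) -> dict:
    """Return both candidate UIDs for one account so the two schemes can be compared."""
    return {"qtm_guid": qtm_guid(object_guid), "rid": rid_uid(sid)}


if __name__ == "__main__":
    # Constructed inputs: the worked values from the documentation above.
    guid = "A546C5C4-0E3B-4D6F-9A02-C63C383F9DFA"
    sid = "S-1-5-21-2500398869-2327988562-2535538314-1117"
    print(map_ids(guid, sid))  # {'qtm_guid': 625395140, 'rid': 2117}
```

Because the two schemes yield different UIDs for the same account, switching idmap on a NAS that already holds files requires the reconciliation described under the Important note at the end of this page.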
Things to know: using rid
RID used to be the recommended ID mapping when rfc2307 was not available. It works in a similar fashion to qtm_guid, with the same limitations. However, it is NOT compatible with Xsan or StorNext Windows client mapping.
The Trivial Database (tdb) ID map option tells Samba to generate UIDs and GIDs — within the given default range or custom range — locally on demand.
If you have trusted domain environments joined to AD, you can map users with tdb IDs. Quantum recommends mapping non-trusted domain users with rid map options.
Things to know: using tdb
Sometimes this is used to force a specific mapping when all other mapping methods fail.
The Appliance Controller auth map ads user command allows you to select a specific UID for each user.
Use the following table to determine the appropriate ID map value, depending on whether you are running StorNext NAS on multiple nodes in your environment and whether the rfc2307 extension has been configured:
| Multiple Gateways | AD rfc2307 Extension | ID Map |
|---|---|---|
| Yes | Yes | rfc2307 |
| No | Yes | rfc2307 |
| Yes | No | qtm_guid, rid or tdb |
| No | No | qtm_guid, rid or tdb |
Important: If you change from your current mapping configuration to a new mapping configuration, you will also need to manually reconcile the mapping to any existing files within StorNext that users accessed under the original mapping. Otherwise, users may not be able to access these files.