Apply Apple OD Authentication to NAS
Apply Apple Open Directory (OD) authentication services to StorNext NAS by using the native Kerberos features of OD, without changing the existing authentication methods.
Important
Keep in mind that the ONLY StorNext NAS-supported authentication method for Apple OD services is Kerberos.
Note: For a list of all the Appliance Controller commands, see the Command Index.
Review the following terminology to assist you with the kadmin shell commands (these placeholders appear in the commands below):
- NAS: The server name, such as nas.
- NASfqdn: The full name of the server including the domain and top-level domain (tld), such as nas.domain.com.
- REALM: The domain on which the Kerberos authentication protocol acts, usually expressed as DOMAIN.TLD or ODMASTER.DOMAIN.TLD.
You can determine how the Kerberos Realm is expressed by entering the following command from a server bound to the domain:
sso_util info -g
Note: The Kerberos Realm should always be entered in upper case letters.
Note: Generating Kerberos keytab files on Mac OS X 10.10 and earlier is no longer supported.
Note: In the following procedure, make sure to use the indicated case when entering commands.
- Log in to the OD Server as the root user.
- Enter the following to create the service principal in the Kerberos database:
krbservicesetup -x cifs cifs/NASfqdn@REALM
The following output is normal:
ktutil: remove: Key table entry not found
Important
If you are configuring a NAS cluster in your environment, you need to create a service principal for each node within the cluster and for the NAS VIP.
See NAS Cluster Overview.
- Enter the following to open the kadmin shell:
kadmin -l
- Enter the following to verify that the service principal has been created:
get cifs/NASfqdn@REALM
- Enter the following to create a keytab that contains the service principal:
ext_keytab -k krb5.keytab.NAS cifs/NASfqdn@REALM
- Enter the following to exit the kadmin program:
quit
- Confirm that the krb5.keytab.NAS file is present in the working directory.
- Copy the keytab file to the /var/upgrade directory on the Appliance Controller.
Important
For the Appliance Controller to recognize and import the keytab file, you must name the file krb5.keytab.
- Log in to the Appliance Controller CLI.
- Enter the following command to import the keytab file into the Appliance Controller:
auth import keytab
Example:
> auth import keytab
Imported keytab /var/upgrade/krb5.keytab
- After the keytab is imported, log in to the Appliance Controller CLI.
- Enter the following command to enable OD authentication:
auth config aod <ip_addr|host> <KERBEROS_REALM> [ldap-domain]
The parameters are:
<ip_addr|host>
IP address or hostname for the OD server. The port is not required and will be set to 636 to ensure encryption. If the Appliance Controller cannot access port 636, it will fall back to port 389, which carries LDAP without that encryption.
<KERBEROS_REALM>
Your Kerberos Realm.
<ldap_domain>
Optional LDAP domain, used when it does not match the Kerberos Realm.
Example:
> auth config aod 192.168.1.10 AOD.DOMAIN.COM
Configured Apple open directory services authentication
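As an added example (not Quantum's or Apple's code), the following POSIX shell script plans the OD-side part of the procedure above for the cluster case: one cifs/ principal per node plus one for the NAS VIP, with the realm checked for upper case, and it checks a keytab listing for every expected principal before the keytab is copied to /var/upgrade. The realm, hostnames and the ktutil listing are constructed sample values; that ext_keytab accepts several principals in one call and the ktutil -k <file> list output layout are assumptions.

```shell
#!/bin/sh
# Added example, not Quantum's or Apple's code. Plans the OD-side work for a
# StorNext NAS cluster (one cifs/ principal per node plus the NAS VIP) and
# checks a keytab listing for all of them before the keytab is copied.
# Assumed: realm, hostnames and listing are constructed samples; the kadmin
# lines are printed for review, not executed.

# The page requires the Kerberos realm in upper case; reject anything else.
check_realm() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the OD-side commands for every FQDN given (nodes first, VIP last):
# one krbservicesetup per host, then a kadmin -l session that verifies each
# principal and exports all of them into one keytab (assumed: ext_keytab
# accepts several principals in one call).
plan_principals() {
    realm="$1"; shift
    check_realm "$realm" || { echo "realm must be upper case: $realm" >&2; return 1; }
    list=""
    for fqdn in "$@"; do
        echo "krbservicesetup -x cifs cifs/$fqdn@$realm"
        list="$list cifs/$fqdn@$realm"
    done
    echo "kadmin -l"
    for p in $list; do echo "get $p"; done
    echo "ext_keytab -k krb5.keytab.NAS$list"
    echo "quit"
}

# Read a 'ktutil -k <file> list' listing on stdin and report every expected
# principal that is absent; returns 1 if any is missing.
keytab_has_all() {
    realm="$1"; shift
    listing=$(cat)
    missing=0
    for fqdn in "$@"; do
        printf '%s\n' "$listing" | grep -qF "cifs/$fqdn@$realm" ||
            { echo "missing from keytab: cifs/$fqdn@$realm" >&2; missing=1; }
    done
    return $missing
}

# Constructed sample listing: nas2 was never exported, so the check must fail.
SAMPLE_LISTING='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  cifs/nas1.domain.com@AOD.DOMAIN.COM
  1  aes256-cts-hmac-sha1-96  cifs/nas-vip.domain.com@AOD.DOMAIN.COM'

plan_principals AOD.DOMAIN.COM nas1.domain.com nas2.domain.com nas-vip.domain.com
printf '%s\n' "$SAMPLE_LISTING" |
    keytab_has_all AOD.DOMAIN.COM nas1.domain.com nas2.domain.com nas-vip.domain.com ||
    echo "keytab incomplete: do not copy it to /var/upgrade yet"
```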
If you choose to manage user access to SMB shares with ACLs and OpenLDAP authentication — rather than using SMB options such as admin users, valid users, and invalid users — you must enable SID mapping.
Important
You only need to enable SID mapping if you want to use ACLs with your OpenLDAP server. If you are using local or AD authentication, you do not need to enable SID mapping.
You can disable SID mapping if you no longer want to use ACLs with your OpenLDAP server. However, when you disable SID mapping under these circumstances, ACLs that have already been applied to folders and subfolders will remain, and in most cases, will be enforced.
Additional Considerations
Before enabling SID mapping in StorNext NAS, we recommend configuring ACLs in one of the following ways:
- From Xsan clients, use the chmod +a | -a | =a command. See Display and Modification of File Permissions in the StorNext Documentation Center.
- From Linux and Unix native StorNext clients, use the snacl +a | -a | =a command. See Display and Modification of File Permissions in the StorNext Documentation Center.
- Log in to the Appliance Controller CLI.
- Enter:
auth map sid enable
Example:
> auth map sid enable
SID mapping enabled and domain-sid has been set to S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
You can optionally include the domainsid parameter (if auto-detection does not work):
auth map sid enable <domainsid>
<domainsid>
This parameter is optional and specifies the authentication server's domain security identifier (SID) if auto-detection does not work.
Example:
> auth map sid enable S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
SID mapping enabled and domain-sid has been set to S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
Important
You can disable SID mapping if you no longer want to use ACLs with your OpenLDAP server. However, when you disable SID mapping under these circumstances, ACLs that have already been applied to folders and subfolders will remain, and in most cases, will be enforced.
- Log in to the Appliance Controller CLI.
- Enter:
auth map sid disable
Example:
> auth map sid disable
SID mapping disabled