Configuration Examples
The following are examples of high-level steps to configure StorNext for various security configurations.

This configuration uses Active Directory for ID mapping and enforces ACLs on all platforms.
- From the StorNext GUI, for each file system where ACLs are to be used, set securityModel=acl and unixIdMapping=winbind. Use the mdc value when the MDCs for a file system are bound to Active Directory using Winbind but one or more of the Linux clients in the environment are not running Winbind. For example, Linux clients may instead be bound to Active Directory using sssd. Setting unixIdMapping to mdc supports such environments by having Linux clients forward ID mapping requests to the MDC for processing.
- Join StorNext Windows and Xsan clients to Active Directory. Xsan clients should be configured to use RFC2307 mapping.
- Join all Linux systems to Active Directory using Winbind with rfc2307. Refer to operating system documentation for instructions. Or, when using StorNext appliances licensed for the NAS stack, the Appliance Controller can be used to join to Active Directory. For example:
  x86_64:mymdc1> auth config ads administrator ad.mycompany.com mycompany.com rfc2307
  Note: Before running these commands, ensure that the license.dat files on the MDCs contain proper NAS licenses and that the system clocks on the MDCs and the Active Directory server are relatively in sync.

This configuration uses Active Directory for ID mapping and enforces Unix permission bits on all platforms.
- From the StorNext GUI, for each file system where Unix permissions bits are to be used, set securityModel=unixpermbits and windowsIdMapping=ldap.
  Note: Complete this step when the file systems are created. Typically, it is not possible to switch to the unixpermbits security model after a file system has been created.
- Join StorNext Windows clients to Active Directory.

This configuration uses the password service on the MDC for ID mapping and enforces Unix permission bits on all platforms.
- Update the password file/database on the MDC so that account names exactly match the local accounts on Windows clients; however, the names are allowed to vary by case.
- From the StorNext GUI, for each file system where Unix permissions bits are to be used, set securityModel=unixpermbits and windowsIdMapping=mdc.
  Note: Complete this step when the file systems are created. Typically, it is not possible to switch to the unixpermbits security model after a file system has been created.

In this configuration, macOS clients use Open Directory for ID mapping. Linux clients use algorithmic mapping, and it is assumed that no Windows clients are in the environment.
- Join macOS and Linux clients to Open Directory.
  Note: For Linux clients, use sssd instead of winbind.
- From the StorNext GUI, for each file system where Open Directory is to be used, set securityModel=acl and unixIdMapping=algorithmic.
- On a macOS system, run the following command, where username is the name of any regular user account in Open Directory.
  $ dsmemberutil getsid -U username
  This will return a string such as the following:
  S-1-5-21-2553502104-2799725507-638401443-3106
  The Domain SID is the string without the trailing RID, so in this example it has the value S-1-5-21-2553502104-2799725507-638401443. The following command may be run on primary and standby MDCs to set this domain SID:
  mdc# echo S-1-5-21-2553502104-2799725507-638401443 > /usr/cvfs/config/domainsid
- After configuring the domainsid, file systems must be restarted on the FSM for it to take effect.
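
The RID-stripping step above, as an added shell example that is not part of the StorNext documentation: it validates the SID before deriving the domain SID, so a truncated or mistyped value is never written to the domainsid file. The function names are hypothetical, and the S-1-5-21-x-y-z-RID layout is assumed from the example SID shown above.

```shell
#!/bin/sh
# Added example (not StorNext code). Function names are hypothetical.
# Assumption: user SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>,
# as in the sample output of `dsmemberutil getsid -U username` above.

# domain_sid_from_user_sid USER_SID
# Prints the domain SID (user SID without the trailing RID).
# Returns 1 and prints nothing on stdout if the input is malformed.
domain_sid_from_user_sid() {
    sid=$1
    # Require exactly three domain sub-authorities plus a RID, all decimal.
    if ! printf '%s\n' "$sid" |
        grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'; then
        echo "not a domain user SID: $sid" >&2
        return 1
    fi
    # Remove the shortest trailing "-<RID>" component.
    printf '%s\n' "${sid%-*}"
}

# write_domain_sid USER_SID TARGET_FILE
# Writes the derived domain SID to TARGET_FILE only if validation passed.
# On an MDC, TARGET_FILE would be /usr/cvfs/config/domainsid.
write_domain_sid() {
    dom=$(domain_sid_from_user_sid "$1") || return 1
    printf '%s\n' "$dom" > "$2"
}
```

Run write_domain_sid with the same user SID on the primary and standby MDCs so both hold an identical domainsid value.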

In this example, it is assumed that the environment contains no Xsan or Windows clients but ACL enforcement is still desired.
- Ensure that all Linux/Unix clients are using the same database for UIDs and GIDs. For example, they are all bound to the same NIS domain, are using identical password files, or are bound to the same Active Directory server, etc.
- From the StorNext GUI, for each file system where ACLs are to be used, set securityModel=acl and unixIdMapping=algorithmic.
For additional information, refer to the snfs_config(5) man page or the following sections in the Windows Help.
- User ID Mapping Overview
- Windows Active Directory Config
- Apple/XSAN Fabricated ID’s
- Unix Permissions Background