HOWTO: Joining SN-NAS to Active Directory with a user account that is NOT member of Domain Admin

This article was submitted by Danny Barbour/SPS on 2/6/2017.

Thanks Danny!

 

Team,

Today I learned that you can join SN-NAS to an Active Directory domain with a regular domain user that is not in the ‘Domain Admins’ group (see steps below). We had to do this for Altess today, who was setting up a NAS cluster at a site with very strict security requirements. The site requires the domain join process be performed by a regular domain user (not in the ‘Domain Admins’ group), and the computer object must be created ahead of time:

 

1. Create the computer object for the NAS VIP ahead of time (nested OUs are fine) and grant the AD user or group ‘Full Control’ of that object.

2. vi "/usr/local/quantum/python/plugins/ldap_plugin.py" (on all nodes, if in a cluster) and comment out these lines:

        #if not admin:
        #    # Not in the Domain Admins group.
        #    errmsg = "Notice: user '{0}' is not member of {1} group, may not be able to create computer account in {2}".format(
        #        user, lc.AD_DOMAIN_ADMINS, base)
        #    cmd_update(self.db, uuid, errmsg)

3. Join the domain with your standard ‘auth config ads’ command. This customer is at a dark site, so here’s an example from my lab:

 

x86_64:mdc02> auth config ads testuser 192.168.1.100 testlab.local rid
Please enter the password for user testuser:

Auth-configuration starting ...
Applying ads configuration settings ...
Checking SMB interface list: lo 192.168.1.110
Checking SMB interface 'eth0:nas:192.168.1.110' status ...
Join to TESTLAB.LOCAL starting ...
Verify now joined to TESTLAB.LOCAL ...
Restart SMB services to join with TESTLAB.LOCAL ...
Sending ads auth-config sync to 192.168.1.101 ...
[192.168.1.101]:
[192.168.1.101]:
[192.168.1.101]: Updating system NAS cluster configuration ...
[192.168.1.101]: Verifying local configuration with master 192.168.1.102 ...
[192.168.1.101]: Synchronization of local configuration with master 192.168.1.102 starting...
[192.168.1.101]: Applying ads configuration settings ...
[192.168.1.101]: Checking SMB interface list: lo 192.168.1.101
[192.168.1.101]: Checking SMB interface 'eth0:192.168.1.101' status ...
[192.168.1.101]: Join to TESTLAB.LOCAL starting ...
[192.168.1.101]: Verify now joined to TESTLAB.LOCAL ...
[192.168.1.101]: Restart SMB services to join with TESTLAB.LOCAL ...
Successfully configured Active Directory services authentication

x86_64:mdc02> auth show config
Status:  OK
Type:    ads
Domain:  testlab.local
Url:     ldap://192.168.1.100:389
DC:      dc=testlab,dc=local
CN:      testuser,dc=testlab,dc=local
IDMap:   rid

x86_64:mdc02> auth show user testuser
uid=1261(testuser) gid=613(domain users)

[root@mdc02 ~]# id testuser
uid=1261(testuser) gid=613(domain users) groups=613(domain users),1261(testuser),1262(qservice),33554438(BUILTIN+users)

 

Regards,
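The AD-side pre-staging that step 1 above calls for, as an added example that is not part of Danny's article or of the SN-NAS product: this PowerShell is run once by an administrator who can create computer objects in the target OU and edit their ACLs (an assumption about the site's delegation model). It creates the computer object for the NAS VIP in a nested OU and grants one group Full Control of that single object, which is all the regular join account then needs. The computer name NASVIP, the OU path OU=NAS,OU=Storage and the group NAS-Joiners are assumptions; the domain testlab.local is taken from the lab output above.

```powershell
# Added example (not from the original article): pre-stage the NAS VIP computer object
# and delegate Full Control of that one object to the group that holds the join account.
Import-Module ActiveDirectory

$computerName = 'NASVIP'                                 # assumed name of the NAS VIP computer object
$ouPath       = 'OU=NAS,OU=Storage,DC=testlab,DC=local'   # assumed nested OU in the article's testlab.local domain
$joinGroup    = 'NAS-Joiners'                             # assumed group containing the regular join user (e.g. testuser)

# 1. Create the computer object ahead of time if it does not already exist.
#    The object stays enabled; the NAS sets the account password during 'auth config ads'.
if (-not (Get-ADComputer -Filter "Name -eq '$computerName'" -ErrorAction SilentlyContinue)) {
    New-ADComputer -Name $computerName -Path $ouPath -Enabled $true
}
$dn = (Get-ADComputer -Identity $computerName).DistinguishedName

# 2. Grant the group Full Control (GenericAll) on this object only, with no inheritance,
#    so the delegation does not spill onto the OU or any sibling objects.
$sid = (Get-ADGroup -Identity $joinGroup).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$dn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 3. Verify the delegation before anyone runs 'auth config ads' on the NAS:
#    the group should appear with GenericAll / Allow on the computer object.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like "*\$joinGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Because the rights are granted on the pre-created object rather than on the OU, the join account needs no ability to create computer accounts anywhere in the domain, which is why the Domain Admins check that step 2 comments out is not needed for the join to succeed. Full Control over a computer object is still a sensitive right in its own right, so grant it to a dedicated group, keep that group's membership small, and review the ACE once the cluster has joined.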

 



This page was generated by the BrainKeeper Enterprise Wiki, © 2018