Configuring AD-based authentication with RFC2307 ID mapping

When IBM Storage Scale is configured for AD-based authentication with the RFC2307 ID mapping method, ID mappings are read from the AD server: the value stored in the uidNumber attribute of a user and in the gidNumber attribute of a group is taken directly from AD.

This ID mapping method is useful when:
  • You have user IDs and group IDs that are already populated on the AD server.
  • You want to host data on the IBM Storage Scale system that both NFS and SMB clients access.
  • You want to host multiple IBM Storage Scale systems in an AFM relationship.
If you use AD-based authentication and the ID maps are not configured with RFC2307, the IBM Storage Scale system uses automatic ID mapping by default. In a setup with multiple AD domains, the IBM Storage Scale system reads IDs from the AD server only for the AD domains that are configured with RFC2307 ID mapping; the remaining AD domains use the automatic ID mapping mode.

Configuring Active Directory with RFC2307 mapping

The following steps provide an example of configuring Active Directory (AD) with RFC2307 mapping.
  1. Issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ad --data-access-method file --netbios-name ess \
      --user-name administrator --idmap-role master --servers myADserver \
      --idmap-range-size 1000000 --idmap-range 10000000-299999999 \
      --unixmap-domains 'DOMAIN(5000-20000)'
    The system displays the following output:
    File authentication configuration completed successfully.
  2. Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                ess$
    NETBIOS_NAME             ess
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN(5000-20000:win)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
  3. Verify the user name resolution on the system. Confirm that the resolution is showing IDs that are pulled from RFC2307 attributes on the AD server.
    # id DOMAIN\\administrator
    uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users)
    groups=10000(DOMAIN\domain users)

Configuring Active Directory using Kerberos with RFC2307 ID mapping

The following steps provide an example of configuring Active Directory (AD) by using Kerberos with RFC2307 mapping.
  1. Issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --data-access-method file --type ad --netbios-name kknode_v42 \
      --servers myADserver --user-name administrator --idmap-role master \
      --enable-nfs-kerberos --unixmap-domains "DOMAIN(10000-200000)"
    The system displays the following output:
    File authentication configuration completed successfully.
  2. Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      true
    SERVERS                  "*"
    USER_NAME                kknode_v42$
    NETBIOS_NAME             kknode_v42
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN(1000-200000:win)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
  3. Verify the user name resolution on the system. Confirm that the resolution is showing IDs that are pulled from RFC2307 attributes on the AD server.
    # id DOMAIN\\administrator
    uid=10002(DOMAIN\administrator) gid=40000(DOMAIN\domain users)
    groups=11000545(BUILTIN\users),11000544(BUILTIN\administrators)

Configuring Active Directory using IPv6 address with RFC2307 ID mapping

The following steps provide an example of configuring Active Directory (AD) by using an IPv6 address with RFC2307 mapping.
  1. Issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ad --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] \
      --netbios-name specscale --user-name adUser --idmap-role master \
      --unixmap-domains 'TESTDOMAIN(10000-50000:win)'
    The system displays the following output:
    File authentication configuration completed successfully.
  2. Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                adUser$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          TESTDOMAIN(10000-50000:win)
    LDAPMAP_DOMAINS          none

    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
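Step 3 of each procedure above is where a silent fallback to automatic mapping becomes visible: a user or group with no uidNumber or gidNumber in AD receives an ID from IDMAP_RANGE instead of from the UNIXMAP_DOMAINS range, and file ownership then no longer matches the IDs that NFS clients or an AFM peer expect. The following added Python check (not part of IBM's documentation or tooling) parses the mmuserauth service list and id output formats shown above and labels every ID as RFC2307-mapped, automatically mapped, or outside both ranges; the sample outputs are constructed from the values in the first two procedures.

```python
import re

# Constructed sample in the format printed by `mmuserauth service list`
# (values from the first procedure above).
SERVICE_LIST = """\
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN(5000-20000:win)
LDAPMAP_DOMAINS          none
"""

# Constructed sample `id` output; the BUILTIN group is from the Kerberos example.
ID_OUTPUT = ("uid=10002(DOMAIN\\administrator) gid=10000(DOMAIN\\domain users) "
             "groups=10000(DOMAIN\\domain users),11000545(BUILTIN\\users)")


def parse_service_list(text):
    """Return (idmap_low, idmap_high) and {DOMAIN: (low, high)} for RFC2307 domains."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([A-Z_]+)\s+(\S.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    lo, hi = map(int, params["IDMAP_RANGE"].split("-"))
    unixmap = {}
    # UNIXMAP_DOMAINS entries look like DOMAIN(low-high) or DOMAIN(low-high:win).
    for dom, a, b in re.findall(r"([^\s,;()]+)\((\d+)-(\d+)(?::\w+)?\)",
                                params.get("UNIXMAP_DOMAINS", "")):
        unixmap[dom.upper()] = (int(a), int(b))
    return (lo, hi), unixmap


def classify_ids(id_output, idmap_range, unixmap):
    """Label each NUM(DOMAIN\\name) token: rfc2307, auto (fallback) or unexpected."""
    labels = []
    for num, name in re.findall(r"(\d+)\(([^)]*)\)", id_output):
        n = int(num)
        domain = name.split("\\", 1)[0].upper()
        if domain in unixmap and unixmap[domain][0] <= n <= unixmap[domain][1]:
            label = "rfc2307"
        elif idmap_range[0] <= n <= idmap_range[1]:
            label = "auto"
        else:
            label = "unexpected"
        labels.append((name, n, label))
    return labels


def check_user(id_output, service_list=SERVICE_LIST):
    """Return (labels, ok); ok is True only if uid and primary gid are RFC2307-mapped."""
    idmap_range, unixmap = parse_service_list(service_list)
    labels = classify_ids(id_output, idmap_range, unixmap)
    return labels, len(labels) >= 2 and all(l == "rfc2307" for _, _, l in labels[:2])
```

In production, feed the function the live output of the two commands from step 2 and step 3; a result of False for a user that should be RFC2307-mapped means the uidNumber or gidNumber attribute is missing on the AD side or the domain is not listed in --unixmap-domains.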