AD authentication with RFC2307 ID mapping for picking UNIX primary group
You can configure IBM Storage Scale system authentication with Active Directory (AD) and RFC2307 ID mapping, or with AD using Kerberos NFS and RFC2307 ID mapping. In these authentication methods, Active Directory stores the user credentials, and RFC2307 attributes on the same AD server store the UIDs and GIDs. These authentication schemes are useful when you plan to use a pre-existing UNIX client or the NFS protocol together with the SMB protocol for data access. RFC2307 ID mapping is configurable per AD domain. If you use AD-based authentication and the ID maps for a domain are not configured with RFC2307, the IBM Storage Scale system uses automatic ID mapping for that domain by default.
The following provides an example of how to configure the IBM
Storage Scale system with Active Directory and RFC2307 ID
mapping for picking UNIX primary group:
- Submit the mmuserauth service create command as shown in the following example:
# mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myADserver --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000:unix)'
The system displays this output:
File authentication configuration completed successfully.
- Issue this command to verify the authentication configuration:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                ess$
NETBIOS_NAME             ess
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN(5000-20000:unix)
LDAPMAP_DOMAINS          none

OBJECT access not configured
PARAMETERS               VALUES
- Verify the user name resolution on the system after successfully authenticating the user. Confirm that the resolution shows the primary group picked up as defined in the UNIX attributes of the user, and validate that the IDs that are pulled come from the RFC2307 attributes on the AD server:
# id DOMAIN\\unixuser
The system displays the following output:
uid=10002(DOMAIN\unixuser) gid=10000(DOMAIN\unix users) groups=10000(DOMAIN\unix users),11000545(BUILTIN\users),11000544(BUILTIN\administrators)
Configuring AD using Kerberos with RFC2307 ID mapping
- Submit the mmuserauth service create command as shown in the following example:
# mmuserauth service create --data-access-method file --type ad --netbios-name ess --servers myADserver --user-name administrator --idmap-role master --enable-nfs-kerberos --unixmap-domains "DOMAIN(10000-200000:unix)"
The system displays the following output:
File authentication configuration completed successfully.
- Issue the mmuserauth service list command to verify the authentication configuration, as shown in the following example:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      true
SERVERS                  "*"
USER_NAME                ess$
NETBIOS_NAME             ess
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN(10000-200000:unix)
LDAPMAP_DOMAINS          none

OBJECT access not configured
PARAMETERS               VALUES
- Verify the user name resolution on the system after successfully authenticating the user. Confirm that the resolution shows the primary group picked up as defined in the UNIX attributes of the user, and validate that the IDs that are pulled come from the RFC2307 attributes on the AD server:
# id DOMAIN\\unixuser
The system displays the following output:
uid=10002(DOMAIN\unixuser) gid=10000(DOMAIN\unix users) groups=10000(DOMAIN\unix users),11000545(BUILTIN\users),11000544(BUILTIN\administrators)
Note: If the domain mapping is set to ":unix", it is expected that the user's UNIX attribute "gidNumber" is populated correctly. If the attribute is empty, authentication falls back to the "gidNumber" of the user's primary group.
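The following POSIX shell check is an added example, not part of the IBM documentation: it parses an `id` line such as the ones shown in the verification steps above and confirms that the UID and primary GID fall inside the UNIXMAP_DOMAINS range (5000-20000 from the first example), which is what you see when the RFC2307 uidNumber and gidNumber attributes were applied rather than the automatic IDMAP_RANGE. The sample `id` lines are constructed; the second one shows an account whose IDs came from automatic mapping.

```shell
#!/bin/sh
# Added example (not IBM code): verify that uid/gid in an id(1) line come from
# the RFC2307 range configured in UNIXMAP_DOMAINS, not from IDMAP_RANGE.
UNIXMAP_LOW=5000
UNIXMAP_HIGH=20000

# id_field FIELD LINE: print the number in "FIELD=<n>(" from an id(1) line.
# Whitespace splitting is safe: group names with spaces only affect the text
# after the opening parenthesis of the field.
id_field() {
    printf '%s\n' "$2" | awk -v f="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, f "=") == 1) { split($i, a, /[=(]/); print a[2]; exit }
    }'
}

# in_range N LOW HIGH: succeed when LOW <= N <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_id_line LINE: 0 when uid and gid are inside the UNIXMAP range,
# 1 when either lies outside it (automatic ID mapping), 2 when unparsable.
check_id_line() {
    idline=$1
    uid=$(id_field uid "$idline")
    gid=$(id_field gid "$idline")
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "cannot parse uid/gid from: $idline" >&2
        return 2
    fi
    rc=0
    in_range "$uid" "$UNIXMAP_LOW" "$UNIXMAP_HIGH" ||
        { echo "uid $uid outside $UNIXMAP_LOW-$UNIXMAP_HIGH: uidNumber not applied"; rc=1; }
    in_range "$gid" "$UNIXMAP_LOW" "$UNIXMAP_HIGH" ||
        { echo "gid $gid outside $UNIXMAP_LOW-$UNIXMAP_HIGH: no gidNumber on user or primary group"; rc=1; }
    return $rc
}

# Constructed samples: the first matches the documented output, the second is
# an account without RFC2307 attributes (IDs allocated from IDMAP_RANGE).
SAMPLE_RFC2307='uid=10002(DOMAIN\unixuser) gid=10000(DOMAIN\unix users) groups=10000(DOMAIN\unix users),11000545(BUILTIN\users),11000544(BUILTIN\administrators)'
SAMPLE_AUTOMATIC='uid=10001234(DOMAIN\plainuser) gid=10000513(DOMAIN\domain users) groups=10000513(DOMAIN\domain users)'

for l in "$SAMPLE_RFC2307" "$SAMPLE_AUTOMATIC"; do
    check_id_line "$l" && echo "OK: IDs come from the RFC2307 range"
done
```

On a live node, replace the sample strings with `id 'DOMAIN\user'` output and set the range to the value shown under UNIXMAP_DOMAINS by mmuserauth service list.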