Prerequisite for configuring AD-based authentication for file access

See Integrating with AD server for more information on the prerequisites for integrating AD server with the IBM Storage Scale system.

You must run the mmuserauth service create command with the following parameters to create AD-based authentication for file access:
  • --type ad
  • --data-access-method file
  • --servers server host name or IP address
  • --netbios-name netBiosName
  • --user-name admin-username
  • --unixmap-domains <unixDomainMap>. This option is mandatory if RFC2307 ID mapping is used. For example, --unixmap-domains DOMAINS(5000-20000). It specifies the Active Directory domains for which the user ID and group ID must be fetched from the Active Directory server (RFC2307 schema attributes).
  • --idmap-role master | subordinate. When you use automatic ID mapping and need the same ID maps on systems that share an Active File Manager (AFM) relationship, you must export the ID mappings from the system whose ID map role is master to the system whose ID map role is subordinate.

For more information about each parameter, see the mmuserauth service create command.

Prerequisites for configuring AD with RFC2307

The following prerequisites are specific to AD with RFC2307 configuration:
  • RFC2307 schema is extended on the AD and all UNIX attributes (including UID and GID) are populated.
  • If a trusted domain is configured with ID mapping from RFC2307, the trusted domain must have a two-way trust with the host domain. The host domain is the Active Directory domain that is configured for use with the IBM Storage Scale system. For example, assume that the trusted domains are X, Y, and Z, and that the IBM Storage Scale system is configured with domain X as the host domain. If RFC2307 ID mappings are required for domains Y and Z, domains Y and Z must each have a two-way trust with domain X: X <-> Y ; X <-> Z.
  • Users and groups in the Active Directory domain that is configured with ID mapping from RFC2307 must have a valid UID and a valid GID assigned to enable access to IBM Storage Scale system exports. The UID and GID numbers that are assigned must be within the ID map range that is specified in the mmuserauth service create command. Any users or groups from this domain that do not have UID or GID attributes configured are denied access.
Note: The primary Windows group that is assigned to an AD user must have a valid GID assigned within the specified ID-mapping range. The primary Windows group is usually located in the Member Of tab in the user's properties. The primary Windows group is different from the UNIX primary group, which is listed in the UNIX Attributes tab. A user is denied access if a valid GID is not assigned to the user’s Windows primary group. The UNIX primary group attribute is ignored.
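As an added example (not from the IBM Storage Scale documentation or product), the following Python script audits a constructed export of AD user and group objects against the RFC2307 prerequisites above: it parses the range from the --unixmap-domains value and flags users whose uidNumber, or whose Windows primary group's gidNumber, is missing or outside that range. The export format and the sample values are assumptions; the attribute names are the standard AD schema names.

```python
import re
# Constructed sample export of AD objects (hypothetical); attribute names are the
# standard AD / RFC2307 schema names. GROUPS is keyed by group RID (what primaryGroupID holds).
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 5001, "gidNumber": 5100, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 30000, "gidNumber": 5100, "primaryGroupID": 513},
    {"sAMAccountName": "carol", "uidNumber": None, "gidNumber": None, "primaryGroupID": 513},
    {"sAMAccountName": "dave", "uidNumber": 5002, "gidNumber": 5100, "primaryGroupID": 1105},
]
GROUPS = {
    513: {"sAMAccountName": "Domain Users", "gidNumber": 5100},
    1105: {"sAMAccountName": "finance", "gidNumber": None},
}

def parse_unixmap_range(spec):
    """Extract (low, high) from an --unixmap-domains value such as 'DOMAINS(5000-20000)'."""
    m = re.fullmatch(r"\s*[\w.-]+\((\d+)-(\d+)\)\s*", spec)
    if not m:
        raise ValueError(f"unrecognised --unixmap-domains value: {spec!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"empty ID map range in {spec!r}")
    return low, high

def check_user(user, groups, id_range):
    """Return the reasons this user would be denied access; an empty list means OK."""
    low, high = id_range
    problems = []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("uidNumber not populated")
    elif not low <= uid <= high:
        problems.append(f"uidNumber {uid} outside ID map range {low}-{high}")
    # Only the Windows primary group (primaryGroupID) matters; the user's own
    # gidNumber (UNIX primary group attribute) is ignored by the mapping.
    group = groups.get(user.get("primaryGroupID"))
    gid = group.get("gidNumber") if group else None
    if gid is None:
        problems.append("Windows primary group has no gidNumber")
    elif not low <= gid <= high:
        problems.append(f"primary group gidNumber {gid} outside ID map range {low}-{high}")
    return problems

def audit(users, groups, spec):
    """Map each sAMAccountName to its list of problems for the given --unixmap-domains spec."""
    id_range = parse_unixmap_range(spec)
    return {u["sAMAccountName"]: check_user(u, groups, id_range) for u in users}
```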

In the case of a mutual trust setup between two independent AD domains, DNS forwarding must be configured between the two domains.