Related Tips & Info

Deploying NetApp Filer in a DSfW environment

psahukar
 
0 Likes
This document presents the configuration and working of NetApp filer in a DSfW environment.

For this exercise, let's select a very simple environment that consists of a single domain DSfW forest.

The setup details are as follows:

  • A OES2 SP3 server running DSfW forest with a single domain

    (Refer to the DSfW Administration Guide for details on forest and domain)

  • A NetApp filer

  • A Windows XP workstation joined to the DSfW domain

  • A DSfW user


Pictorially, the setup looks as follows:

dsfw-1.png

DSfW domain provisioning

DSfW is Domain Services for Windows, a product shipped with the OES platform starting from OES2 SP1. Refer to the DSfW Administration Guide mentioned below for DSfW installation and provisioning.

OES 2 SP3: Domain Services for Windows Administration Guide

Let's take the simplest scenario, 'Installing a Forest Root Domain' option in 'Installing DSfW in a Non-Name-Mapped Setup' section 6.2.1. Follow section 6.2.1 and chapter 7 'Provisioning Domain Services for Windows' to complete the DSfW installation and provisioning. Please note, the DSfW domain/forest configuration is complete only after operations in chapter 7 are completed. After doing this, chapter 8 can be run to verify the provisioning status.

Active Directory domain authentication setup on NetApp filer

In this section let's look at the Active Directory domain authentication setup on the NetApp filer. In simple terms it is joining the NetApp filer to the DSfW domain.

NetApp works in a domain mode. The command to perform the cifs configuration on the NetApp box is 'cifs setup'.

The DNS resolver configuration points to the DSfW DC. A sample output is as follows:
nfs-netapp-2> dns info
...snip...
Default domain: GMC3.COM
Search domains: GMC3.COM

Below is the verbatim of a 'cifs setup' run.
nfs-netapp-2> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

        This filer is currently a member of the Active Directory domain
        'USA.EDU'.
Do you want to continue and change the current filer account information? [n]: y
        Your filer is currently visible to all systems using WINS. The WINS
        name server currently configured is: [ 192.168.28.20 ].

(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS

Selection (1-3)? [1]:
        This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
        The default name for this CIFS server is 'NFS-NETAPP-2'.
Would you like to change this name? [n]:
        Data ONTAP CIFS services support four styles of user authentication.
        Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [USA.EDU]: gmc3.com
        In order to create an Active Directory machine account for the filer,
        you must supply the name and password of a Windows account with
        sufficient privileges to add computers to the GMC3.COM domain.
Enter the name of the Windows user [Administrator@GMC3.COM]:
Password for Administrator@GMC3.COM:
CIFS - Logged in as Administrator@GMC3.COM.
        Setup was unable to retrieve a list of joinable containers
        (organizational units) from Active Directory, therefore a list of
        selectable options cannot be provided. Please enter the distinguished
        name of the container that you would like the filer to join below.
        There is no need to add the domain name portion, 'dc=gmc3,dc=com', of
        the distinguished name.
Enter the name of the organizational unit [CN=Computers]:
CIFS - Starting SMB protocol...
Welcome to the GMC3.COM (GMC3) Active Directory(R) domain.

CIFS local server is running.
nfs-netapp-2>

Joining a Windows workstation to DSfW domain

Join the Windows XP workstation to the DSfW domain. The below link has the required details for the join operation.

Joining a Windows Workstation to a DSfW Domain

After joining the Windows workstation, login as the DSfW user (rocky) via domain logon.

Browsing the computer's container in the domain partition of the eDirectory tree, will show the last two objects created as a result of the above two operations.
lin-gmc:~ # ldapsearch -b "cn=computers,dc=gmc3,dc=com" -s one dn -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0 uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=QWERT-XP1,cn=Computers,dc=gmc3,dc=com
dn: cn=WIN2K3-2,cn=Computers,dc=gmc3,dc=com
dn: cn=XPCLIENT,cn=Computers,dc=gmc3,dc=com
dn: cn=NFS-NETAPP-2,cn=Computers,dc=gmc3,dc=com

DSfW User Management

We are now ready with the DSfW environment. We will need some users and maybe groups for this exercise. User management in DSfW can be done through iManager or MMC. There is a command line approach to it that I am going to present here.

The command line tool for user/group management in DSfW is 'pgo'. The tool is located at /opt/novell/xad/sbin/

Setup the environment to run this tool:
$ export SASL_PATH=/opt/novell/xad/lib/sasl2 # change lib to lib64 for X86_64 environment
$ kinit administrator  # the domain administrator
$ pgo -t user –add rocky # there are 2 hyphes for the add option

The above set of commands create a DSfW user 'rocky'.

The Final Step

In this last step, we will see the working of the whole setup. In a typical scenario, the NetApp filer will host some CIFS shares. Domain Users will map to the CIFS shares from their desktops, using their domain identity.

Now let's create a CIFS share on the NetApp filer.
nfs-netapp-2> qtree status
Volume   Tree     Style Oplocks  Status
-------- -------- ----- -------- ---------
vol0              ntfs  enabled  normal
vol0     test1    unix  enabled  normal
vol0     testnss  unix  enabled  normal
vol3              ntfs  enabled  normal
vol1              ntfs  enabled  normal
vol4              ntfs  enabled  normal
newvol1           ntfs  enabled  normal
newvol1  newvol1  unix  enabled  normal
vol2              ntfs  enabled  normal
vol5dsfw          ntfs  enabled  normal
MPVOl2            ntfs  enabled  normal
VOLUME_30GB          ntfs  enabled  normal

The above command will list volume information on the NetApp filer. Let's select one volume for our CIFS share. Selecting 'vol4' for this exercise. Note: the security style on 'vol4' is 'ntfs'.
nfs-netapp-2> cifs shares -add nshare /vol/vol4
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
nfs-netapp-2>

We have created a CIFS share 'nshare' (NetApp share). By default everyone has full control on this share. Let's restrict this just to the domain user 'rocky' created earlier. Below are the commands to manage the access rights on the CIFS share.
nfs-netapp-2> cifs access -delete nshare everyone
nfs-netapp-2> cifs lookup rocky
SID = S-1-5-21-494855465-201376168-299812962-1122
nfs-netapp-2> cifs access nshare rocky "read"
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\rocky / Read

We can see from the above output, that the 'everyone' rights is revoked and domain user 'rocky' has just read rights. Note: the rights are of NTFS style.

Now let's map the CIFS share from a windows workstation that we have logged in as domain user 'rocky'.

Mapping the NetApp CIFS share to 'Z:' drive

dsfw-2.png

Accessing the 'Z:' drive and reading file named 'welcome'.

dsfw-3.png

Folder creation fails as domain user 'rocky' has 'read' rights only on the CIFS shares.

dsfw-4.png

Commands to grant additional rights on CIFS share to domain user 'rocky'.
nfs-netapp-2> cifs access nshare rocky "full control"
nfs-netapp-2> cifs shares nshare
Name         Mount Point                       Description
----         -----------                       -----------
nshare       /vol/vol4
                        GMC3\rocky / Full Control

Folder creation successful after granting appropriate rights!

dsfw-5.png

Labels:

How To-Best Practice
Comment List
Parents
  • When we attempt to setup CIFS on a FAS2020 or FAS2040 filer based on DSfW AD authentication, it fails with 'cannot bind to an LDAP server for the ... domain' error.
    The filers have DOT 7 / Dot 8-7 mode, DSfW is on SLES10 SP4 + OES2 SP3, March 2012 patches.
  • in reply to MigrationDeletedUser
    Please check if the following commands work fine on the DSfW server

    1. kinit administrator
    # Replace lib64 with lib on 32 bit systems
    2. SASL_PATH=/opt/novell/xad/lib64/sasl2 /usr/bin/ldapsearch -Y GSSAPI -b "" -s base dn

    If the second command fails then the GSSAPI method has some problem, possibly a configuration problem. I would need the ndstrace with TIME TAGS NMAS DBG and MISC tags enabled, lan trace and ndsd.log and syslog to troubleshoot this issue. Can you please raise an SR. That way it will be easy to troubleshoot.
Comment
  • in reply to MigrationDeletedUser
    Please check if the following commands work fine on the DSfW server

    1. kinit administrator
    # Replace lib64 with lib on 32 bit systems
    2. SASL_PATH=/opt/novell/xad/lib64/sasl2 /usr/bin/ldapsearch -Y GSSAPI -b "" -s base dn

    If the second command fails then the GSSAPI method has some problem, possibly a configuration problem. I would need the ndstrace with TIME TAGS NMAS DBG and MISC tags enabled, lan trace and ndsd.log and syslog to troubleshoot this issue. Can you please raise an SR. That way it will be easy to troubleshoot.
Children
No Data
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.