Deploying NetApp Filer in a DSfW environment

This document presents the configuration and working of a NetApp filer in a DSfW environment.

For this exercise, let's use a very simple environment: a DSfW forest consisting of a single domain.

The setup details are as follows:

  • An OES2 SP3 server running a DSfW forest with a single domain

    (Refer to the DSfW Administration Guide for details on forests and domains)

  • A NetApp filer

  • A Windows XP workstation joined to the DSfW domain

  • A DSfW user


Pictorially, the setup looks as follows:

dsfw-1.png

DSfW domain provisioning

DSfW is Domain Services for Windows, a product shipped with the OES platform starting from OES2 SP1. Refer to the DSfW Administration Guide mentioned below for DSfW installation and provisioning.

OES 2 SP3: Domain Services for Windows Administration Guide

Let's take the simplest scenario: the 'Installing a Forest Root Domain' option described in section 6.2.1, 'Installing DSfW in a Non-Name-Mapped Setup'. Follow section 6.2.1 and chapter 7, 'Provisioning Domain Services for Windows', to complete the DSfW installation and provisioning. Please note that the DSfW domain/forest configuration is complete only after the operations in chapter 7 have been completed. Chapter 8 can then be used to verify the provisioning status.

Active Directory domain authentication setup on NetApp filer

In this section let's look at the Active Directory domain authentication setup on the NetApp filer. In simple terms, this means joining the NetApp filer to the DSfW domain.

The filer is configured in domain mode. The command that performs the CIFS configuration on the NetApp box is 'cifs setup'.

The filer's DNS resolver must point to the DSfW DC: the DC hosts the DNS zone for the domain, and the filer locates the domain's LDAP and Kerberos services through the SRV records in that zone. A sample output is as follows:
nfs-netapp-2> dns info
...snip...
Default domain: GMC3.COM
Search domains: GMC3.COM

Below is a verbatim transcript of a 'cifs setup' run.
nfs-netapp-2> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

This filer is currently a member of the Active Directory domain
'USA.EDU'.
Do you want to continue and change the current filer account information? [n]: y
Your filer is currently visible to all systems using WINS. The WINS
name server currently configured is: [ 192.168.28.20 ].

(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS

Selection (1-3)? [1]:
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'NFS-NETAPP-2'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [USA.EDU]: gmc3.com
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the GMC3.COM domain.
Enter the name of the Windows user [Administrator@GMC3.COM]:
Password for Administrator@GMC3.COM:
CIFS - Logged in as Administrator@GMC3.COM.
Setup was unable to retrieve a list of joinable containers
(organizational units) from Active Directory, therefore a list of
selectable options cannot be provided. Please enter the distinguished
name of the container that you would like the filer to join below.
There is no need to add the domain name portion, 'dc=gmc3,dc=com', of
the distinguished name.
Enter the name of the organizational unit [CN=Computers]:
CIFS - Starting SMB protocol...
Welcome to the GMC3.COM (GMC3) Active Directory(R) domain.

CIFS local server is running.
nfs-netapp-2>
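Two details in the transcript above deserve attention before repeating it elsewhere. The join was done as Administrator@GMC3.COM; rather than the domain administrator's credentials, prefer a dedicated account that is granted only the rights needed to create computer objects in the target container, if your DSfW setup allows that delegation, so that the administrator's password never has to be typed on the filer console. Also, setup could not enumerate joinable containers and fell back to asking for one; the default CN=Computers is where the machine account ends up, as the ldapsearch listing in the next section shows. Most join failures, however, come from DNS, reachability or clock skew rather than from the account, so the script below checks those from a Linux host before 'cifs setup' is run. It is an added example written for this article, not NetApp or Novell code. The domain name and DC address are taken from the command line, and the tools dig, nc and ntpdate are assumed to be installed.

```shell
#!/bin/sh
# prejoin_check.sh: checks to run from a Linux host (the DSfW DC itself works)
# before pointing 'cifs setup' at a DSfW domain. Added example for this article,
# not NetApp or Novell code. Assumes 'dig', 'nc' and 'ntpdate' are installed.
#
#   usage: sh prejoin_check.sh <domain> <dc-address>
#          e.g. sh prejoin_check.sh gmc3.com 10.0.0.1   (addresses are assumptions)

# SRV records an AD-style client (the filer included) queries to find the
# domain's LDAP and Kerberos services. The DSfW DC's DNS must answer them.
srv_names() {
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$1" \
        "_kerberos._tcp.$1" \
        "_ldap._tcp.$1"
}

# TCP ports the filer must reach on the DC: DNS, Kerberos, LDAP and SMB.
dc_ports() {
    printf '%s\n' 53 88 389 445
}

# Kerberos rejects requests when client and KDC clocks differ by more than
# 300 seconds. Returns 0 when an offset (seconds, may be negative or
# fractional) is within that tolerance.
skew_ok() {
    off=${1#-}                 # strip the sign to get the absolute value
    [ "${off%%.*}" -le 300 ]   # drop any fractional part before comparing
}

check_domain() {
    domain=$1; dc=$2; rc=0
    for n in $(srv_names "$domain"); do
        if dig +short @"$dc" "$n" SRV | grep -q .; then
            echo "ok   SRV $n"
        else
            echo "FAIL SRV $n not served by $dc"; rc=1
        fi
    done
    for p in $(dc_ports); do
        if nc -z -w 3 "$dc" "$p" 2>/dev/null; then
            echo "ok   tcp/$p reachable on $dc"
        else
            echo "FAIL tcp/$p not reachable on $dc"; rc=1
        fi
    done
    # Clock offset against the DC, read from ntpdate's query mode (no adjustment).
    off=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -1)
    if [ -z "$off" ]; then
        echo "WARN could not query NTP on $dc; compare the clocks by hand"
    elif skew_ok "$off"; then
        echo "ok   clock offset ${off}s"
    else
        echo "FAIL clock offset ${off}s exceeds the 300s Kerberos tolerance"; rc=1
    fi
    return $rc
}

if [ $# -ge 2 ]; then
    check_domain "$1" "$2"
fi
```

Run it with the domain and the DC address; a FAIL on any SRV line means the filer's resolver (the 'dns info' output above) is not pointing at a DC that serves the zone, and a FAIL on the clock line will surface later as a Kerberos error during the join rather than as a clear message.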

Joining a Windows workstation to DSfW domain

Join the Windows XP workstation to the DSfW domain. The link below has the required details for the join operation.

Joining a Windows Workstation to a DSfW Domain

After joining the Windows workstation, log in as the DSfW user (rocky, created in the DSfW User Management section below) via domain logon.

Browsing the Computers container in the domain partition of the eDirectory tree shows the objects created as a result of the two join operations above (the last two entries in the listing below):
lin-gmc:~ # ldapsearch -b "cn=computers,dc=gmc3,dc=com" -s one dn -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0 uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=QWERT-XP1,cn=Computers,dc=gmc3,dc=com
dn: cn=WIN2K3-2,cn=Computers,dc=gmc3,dc=com
dn: cn=XPCLIENT,cn=Computers,dc=gmc3,dc=com
dn: cn=NFS-NETAPP-2,cn=Computers,dc=gmc3,dc=com

DSfW User Management

The DSfW environment is now ready. We will need a user, and possibly groups, for this exercise. User management in DSfW can be done through iManager or MMC; there is also a command line approach, which is presented here.

The command line tool for user/group management in DSfW is 'pgo', located at /opt/novell/xad/sbin/.

Set up the environment and run the tool:
$ export SASL_PATH=/opt/novell/xad/lib/sasl2   # use lib64 instead of lib on x86_64
$ kinit administrator                           # the domain administrator
$ pgo -t user --add rocky                       # note: two hyphens before 'add'

The above commands create the DSfW user 'rocky'.
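The three commands above are the whole procedure, but on a production DC it is worth wrapping them so that the SASL plugin path follows the machine architecture automatically, the script refuses to run without a Kerberos ticket, and the new object is read back over a GSSAPI-authenticated LDAP bind (the same bind 'pgo' depends on, so a failure there points at the Kerberos/SASL configuration rather than at the user). The script below is an added example written for this article, not Novell's tool. The install paths and the cn=Users container in which the user object is expected are assumptions.

```shell
#!/bin/sh
# dsfw_add_user.sh: create a DSfW user with 'pgo' and confirm over a
# GSSAPI-authenticated LDAP bind that the object exists. Added example for this
# article, not Novell's code. Run on the DSfW DC as root after 'kinit administrator'.
# Assumptions: pgo lives in /opt/novell/xad/sbin, the SASL plugins in
# /opt/novell/xad/lib{,64}/sasl2, and pgo places new users under cn=Users of the
# domain partition.
#
#   usage: sh dsfw_add_user.sh gmc3.com rocky

# Pick the SASL plugin directory from the machine architecture (lib64 on x86_64).
sasl_path_for() {
    case "$1" in
        x86_64) echo /opt/novell/xad/lib64/sasl2 ;;
        *)      echo /opt/novell/xad/lib/sasl2 ;;
    esac
}

# gmc3.com -> dc=gmc3,dc=com
domain_to_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# DN at which the new user object is expected (the container is an assumption).
user_dn() {
    printf 'cn=%s,cn=Users,%s\n' "$2" "$(domain_to_dn "$1")"
}

# A valid ticket is required both by pgo and by the GSSAPI bind below.
ticket_ok() {
    klist -s
}

add_user() {
    domain=$1; user=$2
    SASL_PATH=$(sasl_path_for "$(uname -m)"); export SASL_PATH
    if ! ticket_ok; then
        echo "no valid Kerberos ticket; run 'kinit administrator' first" >&2
        return 1
    fi
    /opt/novell/xad/sbin/pgo -t user --add "$user" || return 1
    # Base-scope search on the expected DN; exit status 32 means "no such object",
    # any SASL/GSSAPI error here means the bind itself is misconfigured.
    /usr/bin/ldapsearch -Y GSSAPI -LLL -s base -b "$(user_dn "$domain" "$user")" dn
}

if [ $# -ge 2 ]; then
    add_user "$1" "$2"
fi
```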

The Final Step

In this last step, we will see the whole setup working. In a typical scenario, the NetApp filer hosts some CIFS shares, and domain users map those shares from their desktops using their domain identity.

Now let's create a CIFS share on the NetApp filer.
nfs-netapp-2> qtree status
Volume       Tree     Style Oplocks  Status
------------ -------- ----- -------- ---------
vol0                  ntfs  enabled  normal
vol0         test1    unix  enabled  normal
vol0         testnss  unix  enabled  normal
vol3                  ntfs  enabled  normal
vol1                  ntfs  enabled  normal
vol4                  ntfs  enabled  normal
newvol1               ntfs  enabled  normal
newvol1      newvol1  unix  enabled  normal
vol2                  ntfs  enabled  normal
vol5dsfw              ntfs  enabled  normal
MPVOl2                ntfs  enabled  normal
VOLUME_30GB           ntfs  enabled  normal

The above command lists the volumes and qtrees on the NetApp filer together with their security style. Let's select one volume for our CIFS share: 'vol4'. Note that the security style of 'vol4' is 'ntfs'.
nfs-netapp-2> cifs shares -add nshare /vol/vol4
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
nfs-netapp-2>

We have created a CIFS share 'nshare' (NetApp share). By default, everyone has Full Control on this share. Let's restrict this to just the domain user 'rocky' created earlier. Below are the commands to manage the access rights on the CIFS share.
nfs-netapp-2> cifs access -delete nshare everyone
nfs-netapp-2> cifs lookup rocky
SID = S-1-5-21-494855465-201376168-299812962-1122
nfs-netapp-2> cifs access nshare rocky "read"
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\rocky / Read

We can see from the above output that the 'everyone' entry has been revoked and the domain user 'rocky' has only Read rights. Note: these are share-level rights. Because 'vol4' has the ntfs security style, the NTFS ACLs on the files and folders apply as well, and a client's effective access is the intersection of the share-level rights and the file-level ACL.
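Share-level entries like the 'everyone / Full Control' that 'cifs shares -add' installs by default are easy to leave behind on a filer with many shares. The script below, an added example written for this article and not NetApp code, parses the output of 'cifs shares' (the real command indents the ACL lines under each share) and lists every share whose share-level ACL still grants 'everyone' more than Read, together with the 'cifs access -delete' commands that remove those entries. The sample output embedded in it is constructed from the article's filer; the 'dsfwdata' share and the 'Domain Users' entry in it are invented for illustration, and the ssh invocation mentioned in the comments is assumed rather than executed.

```shell
#!/bin/sh
# audit_cifs_shares.sh: flag Data ONTAP 7-mode CIFS shares whose share-level ACL
# still grants 'everyone' Change or Full Control, and print the 'cifs access'
# commands that remove those entries. Added example for this article, not NetApp
# code. It parses the text printed by 'cifs shares' (which indents the ACL lines
# under each share); save that output to a file, or pipe it in from the filer,
# e.g. 'ssh root@<filer> cifs shares' (the ssh step is assumed, not run here).
#
#   usage: sh audit_cifs_shares.sh [shares.txt]     (no argument: use the sample)

# Constructed sample in the layout of 'cifs shares', based on the article's filer.
SAMPLE='Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
                        GMC3\rocky / Read
dsfwdata     /vol/vol5dsfw
                        GMC3\Domain Users / Change
                        GMC3\rocky / Full Control'

# Print "share<TAB>principal<TAB>rights" for every 'everyone' entry that grants
# more than Read. Reads the files given as arguments, or stdin.
audit_shares() {
    awk '
        /^Name +Mount|^---- /  { next }          # column header
        /^[ \t]+\*\*/          { next }          # "** no access **" marker, not a grant
        /^[ \t]+/ {                              # indented "<principal> / <rights>"
            sub(/^[ \t]+/, "")
            n = index($0, " / ")
            principal = substr($0, 1, n - 1)
            rights    = substr($0, n + 3)
            if (tolower(principal) == "everyone" &&
                (rights == "Full Control" || rights == "Change"))
                print share "\t" principal "\t" rights
            next
        }
        NF >= 2 { share = $1 }                   # "<name> <mount point> [description]"
    ' "$@"
}

# Share names only, each once.
open_share_names() {
    audit_shares "$@" | cut -f1 | sort -u
}

# Remediation commands to paste into the filer console (not executed here).
remediate_cmds() {
    open_share_names "$@" | while read -r s; do
        echo "cifs access -delete $s everyone"
    done
}

if [ $# -gt 0 ]; then
    remediate_cmds "$@"
else
    printf '%s\n' "$SAMPLE" | remediate_cmds
fi
```

Removing the 'everyone' entry leaves a share unreachable until another entry is added, as the article does with 'cifs access nshare rocky "read"'. For anything beyond a test, grant the share to a domain group rather than to individual users ('cifs access' takes -g to name a group) and leave per-file protection to the NTFS ACLs on the volume: on an ntfs-style volume the effective access is the intersection of the share-level rights and the file-level ACL, so share-level Full Control does not override a restrictive NTFS ACL, while share-level Read caps what a generous NTFS ACL would otherwise allow.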

Now let's map the CIFS share from the Windows workstation on which we are logged in as domain user 'rocky'.

Mapping the NetApp CIFS share to 'Z:' drive

dsfw-2.png

Accessing the 'Z:' drive and reading file named 'welcome'.

dsfw-3.png

Folder creation fails because domain user 'rocky' has only 'read' rights on the CIFS share.

dsfw-4.png

Commands to grant additional rights on the CIFS share to domain user 'rocky':
nfs-netapp-2> cifs access nshare rocky "full control"
nfs-netapp-2> cifs shares nshare
Name         Mount Point                       Description
----         -----------                       -----------
nshare       /vol/vol4
                        GMC3\rocky / Full Control

Folder creation successful after granting appropriate rights!

dsfw-5.png

Labels: How To-Best Practice

Comments
  • Please check if the following commands work fine on the DSfW server:

    1. kinit administrator
    2. SASL_PATH=/opt/novell/xad/lib64/sasl2 /usr/bin/ldapsearch -Y GSSAPI -b "" -s base dn
       # Replace lib64 with lib on 32-bit systems

    If the second command fails, then the GSSAPI method has some problem, possibly a configuration problem. I would need the ndstrace with the TIME, TAGS, NMAS, DBG and MISC tags enabled, a LAN trace, ndsd.log and syslog to troubleshoot this issue. Can you please raise an SR? That way it will be easier to troubleshoot.