Building an MS-DFS environment containing NSS4AD volumes and making it available through Filr

Building an MS-DFS environment containing NSS4AD volumes and making it available through Filr

In this ever changing and "Directory Agnostic" to shifting world, we're sometimes asked to perform awkward tasks.

This is one of them, but mixing 2 worlds to please the majority of your users isn't a bad thing in my book, so here goes.

When for various reasons the directory the users authenticate to shifted from eDirectory (eDir) to Active Directory (AD) they should not lose access to their data (hosted on the great NSS storage and all its benefits).

So... using "the best of both worlds" how would one go about that?

Stage one: Preparing the OES Server(s)



As we need to go in the NSS for AD world, the server needs to be 2015SP1 or up, preferably fully patched.

Then in case the OES environment is using DST make sure to enable the REPLICATE_PRIMARY_TREE_TO_SHADOW option in the NCP server configuration. (ncpcon set REPLICATE_PRIMARY_TREE_TO_SHADOW=1) and that both NSS volumes are AD enabled.

In case DFS is used, make sure to AD enable the target volumes as well and ensure the required AD rights are set.

The novell-cifs service already needs to be up and running, and usable before activating the volumes for NSS for AD, and the NSS for AD volumes should already be accessible for the AD users that are going to access this data before continuing these next steps (mainly so we know we did not break it)...

In the Novell CIFS server, set the smb signature to "optional" ( novcifs -g yes ).
(To verify it's set use: novcifs -o)

NSS for AD on 2018: https://www.novell.com/documentation/open-enterprise-server-2018/stor_nss_ad_lx/data/b1h322dq.html

NSS for AD on 2015SP1: https://www.novell.com/documentation/oes2015/stor_nss_ad_lx/data/b1h322dq.html

Stage two: Creating the MS DFS using the NSS4AD shares



To setup the MS DFS, please keep in mind these things.


  • Using NSS4AD there is currently no capability to build a replicated DFS (DFSR).


  • It is not possible to browse to the NSS4AD share, the network path needs to be typed or copy pasted.





Setting up the DFS NameSpace.

  • Create a new DFS NameSpace, if desired or required.

  • In the DFS NameSpace, create the Folder Target, pointing to the NSS4AD volume.

  • Leave the rights to inherit, unless otherwise desired.


When the AD users can access the DFSed NSS4AD volumes, the next stage can be started, the Filr access enabling.

More info: https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview

Stage three: Creating the Filr Net Folder Server and Net Folder



The first step is... un-appliance like, so use with care. Be aware that if the appliance is ever replaced it will undo this change (for a major version upgrade or a broken appliance) and this step will need to be reapplied.

  • Access the server prompt either over ssh or using the hypervisor

  • vi /etc/krb5.conf

  • Under [libdefaults] set the default realm to the FQDN of the AD Domain

  • add these lines:

    • case_sensitive = false

    • default_ccache_name = /vastorage/filr/krb5cc_0



  • restart the famtd or the appliance



An example krb5.conf:

[libdefaults]
# default_realm = EXAMPLE.COM
default_realm = ADDOM.DIGITALAIRLINES.COM
case_sensitive = false
default_ccache_name = /vastorage/filr/krb5cc_0


When the Name Space is a Domain Name Space, but not all Domain Controllers host the Name Space, reconfigure the Filr VA's /etc/hosts file so it can only reach these servers using the DNS name of the Domain.

After this is done, the Net Folder Server, pointing to the MS DFS NSS4AD Name Space or Target Folder can be created.

  • Log in to Filr with an administrative account

  • In the Net Folder Server section, create a new Net Folder Server

  • Set the server type to Microsoft Windows

  • Under the authentication tab, set an AD user (preferably member of the NSS4AD administrative group) as proxy user and limit the authentication level to kerberos only.



More info: https://www.novell.com/documentation/filr-3/filr-admin/data/netfolders_servers.html#new-net-folder-server-dialog

Then this Net Folder Server can be used to create a Net Folder and managed as any other.

More info: https://www.novell.com/documentation/filr-3/filr-admin/data/netfolders_create.html#new-nf-dialog
Tags (3)

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2018-11-30 16:41
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.