Best Practices : Deploying NSS AD in DSfW environment

Your organization might require Active Directory-style authentication and authorization to support an enterprise application. The enterprise application can be any third-party service that integrates with Active Directory.

The DSfW integration with NSS for AD lets you access data on NSS AD volumes as a DSfW user, taking advantage of single sign-on through Kerberos authentication.

The OES server can join any DSfW domain, which allows DSfW users to access AD-enabled NSS volumes over the SMB protocol. DSfW users are treated the same as AD users, so they can take advantage of single sign-on through Kerberos authentication. The NSS for AD management tools, such as NURM and NFARM, can be used by DSfW administrators and users to manage file system trustees, rights, quotas, salvage and purge. DSfW environments can also take advantage of Dynamic Storage Technology (DST) and Distributed File System (DFS). Users of Active Directory domains and forests that have a bi-directional trust with the DSfW domain can access the NSS volume.

Overall, an OES server with NSS AD configured can join either an AD or a DSfW domain, and users of a cross-forest AD or DSfW domain can seamlessly access NSS volumes over the SMB protocol.

Below are some of the best practices for such deployments:

  1. In a name-mapped DSfW environment, create only one central domain representing the entire eDirectory tree
  2. For existing OES environments, place the DSfW Forest Root Domain at the top-most partition (O or OU) in the existing eDirectory tree and replicate all eDirectory partitions
  3. Configure at least 2 domain controllers per domain for high availability and fault tolerance
  4. Add further domain controllers to meet the performance needs of the third-party domain member servers and to provide more scalability
  5. For existing OES users, always use the existing eDirectory tree and select the partition that needs to be mapped to the domain
  6. All servers joined to the DSfW domain should be OES 2018 SP2 or later
  7. A user should access NSS by using either eDirectory or DSfW credentials. The same user should not access NSS as both an eDirectory and a DSfW user
  8. Single DSfW domain, where all eDirectory users belong to one DSfW domain:
    • Ensure that the NSS AD requirements are met. For more information, see Prerequisites for Installing and Configuring NSS AD in the OES 2018 SP2: Installation Guide.
    • The OES server should resolve the DNS queries for the DSfW domain
    • Join OES to the DSfW domain
    • Use the novcifs command to set --map-adsessions-to-edir=YES on the OES server
    • With this option set:
      • DSfW/AD domain users can access NSS over SMB seamlessly by using DSfW or AD credentials
      • File system operations are executed with the rights granted to their eDirectory identities
    • On successful authentication, the OES file system treats the connections as eDirectory connections
    • CIFS servers should be OES 2018 SP1 or later
    • The same set of users cannot access NSS over SMB as both eDirectory and DSfW users
  9. DSfW domain with a trust to Active Directory, where AD and DSfW have different user sets:
    • Ensure that the NSS AD requirements are met. For more information, see Prerequisites for Installing and Configuring NSS AD in the OES 2018 SP2: Installation Guide.
    • The OES server should resolve the DNS queries for the DSfW domain
    • Users in the DSfW and AD environments should be unique
    • Enable file access for both DSfW and AD users
    • For AD users, file permissions should be created for their respective AD identities
    • Join OES to the DSfW domain in the same way as joining any other AD or DSfW domain
    • The OES server can be in the same partition as DSfW or in some other partition
    • No change to file system rights is required
    • Use the novcifs command to set --map-adsessions-to-edir=fallback on the OES server
    • With this option set:
      • File permissions on NSS for DSfW users are enforced using their eDirectory identities
      • All connections from DSfW users are listed as eDirectory connections
      • All connections from AD users are listed as AD connections
Revision 3 of 3, last updated 2020-08-31 11:21