EMC VNX Integration Quest Vintela Authentication Services
Implementing GID/UID mappings that are LDAP/AD integrated can be a difficult task because you need to manage permissions in two realms. Quest (Vintela) Authentication Services (VASD) provides schema extensions to Active Directory that let Unix hosts authenticate against LDAP by providing SID to UID/GID mappings and vice versa. In multiprotocol environments that serve NFS and SMB from the same underlying data, permissions and file ownership get tricky because they must be kept consistent across the *nix and Windows environments. There are many ways to provide mappings for this situation, but for those that use Quest (Vintela) Authentication Services (VASD), here is a proven guide on how to leverage your existing authentication services against the EMC VNX/Celerra for File.
ldap.conf
# --------------------------------------------------------------------
# This template must be copied to /.etc/ldap.conf when the ldap
# server[s] used by the data mover is using the Quest Vintela
# Authentication Services schema installed on Windows Server.
# --------------------------------------------------------------------
nss_schema rfc2307bis
nss_base_passwd DC=northwind,DC=lan?sub
nss_base_shadow DC=northwind,DC=lan?sub
nss_base_group DC=northwind,DC=lan?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute givenname givenName
nss_map_attribute ou description
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos gecos
nss_map_attribute loginShell loginShell
nsswitch.conf
passwd: files ldap
group: files ldap
hosts: files dns ldap
netgroup: files ldap
Copy the contents of ldap.conf and push to server_2.
[nasadmin@CELERRA ~]$ cp ldap.conf /nas/site/ldap.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/ldap.conf.server_2 ldap.conf
Copy the contents of nsswitch.conf and push to server_2.
[nasadmin@CELERRA ~]$ cp nsswitch.conf /nas/site/nsswitch.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/nsswitch.conf.server_2 nsswitch.conf
Disable the default usermapper and remove any existing usermapper configurations.
[nasadmin@CELERRA ~]$ server_usermapper server_2 -disable
[nasadmin@CELERRA ~]$ server_usermapper server_2 -remove -all
Bind the primary DataMover (server_2) to the domain and associate a binding user distinguished name and password for LDAP authentication lookups.
[nasadmin@CELERRA ~]$ server_ldap server_2 -set -p -basedn "DC=northwind,DC=lan" -binddn "CN=EMCServiceUser,OU=Users,DC=northwind,DC=lan" -servers 192.168.1.100,192.168.1.101
Use the following commands to verify connectivity and lookup capabilities against LDAP.
[nasadmin@CELERRA ~]$ server_ldap server_2 -info
server_2 :
LDAP domain: northwind.lan
State: Configured - Connected
Schema: Active Directory
Base dn: dc=northwind,dc=lan
Bind dn:
Configuration: RFC-2307 defaults
LDAP server: 192.168.1.100 - Port: 389 - Active
SSL: Not enabled
LDAP server: 192.168.1.101 - Port: 389 - Spare
SSL: Not enabled
[nasadmin@CELERRA site]$ server_ldap server_2 -service -status
server_2 : LDAP domain "northwind.lan" is active - Configured with file "ldap.conf"
[nasadmin@CELERRA ~]$ server_ldap server_2 -lookup -user jsmith
server_2 : user: jsmith, uid: 500, gid: 301, homeDir: /northwind/home/jsmith
Set parameters to utilize LDAP to look up the SID to UID/GID mappings.
[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify resolver -value 1
[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify useADMap -value 1
server_2 : done
Warning 17716815753: server_2 : You must stop and start the service associated with the cifs facility for changes to useADMap to take effect
**** REBOOT server_2 DATAMOVER ****
This will disrupt connectivity to the DataMover and should be done in a maintenance window.
server_cpu server_2 -reboot warm -monitor now
Create the secmap entry for the user, which forces the user to be resolved through LDAP. Then list the mapping table to check that the lookup succeeded (the Origin column should show ldap).
[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -create -name jsmith -domain northwind
[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -list
server_2 : done
SECMAP USER MAPPING TABLE
UID   Origin   Date of creation           Name               SID
500   ldap     Fri Aug 31 07:40:23 2012   NORTHWIND\jsmith   S-1-5-15-4376b78a-a9aad504-d4f8c2d6-460
If you are having trouble, use the following command to get verbose output, which includes any informational, warning or critical error messages from the LDAP client.
[nasadmin@CELERRA ~]$ server_ldap server_2 -info -verbose
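As an added illustration (not part of the original post or any EMC/Quest tool), the following Python script applies the nss_map_attribute lines from the ldap.conf above to constructed AD-style entries, producing the same passwd-style result that the server_ldap -lookup -user jsmith step returns, and flagging accounts that lack the VAS uidNumber/gidNumber attributes the SID to UID/GID mapping depends on. The directory entries and the svc-noposix account are assumptions made up for the example.

```python
import re

# Constructed excerpt of the nss_map_* lines from the ldap.conf template above.
LDAP_CONF = """
nss_schema rfc2307bis
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos gecos
nss_map_attribute loginShell loginShell
"""

# Constructed AD entries (not real directory data), shaped like what a Data Mover
# search under DC=northwind,DC=lan would return. svc-noposix is a hypothetical
# account that was never given VAS Unix attributes.
AD_ENTRIES = [
    {"objectClass": ["top", "person", "User"], "sAMAccountName": "jsmith",
     "uidNumber": "500", "gidNumber": "301", "gecos": "John Smith",
     "unixHomeDirectory": "/northwind/home/jsmith", "loginShell": "/bin/bash"},
    {"objectClass": ["top", "person", "User"], "sAMAccountName": "svc-noposix"},
]

def parse_attribute_map(conf):
    """Return {posix_attribute: ad_attribute} from the nss_map_attribute lines."""
    mapping = {}
    for line in conf.splitlines():
        m = re.match(r"\s*nss_map_attribute\s+(\S+)\s+(\S+)", line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping

def to_passwd(entry, attr_map):
    """Build a passwd-style line for one AD entry; return None when the
    uidNumber/gidNumber needed for a SID<->UID mapping are missing."""
    posix = {p: entry.get(ad) for p, ad in attr_map.items()}
    if not posix.get("uidNumber") or not posix.get("gidNumber"):
        return None
    return "%s:x:%s:%s:%s:%s:%s" % (
        posix["uid"], posix["uidNumber"], posix["gidNumber"],
        posix.get("gecos") or "", posix.get("homeDirectory") or "",
        posix.get("loginShell") or "")

def resolve_all(entries, conf=LDAP_CONF):
    """Map every entry through the configured attribute translation."""
    attr_map = parse_attribute_map(conf)
    return {e["sAMAccountName"]: to_passwd(e, attr_map) for e in entries}

if __name__ == "__main__":
    for name, line in resolve_all(AD_ENTRIES).items():
        print(name, "->", line or "NOT RESOLVABLE (missing uidNumber/gidNumber)")
```

An account that comes back as not resolvable here is the same one that server_ldap -lookup will fail on and that secmap will not be able to map from its SID.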
Please let me know if you have any questions! Thanks!
2 Thoughts on EMC VNX Integration Quest Vintela Authentication Services
Followed these steps on VNX box and LDAP configuration worked at first attempt. It was failing for over a month now and I was struggling to find documentation on Dell EMC portals as well. These are very well documented steps.
Thanks for the comment. I had a month to prove out it was going to work in a greenfield environment and agreed the documentation gives you the bits and pieces but not exactly how to do it. Again, thanks for the comment.