
December 8th, 2016 00:00

LDAP and multi-domain configuration

Hi!

I am facing a domain integration problem, specifically with LDAP integration.

We have:

- Celerra: two blades (server_2 is a standby)

- Windows domain: domain.local; Windows sub-domain: sib.domain.local; trusted Windows forest/domain: ext-domain.local

- EMC storage is placed in domain.local

- Two CIFS servers: stor-1.domain.local and stor-2.sib.domain.local, each joined to its own domain.

- Usermapper has been disabled. The resolver param is 1. Autobroadcast is 1. LDAP has been enabled. nsswitch.conf and ldap.conf were configured. The system uses stor-1$ as the Kerberos account. In each domain, the UNIX UID/GID and primary group are configured in Active Directory for every account or group that is used.

- VDM "vdm_sib_0" on server_3 with the connected CIFS server stor-2.sib.domain.local.

- Users from the default domain.local domain are able to connect to stor-1.domain.local and stor-2.sib.domain.local. ACLs on folders also work only for them.

Secmap worked fine until we decided to add a sub-domain and a trusted forest: sib.domain.local and ext-domain.local. As I understand it, only one domain is possible per DM. A VDM, as I also understand it, takes the same LDAP settings as its owner DM. However, I guess that in my network, where the domain has trusts to the sub-domain and the neighbour domain, the CIFS server stor-1$ should be able to get the UID/GID, but I can't understand how to make that happen (if it is possible, of course). Right now I can set ACLs, authorize users and grant permissions to connect to the CIFS servers only for accounts from my own domain: domain.local. secmap shows Origin ldap. I have a few users from sib.domain.local and ext-domain.local, but I guess that is because I have accounts with the same names in my AD.

Ideas: I could make server_2 (the standby) a primary server, move VDM "vdm_sib_0" to it and set LDAP for the sib.domain.local domain. However, I don't want to do that. I could enable usermapper and disable LDAP, but that is the last thing I want to do. Probably I could enable a secondary usermapper (or the main one?) together with LDAP, but from what I have read that is a bad idea.

Question: Is it possible to serve different domains on one DM, or on different VDMs on it (which is better?), with LDAP rather than usermapper? How can I set that up? If not, should I disable LDAP, clean the secmap cache and enable usermapper? What about nsswitch.conf? If usermapper is enabled, should I restore the original file?

Thank you!

4 Operator, 8.6K Posts

December 9th, 2016 02:00

Some quick comments.

I think a complete review and design is beyond the scope of a forum post.

IF you disable usermapper you need to do a complete multi-protocol config - if we cannot map a CIFS user to a Unix user/UID and vice versa you can't connect it via CIFS.

Only disable usermapper if you need multi-protocol.

For a particular CIFS server it needs to be able to resolve a Windows username to a SID and vice versa - this is only possible for domains that the CIFS server can query - either the one it is joined to or trusted domains.

We can use multiple domains for user mapping on different VDMs - see the VNX Naming Services manual and server_nsdomains.

LDAP can be tricky to configure correctly

10 Posts

December 12th, 2016 03:00

Thanks for answer, Rainer_EMC!

Rainer_EMC wrote:

For a particular CIFS Server it needs to be able to resolve Windows username to SID and vice versa - this is only possible for domains that the CIFS Server can query - either the one it is joined to or trusted domains

From PC with limited domain account access (not enterprise admin) in domain.local:

Get-ADUser -Server DC1.sib.domain.local -Filter 'uidNumber -eq "35003"' -Properties uid,uidNumber | select uid,uidNumber

uid                                    uidNumber

---                                    ---------

{A.Poly*******}                        35003

#######################

Get-ADUser A.Poly******* -Server DC1.sib.domain.local -Properties uid,uidNumber | select uid,uidNumber

uid                                    uidNumber

---                                    ---------

{A.Poly*******}                        35003

The second point is our old storage, Celerra/CLARiiON: NX4 (ver. 6.0.70.4) / AX4-5F8 (ver. 2.23)

$ server_nsdomains

-bash: server_nsdomains: command not found

$ server_

.... server_mount        server_nfsstat      ....

.... server_mountpoint   server_nis          ....

.... server_mpfs         server_param        ....

.... server_mpfsstat     server_pax          ....

.... server_mt           server_ping         ....

.... server_kerberos     server_muxconfig    ....

.... server_ldap         server_name         ....    

.... server_log          server_netstat      ....       

.... server_mgr          server_nfs          ....

However, your answer is very helpful. If we had a VNX it would solve our problem. Is it possible to achieve the same thing another way?

Thank you.
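The two Get-ADUser queries above check one account in one domain. Rainer's point that a CIFS server must resolve each Windows identity to exactly one UNIX UID (and back) is really a property of the whole set of uidNumber/gidNumber attributes across all trusted domains, so the useful check is over that set. The following Python audit is an added example, not code from this thread, from EMC or from Microsoft; it assumes the RFC 2307 attributes have already been exported from each domain (for instance with Get-ADUser) into a list of dicts. The records, names and numbers are constructed for the example and mirror the thread's symptom of same-name accounts in domain.local and sib.domain.local.

```python
from collections import defaultdict

# Constructed sample records: the RFC 2307 attributes a Celerra/VNX reads from
# each domain's AD when usermapper is off. All values are invented for this
# example; 'a.poly' appears in two domains, as in the thread, and 'j.doe' /
# 'm.ivanov' are two different people who were given the same uidNumber.
SAMPLE_RECORDS = [
    {"domain": "domain.local",     "sAMAccountName": "a.poly",     "uidNumber": 35003, "gidNumber": 30001},
    {"domain": "sib.domain.local", "sAMAccountName": "a.poly",     "uidNumber": 35003, "gidNumber": 30001},
    {"domain": "domain.local",     "sAMAccountName": "m.ivanov",   "uidNumber": 35010, "gidNumber": 30001},
    {"domain": "ext-domain.local", "sAMAccountName": "j.doe",      "uidNumber": 35010, "gidNumber": 30002},
    {"domain": "ext-domain.local", "sAMAccountName": "svc-backup", "uidNumber": None,  "gidNumber": 30002},
]


def account_key(record):
    """DOMAIN\\name form, which is how a CIFS server tells users apart across trusts."""
    return f'{record["domain"]}\\{record["sAMAccountName"]}'


def audit_uid_mappings(records):
    """Check that Windows accounts map to UNIX identities unambiguously.

    Returns a dict with three findings:
      uid_collisions  - uidNumber values shared by more than one account, so
                        two Windows identities would receive the same UNIX
                        identity (and therefore each other's file rights);
      name_collisions - sAMAccountNames present in more than one domain, which
                        a name-only lookup cannot disambiguate;
      unmapped        - accounts lacking uidNumber or gidNumber, which cannot be
                        mapped at all once usermapper is disabled.
    """
    by_uid = defaultdict(list)
    by_name = defaultdict(set)
    unmapped = []
    for rec in records:
        if rec["uidNumber"] is None or rec["gidNumber"] is None:
            unmapped.append(account_key(rec))
            continue
        by_uid[rec["uidNumber"]].append(account_key(rec))
        by_name[rec["sAMAccountName"].lower()].add(rec["domain"])
    return {
        "uid_collisions": {uid: sorted(who) for uid, who in by_uid.items() if len(who) > 1},
        "name_collisions": {name: sorted(doms) for name, doms in by_name.items() if len(doms) > 1},
        "unmapped": sorted(unmapped),
    }


def resolve_uid(records, uid_number):
    """Reverse lookup UID -> accounts, as done when a UNIX owner is shown to a
    CIFS client; a safe mapping returns exactly one account."""
    return sorted(account_key(r) for r in records if r["uidNumber"] == uid_number)


if __name__ == "__main__":
    findings = audit_uid_mappings(SAMPLE_RECORDS)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print("uid 35010 resolves to:", resolve_uid(SAMPLE_RECORDS, 35010))
```

Read the output in two parts. A same-name, same-UID pair across a parent and child domain (the a.poly case) may well be the same person and is then acceptable, but it still shows up so it can be confirmed deliberately. A UID shared by accounts with different names (the 35010 case) is the dangerous one: whichever domain the DM's LDAP settings point at, the other account silently inherits that UNIX identity's permissions, which is the same class of effect the thread attributes to same-name accounts. Anything in the unmapped list will fail to connect over CIFS once usermapper is off, exactly as Rainer describes.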

4 Operator, 8.6K Posts

December 12th, 2016 07:00

server_nsdomains was implemented in 7.0.50.2 - which is for VNX1 and upwards.

you need to first decide what you want to do - multi-protocol or no multi-protocol

LDAP settings are mostly for user mapping needed for multi-protocol

If you don't need the mapping for multi-protocol you can just use usermapper.

maybe it is possible to solve using LDAP settings like scope, search order, ... but I am not an ldap expert.

you can troubleshoot via server_ldap and server_cifssupport

If your user names are literally the same on Windows and Unity, or only a few differ, you can avoid the trouble of mapping via LDAP and use ntxmap instead.

10 Posts

December 13th, 2016 00:00

Hi,

You gave me a full answer on my question.

Thank you =)
