EMC VNX/Celerra Integration with Quest Authentication Services (Vintela)

EMC

Quest (Vintela) Authentication Services (VASD) provides schema extensions to Active Directory to authentication against LDAP by providing SID to UID/GID mappings and vice versa. In multiprotocol environments that provide NFS and SMB protocols to the same underlying data it becomes tricky with permissions and file ownership since it must be maintained in the *nix and Windows environments. There are many ways to provide mappings for this situation but for those that use Quest (Vintela) Authentication Services (VASD) here is an proven guide on how to leverage your existing authentication services against the EMC VNX/Celerra for file.

ldap.conf

# --------------------------------------------------------------------
# This template must be copied to /.etc/ldap.conf when the ldap
# server[s] used by the data mover is using the Quest Vintela 
# Authentication Services schema installed on Windows Server.
# --------------------------------------------------------------------
nss_schema			rfc2307bis

nss_base_passwd		DC=northwind,DC=lan?sub
nss_base_shadow		DC=northwind,DC=lan?sub
nss_base_group		DC=northwind,DC=lan?sub

nss_map_objectclass posixAccount		User
nss_map_objectclass shadowAccount		User
nss_map_objectclass posixGroup			Group

nss_map_attribute	uid					sAMAccountName
nss_map_attribute	uniqueMember		member
nss_map_attribute	givenname			givenName
nss_map_attribute 	ou					description
nss_map_attribute	shadowLastChange	pwdLastSet
nss_map_attribute 	homeDirectory		unixHomeDirectory
nss_map_attribute	uidNumber			uidNumber
nss_map_attribute	gidNumber			gidNumber
nss_map_attribute	gecos				gecos
nss_map_attribute	loginShell			loginShell

nsswitch.conf

passwd:         files ldap
group:          files ldap
hosts:          files dns ldap
netgroup:       files ldap

Copy the contents of ldap.conf and push to server_2.

[nasadmin@CELERRA ~]$ cp ***ldap.conf*** /nas/site/ldap.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/ldap.conf.server_2 ldap.conf

Copy the contents of nsswitch.conf and push to server_2.

[nasadmin@CELERRA ~]$ cp ***nsswitch.conf*** /nas/site/nsswitch.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/nsswitch.conf.server_2 nsswitch.conf

Disables the default usermapper and removes any existing usermapper configurations

[nasadmin@CELERRA ~]$ server_usermapper server_2 -disable
[nasadmin@CELERRA ~]$ server_usermapper server_2 -remove -all

Bind the primary DataMover (server_2) to the domain and associate a binding user distinguished name and password for LDAP authentication lookups.

[nasadmin@CELERRA ~]$ server_ldap server_2 -set -p -basedn "DC=northwind,DC=lan" -binddn "CN=EMCServiceUser,OU=Users,DC=northwind,DC=lan" -servers 192.168.1.100,192.168.1.101

Use the following commands to verify connectivity and lookup capabilities against LDAP.

[nasadmin@CELERRA ~]$ server_ldap server_2 -info
server_2 :
LDAP domain:      northwind.lan
State:            Configured - Connected
Schema:           Active Directory
Base dn:          dc=northwind,dc=lan
Bind dn:          <anonymous>
Configuration:    RFC-2307 defaults
LDAP server:      192.168.1.100 - Port: 389 - Active
    SSL:          Not enabled
LDAP server:      192.168.1.101 - Port: 389 - Spare
    SSL:          Not enabled
	
[nasadmin@CELERRA site]$ server_ldap server_2 -service -status
server_2 :
LDAP domain "northwind.lan" is active - Configured with file "ldap.conf"
	
[nasadmin@CELERRA ~]$ server_ldap server_2 -lookup -user jsmith
server_2 :
user: jsmith, uid: 500, gid: 301, homeDir: /northwind/home/jsmith

Set parameters to utilize LDAP to look up the SID to UID/GID mappings.

[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify resolver -value 1
[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify useADMap -value 1
server_2 : done
Warning 17716815753: server_2 : You must stop and start the service associated with the cifs facility for changes to useADMap to take effect

**** REBOOT server_2 DATAMOVER **** This will disrupt connectivity to the DataMover and should be done in a maintenance window.

server_cpu server_2 -reboot warm -monitor now

We have to create the mapping which will force the user to be looked up in LDAP. Finally, check that the user was looked up successfully.

[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -create -name jsmith -domain northwind
[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -list
server_2 : done

SECMAP USER MAPPING TABLE

UID         Origin      Date of creation         Name                        SID
500	        ldap        Fri Aug 31 07:40:23 2012 NORTHWIND\jsmith           S-1-5-15-4376b78a-a9aad504-d4f8c2d6-460

If you are having troubles use the following command to provide verbose information which will contain any informational, warning or critical error messages.

[nasadmin@CELERRA ~]$ server_ldap server_2 -info -verbose

Please let me know if you have any questions! Thanks!

Related Posts

Leave a Reply