Integrating Isilon with AD and RFC 2307 settings


Gumar K

May 20, 2013, 11:43:22 PM
to isilon-u...@googlegroups.com
Does anyone have experience integrating Isilon with AD and RFC 2307 settings enabled to provide multiprotocol access? Where can I find the documentation for this?
I have a requirement of configuring OneFS with Active Directory for RFC 2307 for a customer, as they wanted multiprotocol (mixed mode) for users to access Isilon data via CIFS and NFS. With the RFC 2307 option, AD will assign the Unix UIDs/GIDs, and they will be unique for all users. Currently the customer does not have LDAP/NIS in their environment, and they manage Unix user IDs manually (20-30 Unix systems).

The primus emc14002451 does have some steps mentioned for code 6.5 and older, but no steps for Code 7.0. The menus are different for 6.5 and 7.0 so this primus will not be of great help to me.

I would like to know how to create user mapping rules under Access Management, Access Zones, System, Details. I believe this has to be configured to implement RFC 2307.

thanks in advance.
GK

rgera...@gmail.com

Jun 23, 2013, 8:09:55 AM
to isilon-u...@googlegroups.com

On Tuesday, 21 May 2013 05:43:22 UTC+2, GK wrote the following:
Hi,
 
I have struggled with this as well. But in the end it was pretty easy (and indeed very poorly documented). The steps are as follows:
 
- Have your users and groups in your Active Directory assigned a uid or gid. We use a PowerShell script to generate them based on the last digits of the GUID. Since the AD will not generate them by itself, it's a script that you have to rerun frequently.
- OneFS 6.x -> enable SFU support (RFC 2307), or OneFS 7.x -> enable Services for Unix (RFC 2307), under the respective Active Directory tabs.
 
From that point on the Isilon will request the uid/gid from the AD as well and only generate one itself when AD does not provide one. This of course does assume your Unix machines use AD for authentication, which was more work for the UNIX guys than for me. If you would like the PowerShell script, just let me know.
 
Remco Gerards

Gumar K

Jun 23, 2013, 11:04:29 PM
to isilon-u...@googlegroups.com

Thanks Remco for sharing your experience and list of things to do.

So the first step is configuring AD with Unix UIDs/GIDs, disabling UID and GID allocation on the Isilon cluster so that it does not supply UIDs/GIDs from its ID Mapper database, and then enabling RFC 2307 in Isilon and joining the cluster to AD. So I have to work with the AD folks and ask them to create UIDs/GIDs for all the users before putting the cluster into production. This is going to be challenging. So do the Isilon and AD communicate over the LDAP protocol?

We do not have NIS or LDAP to centrally manage Unix users, and most of the Unix users have different UIDs/GIDs created per system by the Unix admins. So I have to ask the Unix admins to provide AD authentication to Unix users, and I assume they have to configure Unix LDAP clients to connect to AD?

If you don't mind, can you please share the PowerShell scripts?

thanks in advance.

-GK

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Richard Kunert

Jun 24, 2013, 10:04:13 AM
to isilon-u...@googlegroups.com
We use RID mapping, which is simple to set up using winbind on Linux and has the advantage of not requiring any setup at all on the AD side. UIDs are calculated by adding a constant to the last part of the Windows SID. The only downside is that it supports one domain only; if you need support for multiple Windows domains through trusts, etc., it is not the way to go.

We also have a script to do the UID mapping on the Isilon, but it runs on the Isilon itself. It's a ~100-line bash script that Isilon support wrote for us a few years ago. The script was originally written for OneFS 5.4. OneFS 6.5 changed the isi auth mapping command, which broke the script, but it wasn't hard to fix. We have it running from a cron job once a day.

--Richard
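To make the RID-mapping scheme Richard describes concrete, here is an added illustration (not code from the thread or from winbind/Isilon): it pulls the RID out of a domain account SID, derives the uid as a constant plus the RID, rejects SIDs from any other domain, and shows the cross-domain collision that makes the scheme single-domain only. The base offset, range size and the sample SIDs are constructed assumptions.

```python
import re

# Constructed example parameters, not values from the thread.
UID_BASE = 100000                # constant added to the RID
RANGE_SIZE = 900000              # size of the uid window reserved for this domain
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample

# Domain account SIDs look like S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(sid):
    """Split a domain account SID into (domain SID, RID); reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    s1, s2, s3, rid = (int(x) for x in m.groups())
    return "S-1-5-21-%d-%d-%d" % (s1, s2, s3), rid


def rid_to_uid(sid, base=UID_BASE, size=RANGE_SIZE, domain_sid=DOMAIN_SID):
    """RID mapping: uid = base + RID, accepted only for the one configured domain
    and only while the result stays inside the reserved uid window."""
    dom, rid = parse_sid(sid)
    if dom != domain_sid:
        raise ValueError("%s is from another domain; RID mapping is single-domain" % sid)
    uid = base + rid
    if not base <= uid < base + size:
        raise ValueError("uid %d for %s falls outside the reserved range" % (uid, sid))
    return uid


def find_collisions(sids, base=UID_BASE):
    """Map SIDs from several domains with the same base and report uid clashes.
    Two accounts in different domains that share a RID get the same uid, which
    is why a trusted second domain needs its own non-overlapping range."""
    owner = {}
    clashes = []
    for sid in sids:
        _, rid = parse_sid(sid)
        uid = base + rid
        if uid in owner and owner[uid] != sid:
            clashes.append((uid, owner[uid], sid))
        owner.setdefault(uid, sid)
    return clashes


if __name__ == "__main__":
    print(rid_to_uid(DOMAIN_SID + "-1105"))
    print(find_collisions([DOMAIN_SID + "-1105", "S-1-5-21-4-5-6-1105"]))
```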

rgera...@gmail.com

Jun 25, 2013, 8:48:02 AM
to isilon-u...@googlegroups.com
I can share 2 things:

1. The website where our Unix guys have a manual on how to connect the Unix machine to our AD (it's public, don't ask me why): CLICK !!
2. The PowerShell script my colleague wrote. Of course you would have to modify this for your own environment. I have attached it to this post.

Any questions, just ask.

Remco 

On Monday, 24 June 2013 05:04:29 UTC+2, GK wrote the following:
ADUnixupdate.ps1