IN THIS ARTICLE
- Outlines how to use AD for POSIX attributes for customers who require multi-protocol access (NFS and SMB) and manage POSIX and Windows identities within Active Directory.
- Note that this feature will not benefit anyone who uses standalone LDAP or NIS servers to manage POSIX identities. While this feature does make use of the LDAP protocol when querying Active Directory, we do not support standalone LDAP servers.
- Cluster running Qumulo Core
SMB clients live in one identity domain while NFS clients live in a separate identity domain. That means that I can walk up to my Linux machine, write a file, and then walk over to my Windows machine and potentially be unable to access my own file because the storage doesn’t understand that it is the same person trying to access the file. It has identification numbers from the NFS side and separate identification numbers from the SMB side but no way to link them together when they represent the same identity.
Several solutions have been devised to solve this problem. Among our customers, a common one is to map the two identities (POSIX identities for NFS clients and Windows identities for SMB clients) using Active Directory as the single source of truth. This standard is specified in RFC 2307.
This feature enables Qumulo Core to respect POSIX-to-Windows identity mappings when those mappings are maintained in the customer’s Active Directory.
- ‘User’ object in Active Directory: carries the SID (“objectSid”) that Windows assigns to every object.
- ‘UNIX Attributes’ tab: where AD administrators enter the user’s NFS UID, thereby mapping one identity (the user’s Windows SID) to the other (that same person’s NFS UID).
If you have mapped this inside your AD server, and this feature is enabled, Qumulo Core will see that NFS UID 2053 is the same person as Windows SID S-1-5-21-.....
Whenever that user’s identity is required (e.g. to check permissions), Qumulo Core uses the mapping to retrieve the entire identity of that user: the NFS UIDs and GIDs as well as all SIDs, including the group IDs of all relevant parent groups.
It’s worth noting that this method of full credential expansion also allows customers who use this feature to support more than 16 group memberships for their NFS users, as long as their group membership is configured in Active Directory.
With this feature enabled and joined to our internal Active Directory domain, we saw no impact on our published performance benchmarks. However, we did see a performance impact on tests that fill a directory with many items over SMB and then list the directory’s contents over NFS. For instance, a test that writes 10k files over SMB and then runs ‘ls -l’ over NFS takes ~10 seconds to complete while that test takes ~1 second otherwise (i.e. when this feature is disabled or when the files are written and listed over the same protocol). This test was done with an empty cache to approximate worst-case performance.
- Any of the following actions may take longer when this feature is enabled:
  - Expand a user’s or machine’s credentials
  - Given the expanded set of credentials, check permission for a given operation
  - Translate group/owner information from one identity space to the other
We cache identity expansions. 24 MB of RAM is set aside per node to cache expanded credentials, including negative entries (cases where no mapping exists). Each cache entry has a TTL (time to live) of 15 minutes. The cache persists through quorum events but not through upgrades, so it is rebuilt after each upgrade; we expect this to happen gradually as users access the cluster and their credentials are expanded. The cache can also be cleared via an API call.
Enable via the UI
To enable this feature via the UI, go to Sharing > Active Directory. When joining a domain, select Yes on Use Active Directory for POSIX Attributes (see screenshot below). Any clusters already joined to a domain will need to leave the domain and re-join.
You can then optionally input a Base DN. This is to limit the part of an Active Directory tree that Qumulo Core queries. As is customary in AD, the default container (or ‘CN’) is Users. This is explained in the help bubble.
Once the cluster is joined to Active Directory, every SMB session and every NFS operation results in a full credential expansion for the user involved. This means that when NFS UID 2053 tries to access a file, the cluster first queries the AD server to find all the groups that user belongs to, maps the user and those groups to all of their Windows SIDs, and then applies permissions based on that fully expanded credential set. So in the example above, Qumulo Core would know that SID S-1-5-21-... is the same person as NFS UID 2053.
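As an added illustration (not code from this article or from Qumulo Core) of the credential expansion described in the performance section and here, the following Python models the walk from a POSIX UID through RFC 2307 attributes to the full set of SIDs and GIDs, including nested parent groups, together with a 15-minute TTL cache that also stores negative lookups. The directory entries, the SID values and the `expand_uid`/`ExpansionCache` names are constructed for this example.

```python
import time
from dataclasses import dataclass

# Constructed AD-like entries keyed by objectSid; attribute names follow RFC 2307
# as used on the UNIX Attributes tab. Group 5002 is nested in 5000 and refers
# back to it, so the walk must tolerate cycles.
EX = "S-1-5-21-EXAMPLE-"
DIRECTORY = {
    EX + "1105": {"uidNumber": 2053, "gidNumber": 5000,
                  "memberOf": [EX + "5000", EX + "5001"]},
    EX + "5000": {"gidNumber": 5000, "memberOf": [EX + "5002"]},
    EX + "5001": {"gidNumber": 5001, "memberOf": []},
    EX + "5002": {"gidNumber": 5002, "memberOf": [EX + "5000"]},
}

@dataclass(frozen=True)
class Identity:
    uid: int
    sids: frozenset  # user SID plus every direct and nested group SID
    gids: frozenset  # primary GID plus the GIDs of all expanded groups

def expand_uid(uid, directory=DIRECTORY):
    """Full credential expansion for a POSIX UID; None when unmapped."""
    user_sid = next((s for s, a in directory.items()
                     if a.get("uidNumber") == uid), None)
    if user_sid is None:
        return None
    sids, gids = {user_sid}, {directory[user_sid]["gidNumber"]}
    todo = list(directory[user_sid]["memberOf"])
    while todo:  # walk parent groups transitively
        g = todo.pop()
        if g in sids:  # already visited; this also breaks cycles
            continue
        sids.add(g)
        attrs = directory.get(g, {})
        if "gidNumber" in attrs:
            gids.add(attrs["gidNumber"])
        todo.extend(attrs.get("memberOf", []))
    return Identity(uid, frozenset(sids), frozenset(gids))

class ExpansionCache:
    """TTL cache of expansions that also stores negative results (None)."""
    def __init__(self, ttl_seconds=15 * 60, clock=time.monotonic):
        self.ttl, self.clock, self.entries, self.misses = ttl_seconds, clock, {}, 0

    def get(self, uid):
        now, hit = self.clock(), self.entries.get(uid)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # may be None: a cached negative lookup
        self.misses += 1  # one directory round trip
        self.entries[uid] = (now, expand_uid(uid))
        return self.entries[uid][1]
```

The cycle check is the part worth noticing: nested-group walks in a real directory can loop, and the same visited-set that stops the loop is what lets a user carry more than 16 groups into the expanded credential.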
As a reminder, anything available in the UI is available via API (and via ‘qq’). On the API & Tools page, you can see the options for /v1/ad/join at the bottom.
Control via the API
To turn the feature on and off, use the fields “use_ad_posix_attributes” and “base_dn” under the Active Directory endpoints:
- Get Configuration and Status - /v1/ad/status
- Get Operation Status - /v1/ad/monitor
- Join Active Directory - /v1/ad/join
To translate identities in one domain to identities in another domain (POSIX, Windows, Qumulo local), use the following endpoints:
Under the Active Directory section
- UID to SIDs - /v1/ad/uids/:uid:/sids (Note: this is UID to plural SIDs because one UID could be mapped to multiple SIDs. We saw this with a customer during our pre-release testing.)
- SID to UID - /v1/ad/sids/:sid:/uid
- SID to GID - /v1/ad/sids/:sid:/gid
- GID to SIDs - /v1/ad/gids/:gid:/sids
- SID to Expanded Group SIDs - /v1/ad/sids/:sid:/expanded-groups
Under the Auth section
- Get Related Auth IDs - /v1/auth/auth-ids/:id:/related-identities
- POSIX UID to All Related Identities - /v1/auth/posix-uids/:id:/related-identities
- POSIX GID to All Related Identities - /v1/auth/posix-gids/:id:/related-identities
- Windows NT SID to All Related Identities - /v1/auth/sids/:id:/related-identities
- Local Username to All Related Identities - /v1/auth/local-username/:username:/related-identities
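Added example (not Qumulo’s own tooling): a small audit that checks the UID-to-SID mappings an administrator intends against the UID to SIDs endpoint listed above, flagging unmapped UIDs, mismatches, and the one-UID-to-many-SIDs case noted in that list. The bearer-token header, the assumption that the endpoint returns a JSON array of SID strings, and the `fake_lookup` data are assumptions made for this example.

```python
import json
import re
import urllib.request

# Syntax check for a Windows SID ("S-1-<authority>-<subauthority>..."); assumed form.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def uid_to_sids_path(uid):
    """Path of the UID to SIDs endpoint, with the UID validated before it is
    placed into the URL so only a non-negative integer ever reaches the path."""
    if not isinstance(uid, int) or isinstance(uid, bool) or uid < 0:
        raise ValueError(f"not a POSIX UID: {uid!r}")
    return f"/v1/ad/uids/{uid}/sids"

def make_rest_lookup(base_url, bearer_token, opener=urllib.request.urlopen):
    """Return lookup(uid) -> list of SIDs via the cluster REST API.
    Assumption: the endpoint answers with a JSON array of SID strings."""
    def lookup(uid):
        req = urllib.request.Request(
            base_url.rstrip("/") + uid_to_sids_path(uid),
            headers={"Authorization": "Bearer " + bearer_token})
        with opener(req) as resp:
            return json.load(resp)
    return lookup

def audit_uid_mappings(expected, lookup):
    """expected: {uid: SID the administrator intends}. Returns a list of
    (uid, finding) for every UID that does not resolve cleanly."""
    findings = []
    for uid, want in sorted(expected.items()):
        if not SID_RE.match(want):
            findings.append((uid, f"expected SID is malformed: {want}"))
            continue
        got = lookup(uid)
        if not got:
            findings.append((uid, "no SID mapped (negative lookup)"))
        elif want not in got:
            findings.append((uid, f"mapped to {sorted(got)}, not {want}"))
        elif len(got) > 1:  # the multi-SID case noted in the endpoint list
            findings.append((uid, f"ambiguous: {len(got)} SIDs mapped"))
    return findings

# Constructed fake lookup for offline use; stands in for a live cluster.
FAKE_AD = {2053: ["S-1-5-21-100-200-300-1105"],
           2054: ["S-1-5-21-100-200-300-1106", "S-1-5-21-100-200-300-1107"],
           2055: []}
def fake_lookup(uid):
    return FAKE_AD.get(uid, [])
```

Against a real cluster, pass `make_rest_lookup("https://<cluster>:8000", token)` in place of `fake_lookup`; an ambiguous finding is worth resolving in AD before relying on the mapping for permissions.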
You should now be able to understand and successfully use AD for POSIX attributes.