Required Active Directory RFC2307 Values for NFS/SMB Multi-Mode Permissions Management

IN THIS ARTICLE

Outlines the required AD RFC2307 values for multi-mode permissions management (without using MS Services for Unix).

REQUIREMENTS

  • Cluster running Qumulo Core
  • Using Microsoft Active Directory

DETAILS

To manage permissions consistently between Active Directory-bound SMB and NFS clients writing to the same Qumulo-hosted file shares, the following RFC2307 values must be present on every user account and group involved that is managed via Microsoft Active Directory.

User Accounts should have the following values:

  • gidNumber: determines the user's primary GID
  • loginShell: /bin/bash, for example
  • uidNumber: the user's UID
  • unixHomeDirectory: path in Linux (/home/username, for example)

Any group whose member user accounts are expected to write to NFS-accessible directories (even if over SMB) should also have the gidNumber attribute set.

If you do not have Microsoft Identity Management for Unix and the NIS Server Role (IDMU/NIS) enabled in your domain, you can reach the required attributes through the Attribute Editor tab of each user and group in Active Directory Users and Computers (ADUC).

NOTE: You must enable Advanced Features to see the additional tabs.  Go to ADUC, click the View menu, and select Advanced Features to see the Attribute Editor tab under a user or group.

If the primary group GID that you entered in the user's gidNumber attribute listed above belongs to a group other than Active Directory's default Domain Users group, you must also change the user's primary group: open the "Member Of" tab in ADUC, choose the desired group from the list, and click the "Set Primary Group" button.

NOTE: If you need to change or populate the attributes of a large number of user accounts, Microsoft provides multiple PowerShell methods to accomplish this. Please refer to the Microsoft article under Additional Resources as a starting point.
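
Before or after a bulk change, a read-only audit shows which accounts and groups still lack the values listed above. The following script is an added example, not code from Qumulo or Microsoft. It assumes the ActiveDirectory (RSAT) PowerShell module, a single domain, and a hypothetical search base OU; the duplicate-UID check and the primary-group comparison are additions of this example that follow from the requirements above.

```powershell
# Added example: read-only audit of the RFC2307 attributes this article requires.
# Assumptions: ActiveDirectory (RSAT) module, single domain, placeholder OU below.
Import-Module ActiveDirectory

$SearchBase = 'OU=Storage Users,DC=example,DC=com'   # hypothetical, replace with your OU
$Required   = 'uidNumber', 'gidNumber', 'loginShell', 'unixHomeDirectory'

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties ($Required + 'PrimaryGroup', 'MemberOf')

# Look up gidNumber once for every group these users belong to (primary or not).
$groupGid = @{}
$users | ForEach-Object { @($_.PrimaryGroup) + @($_.MemberOf) } |
    Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
        $groupGid[$_] = (Get-ADGroup -Identity $_ -Properties gidNumber).gidNumber
    }

$findings = @()

foreach ($u in $users) {
    # 1. Any of the four required user attributes missing or empty.
    $missing = $Required | Where-Object { $null -eq $u.$_ -or "$($u.$_)" -eq '' }
    if ($missing) {
        $findings += [pscustomobject]@{ Object = $u.SamAccountName; Issue = "missing: $($missing -join ', ')" }
    }
    # 2. gidNumber on the user differs from the gidNumber of the AD primary group,
    #    i.e. the "Set Primary Group" step was not done (this example's interpretation).
    if ($null -ne $u.gidNumber -and $groupGid[$u.PrimaryGroup] -ne $u.gidNumber) {
        $findings += [pscustomobject]@{ Object = $u.SamAccountName; Issue = "gidNumber $($u.gidNumber) does not match primary group" }
    }
}

# 3. Groups with audited members but no gidNumber set.
foreach ($g in $groupGid.GetEnumerator() | Where-Object { $null -eq $_.Value }) {
    $findings += [pscustomobject]@{ Object = $g.Key; Issue = 'group has no gidNumber' }
}

# 4. Two accounts sharing a uidNumber are the same identity to an NFS client.
$users | Where-Object { $null -ne $_.uidNumber } | Group-Object uidNumber |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $findings += [pscustomobject]@{ Object = ($_.Group.SamAccountName -join ', '); Issue = "shared uidNumber $($_.Name)" }
    }

$findings | Sort-Object Object | Format-Table -AutoSize -Wrap
```

The script only reads from the directory, so it can be run with an ordinary domain account that has read access to the OU.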

RESOLUTION

You should now be able to successfully configure the required AD RFC2307 values for multi-mode permissions.

ADDITIONAL RESOURCES

QQ CLI: Active Directory

Active Directory Users attribute Administration-Powershell

 


Comments

1 comment

  • very helpful
