IN THIS ARTICLE
This article outlines the required AD RFC2307 values for multi-mode permissions management (without using MS Services for Unix).
- Cluster running Qumulo Core
- Using Microsoft Active Directory
To manage permissions consistently when Active Directory-bound SMB and NFS clients write to the same Qumulo-hosted file shares, the following RFC2307 values need to be present for each involved User Account and User Group that is managed via Microsoft Active Directory.
User Accounts should have the following values:
gidNumber: determines the user's primary GID
loginShell: /bin/bash for example
uidNumber: user's UID
unixHomeDirectory: path in Linux (/home/username for example)
Any Group that has User Accounts as Members that are expected to write to NFS accessible directories (even if over SMB) should also have the gidNumber set.
If you do not have Microsoft Identity Management for Unix and the NIS Server Role enabled (IDMU/NIS) in your Domain, you can reach the required attributes via each User's and Group's Attribute Editor tab in Active Directory Users and Computers (ADUC).
If the GID you added to the user's gidNumber attribute belongs to a group other than Active Directory's default Domain Users group, then it is also necessary to change the user's Primary Group in the "Member Of" tab in ADUC by choosing the desired value from the list and clicking on the "Set Primary Group" button.
NOTE: If you need to change or populate the attributes of a large number of User Accounts, Microsoft provides multiple PowerShell methods to accomplish this. Please refer to the Microsoft article under Additional Resources as a starting point.
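As an added example (not code from Qumulo or Microsoft), the read-only PowerShell check below reports users missing any of the four attributes listed above, users whose gidNumber does not match the gidNumber of their Primary Group, and member groups without a gidNumber. The function name `Test-Rfc2307Attributes`, the sample accounts and the example.com names are constructed for illustration.

```powershell
# Added example: read-only RFC2307 audit. Changes nothing in the directory.
function Test-Rfc2307Attributes {
    param([object[]]$Users, [object[]]$Groups)
    $required = 'uidNumber', 'gidNumber', 'loginShell', 'unixHomeDirectory'
    # Index groups by RID (primaryGroupToken) and by DN for lookups below
    $byToken = @{}; $byDn = @{}
    foreach ($g in $Groups) {
        $byToken[[int]$g.primaryGroupToken] = $g
        $byDn[$g.DistinguishedName] = $g
    }
    foreach ($u in $Users) {
        # 0 is a valid uidNumber, so test for $null rather than truthiness
        $missing = @($required | Where-Object { $null -eq $u.$_ })
        $primary = $byToken[[int]$u.primaryGroupID]
        # MemberOf never lists the Primary Group, so add it explicitly
        $memberGroups = @(@($u.MemberOf) | Where-Object { $_ } |
            ForEach-Object { $byDn[$_] }) + $primary
        $noGid = @($memberGroups |
            Where-Object { $_ -and $null -eq $_.gidNumber } |
            ForEach-Object { $_.Name })
        [pscustomobject]@{
            User                   = $u.SamAccountName
            MissingAttributes      = $missing -join ','
            PrimaryGroup           = $primary.Name
            GidMatchesPrimaryGroup = ($null -ne $u.gidNumber -and
                                      $u.gidNumber -eq $primary.gidNumber)
            GroupsMissingGid       = $noGid -join ','
        }
    }
}

# Constructed sample data (not from a real domain).
$dom = 'DC=example,DC=com'
$groups = @(
    [pscustomobject]@{ Name = 'Domain Users'; primaryGroupToken = 513; gidNumber = $null
                       DistinguishedName = "CN=Domain Users,CN=Users,$dom" }
    [pscustomobject]@{ Name = 'nfs-writers'; primaryGroupToken = 1150; gidNumber = 20001
                       DistinguishedName = "CN=nfs-writers,OU=Groups,$dom" }
)
$users = @(
    # gidNumber set, but Primary Group is still Domain Users
    [pscustomobject]@{ SamAccountName = 'alice'; uidNumber = 10001; gidNumber = 20001
                       loginShell = '/bin/bash'; unixHomeDirectory = '/home/alice'
                       primaryGroupID = 513; MemberOf = @("CN=nfs-writers,OU=Groups,$dom") }
    # Primary Group changed, but gidNumber and loginShell never populated
    [pscustomobject]@{ SamAccountName = 'bob'; uidNumber = 10002; gidNumber = $null
                       loginShell = $null; unixHomeDirectory = '/home/bob'
                       primaryGroupID = 1150; MemberOf = @() }
)
Test-Rfc2307Attributes -Users $users -Groups $groups | Format-Table -AutoSize
```

Against a live domain, pass the output of `Get-ADUser -Filter * -Properties uidNumber,gidNumber,loginShell,unixHomeDirectory,primaryGroupID,MemberOf` and `Get-ADGroup -Filter * -Properties gidNumber,primaryGroupToken` (ActiveDirectory module) instead of the sample arrays.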
For better performance, we highly recommend configuring Active Directory to allow search queries on UID, GID, and Alias by publishing RFC2307 attributes to the global catalog by following the steps below:
- Log on to Windows Server Active Directory using the Administrator account or an account with Schema Admin privileges
- Load the Active Directory Schema Snap-in
- To install the Active Directory Schema Snap-in, reference the Install the Active Directory Schema Snap-in article on Microsoft TechNet
- Select the Attributes folder
- In the right-hand window pane, open the properties dialog box
- Select the Index this attribute and the Replicate this attribute to the Global Catalog check boxes for each of the following attributes:
CAUTION: Do not modify any other check boxes for the above attributes.
You should now be able to successfully configure the required AD RFC2307 values for multi-mode permissions.