This article explains the required AD RFC2307 values for Multi-Mode permissions management without using MS Services for Unix.
- Cluster running Qumulo Core
- Using Microsoft Active Directory
To best manage permissions between Active Directory-bound SMB and NFS clients writing to the same Qumulo-hosted file shares, the following RFC2307 values need to be present for each involved User Account and User Group that is managed via Microsoft Active Directory.
User Accounts should have the following values:
- gidNumber: determines the user's primary GID
- loginShell: /bin/bash for example
- uidNumber: the user's UID
- unixHomeDirectory: path in Linux (/home/username for example)
Any Group that has User Accounts as Members that are expected to write to NFS accessible directories (even if over SMB) should also have the gidNumber set.
If you do not have Microsoft Identity Management for Unix and the NIS Server Role (IDMU/NIS) enabled in your Domain, you can reach the required attributes via each User's and Group's Attribute Editor tab in Active Directory Users and Computers (ADUC).
NOTE: You must enable Advanced Features to see the additional tabs. Go to ADUC, click the View menu, and select Advanced Features to see the Attribute Editor tab under a user or group.
If your user's Primary Group GID, as added to the gidNumber attribute listed above, is different from Active Directory's default Domain Users group, then it is also necessary to change the user's Primary Group in the "Member Of" tab in ADUC by choosing the desired value from the list and clicking the "Set Primary Group" button.
NOTE: If you need to change or populate the attributes of a large number of User Accounts, Microsoft provides multiple PowerShell methods to accomplish this. Please refer to the Microsoft article under Additional Resources as a starting point.
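The attributes above can also be set and then checked with the ActiveDirectory PowerShell module. The following is an added example, not taken from Qumulo or Microsoft documentation: it populates one group and one user, then audits an OU for missing RFC2307 attributes, for uidNumber values assigned to more than one account (those accounts are indistinguishable to an NFS client), and for users whose gidNumber does not match the gidNumber of their AD Primary Group. The OU, the account `jdoe`, the group `nfs-writers` and all ID numbers are constructed placeholders.

```powershell
# Added example; the OU, account, group and ID numbers are constructed placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'
$Required   = 'uidNumber','gidNumber','loginShell','unixHomeDirectory'

# --- Populate one group and one user with the RFC2307 values ---
Set-ADGroup -Identity 'nfs-writers' -Replace @{ gidNumber = 20001 }
Set-ADUser  -Identity 'jdoe' -Replace @{
    uidNumber         = 10001
    gidNumber         = 20001          # primary GID; matches the group above
    loginShell        = '/bin/bash'
    unixHomeDirectory = '/home/jdoe'
}

# --- Audit every user under $SearchBase (read-only from here on) ---
$users     = Get-ADUser -Filter * -SearchBase $SearchBase -Properties ($Required + 'primaryGroupID')
$domainSid = (Get-ADDomain).DomainSID.Value

# uidNumber values that appear on more than one account
$dupUids = $users | Where-Object { $null -ne $_.uidNumber } | Group-Object uidNumber |
    Where-Object Count -gt 1 | ForEach-Object { [int]$_.Name }

$report = foreach ($u in $users) {
    $missing = $Required | Where-Object { $null -eq $u.$_ }
    # Resolve the AD Primary Group from its RID and read that group's gidNumber
    $pg = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)" -Properties gidNumber
    [pscustomobject]@{
        User            = $u.SamAccountName
        Missing         = $missing -join ','
        DuplicateUid    = $u.uidNumber -in $dupUids
        PrimaryGroup    = $pg.Name
        PrimaryGidMatch = ($null -ne $u.gidNumber) -and ($u.gidNumber -eq $pg.gidNumber)
    }
}

# Show only the accounts that need attention
$report | Where-Object { $_.Missing -or $_.DuplicateUid -or -not $_.PrimaryGidMatch } |
    Format-Table -AutoSize
```

A user still in Domain Users shows `PrimaryGidMatch` as False until Domain Users has a matching gidNumber or the Primary Group is changed as described above.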