In this ever-changing, “directory agnostic” world we are sometimes asked to perform awkward tasks.
This is one of them, but mixing two worlds to please the majority of your users isn’t a bad thing in my book, so here goes.
When, for various reasons, the directory the users authenticate to has shifted from eDirectory (eDir) to Active Directory (AD), they should not lose access to their data (hosted on the great NSS storage, with all its benefits).
So… using “the best of both worlds”, how would one go about that?
Stage one: Preparing the OES Server(s)
Since we need NSS for AD, the server needs to be OES 2015SP1 or later, preferably fully patched.
Then, if the OES environment uses DST, enable the REPLICATE_PRIMARY_TREE_TO_SHADOW option in the NCP server configuration (ncpcon set REPLICATE_PRIMARY_TREE_TO_SHADOW=1) and make sure both NSS volumes of the DST pair are AD-enabled.
If DFS is used, AD-enable the target volumes as well and ensure the required AD rights are set.
The novell-cifs service must already be up, running and usable before the volumes are activated for NSS for AD, and the NSS for AD volumes should already be accessible to the AD users who are going to access this data before continuing with the next steps (mainly so we know we did not break it)…
On the Novell CIFS server, set SMB signing to “optional” (novcifs -g yes).
(To verify the setting, use: novcifs -o)
NSS for AD on 2015SP1: https://www.novell.com/documentation/oes2015/stor_nss_ad_lx/data/b1h322dq.html
Stage two: Creating the MS DFS using the NSS4AD shares
To set up the MS DFS, keep the following in mind.
- With NSS4AD there is currently no way to build a replicated DFS (DFSR).
- The NSS4AD share cannot be browsed to; the network path needs to be typed or copy-pasted.
Setting up the DFS Namespace:
- Create a new DFS Namespace, if desired or required.
- In the DFS Namespace, create the Folder Target, pointing to the NSS4AD volume.
- Leave the rights to inherit, unless otherwise desired.
When the AD users can access the NSS4AD volumes through DFS, the next stage, enabling Filr access, can be started.
Stage three: Creating the Filr Net Folder Server and Net Folder
The first step is… un-appliance-like, so use it with care. Be aware that if the appliance is ever replaced (for a major version upgrade or because it broke) the change will be undone and this step will need to be reapplied.
- Access the server prompt either over ssh or using the hypervisor console
- vi /etc/krb5.conf
- Under [libdefaults] set the default realm to the FQDN of the AD domain
- add these lines:
  - case_sensitive = false
  - default_ccache_name = /vastorage/filr/krb5cc_0
- restart famtd or the appliance
An example krb5.conf:
[libdefaults]
    # default_realm = EXAMPLE.COM
    default_realm = ADDOM.DIGITALAIRLINES.COM
    case_sensitive = false
    default_ccache_name = /vastorage/filr/krb5cc_0
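Since this edit is lost whenever the appliance is replaced, it helps to have it scripted. The following is an added example (not part of the original article) that applies the three [libdefaults] settings to a krb5.conf idempotently, so it can simply be re-run; the file path and realm are parameters, the ccache path is the one used above, and a differing old default_realm is kept as a commented-out line like in the example.

```shell
#!/bin/sh
# Added example, not from the original article: apply the Stage three
# krb5.conf edits to FILE so that re-running it is harmless.
set -eu

# apply_filr_krb5 FILE REALM
# Guarantees that [libdefaults] holds default_realm = REALM,
# case_sensitive = false and default_ccache_name = /vastorage/filr/krb5cc_0.
# Other sections and keys are left untouched.
apply_filr_krb5() {
    file=$1
    realm=$2
    tmp="$file.tmp.$$"
    awk -v realm="$realm" '
        function emit_missing() {
            if (!seen_realm)  print "    default_realm = " realm
            if (!seen_case)   print "    case_sensitive = false"
            if (!seen_ccache) print "    default_ccache_name = /vastorage/filr/krb5cc_0"
            seen_realm = seen_case = seen_ccache = 1
        }
        /^[ \t]*\[/ {                       # any section header
            if (in_lib) emit_missing()      # leaving [libdefaults]: add absent keys
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/)
            if (in_lib) have_lib = 1
            print; next
        }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            old = $0; sub(/^[^=]*=[ \t]*/, "", old); sub(/[ \t]*$/, "", old)
            if (old != realm) { line = $0; sub(/^[ \t]*/, "", line); print "    # " line }
            print "    default_realm = " realm; seen_realm = 1; next
        }
        in_lib && /^[ \t]*case_sensitive[ \t]*=/ {
            print "    case_sensitive = false"; seen_case = 1; next
        }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            print "    default_ccache_name = /vastorage/filr/krb5cc_0"; seen_ccache = 1; next
        }
        { print }
        END {
            if (!have_lib) print "[libdefaults]"  # no such section yet: create it
            emit_missing()                        # no-op when everything was seen
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Run it as apply_filr_krb5 /etc/krb5.conf ADDOM.DIGITALAIRLINES.COM (the realm from the example above), then restart famtd as described.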
When the namespace is a domain-based namespace but not all domain controllers host it, reconfigure the Filr VA’s /etc/hosts file so that the DNS name of the domain resolves only to the domain controllers that do host the namespace.
After this is done, the Net Folder Server pointing to the MS DFS NSS4AD namespace or folder target can be created.
- Log in to Filr with an administrative account
- In the Net Folder Server section, create a new Net Folder Server
- Set the server type to Microsoft Windows
- Under the Authentication tab, set an AD user (preferably a member of the NSS4AD administrative group) as the proxy user and limit the authentication level to Kerberos only.
This Net Folder Server can then be used to create a Net Folder and managed like any other.