Cool Solutions

Deploying NetApp Filer in a DSfW environment



April 27, 2011 11:05 am

This document describes how to configure a NetApp filer in a DSfW environment and shows the resulting setup working end to end.

For this exercise, let’s use a deliberately simple environment: a DSfW forest with a single domain.

The setup details are as follows:

  • An OES2 SP3 server hosting a DSfW forest with a single domain

    (Refer to the DSfW Administration Guide for details on forest and domain)

  • A NetApp filer
  • A Windows XP workstation joined to the DSfW domain
  • A DSfW user

Pictorially, the setup looks as follows:

dsfw-1.png

DSfW domain provisioning

DSfW is Domain Services for Windows, a product shipped with the OES platform starting from OES2 SP1. Refer to the DSfW Administration Guide linked below for DSfW installation and provisioning.

OES 2 SP3: Domain Services for Windows Administration Guide

Let’s take the simplest scenario, the ‘Installing a Forest Root Domain’ option in section 6.2.1, ‘Installing DSfW in a Non-Name-Mapped Setup’. Follow section 6.2.1 and chapter 7, ‘Provisioning Domain Services for Windows’, to complete the DSfW installation and provisioning. Note that the DSfW domain/forest is usable only after the provisioning steps in chapter 7 have completed; chapter 8 describes how to verify the provisioning status.

Active Directory domain authentication setup on NetApp filer

In this section let’s look at the Active Directory domain authentication setup on the NetApp filer. In simple terms, this joins the NetApp filer to the DSfW domain.

The filer is configured in domain mode. The command that performs the CIFS configuration on the NetApp box is ‘cifs setup’.

The filer’s DNS resolver must point at the DSfW DC, since the join locates the domain controller through DNS. A sample ‘dns info’ output is as follows:

nfs-netapp-2> dns info
...snip...
Default domain: GMC3.COM
Search domains: GMC3.COM

Below is a verbatim transcript of a ‘cifs setup’ run. Two things to note in it: this filer was previously a member of the USA.EDU domain, so setup asks before replacing the machine account; and setup could not enumerate the joinable containers from DSfW, so the container DN (here the default, CN=Computers) has to be typed in. The transcript uses the domain Administrator to create the machine account; in production, prefer a delegated account that can only create computer objects in the target container.

nfs-netapp-2> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

        This filer is currently a member of the Active Directory domain
        'USA.EDU'.
Do you want to continue and change the current filer account information? [n]: y
        Your filer is currently visible to all systems using WINS. The WINS
        name server currently configured is: [ 192.168.28.20 ].

(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS

Selection (1-3)? [1]:
        This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
        The default name for this CIFS server is 'NFS-NETAPP-2'.
Would you like to change this name? [n]:
        Data ONTAP CIFS services support four styles of user authentication.
        Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [USA.EDU]: gmc3.com
        In order to create an Active Directory machine account for the filer,
        you must supply the name and password of a Windows account with
        sufficient privileges to add computers to the GMC3.COM domain.
Enter the name of the Windows user [Administrator@GMC3.COM]:
Password for Administrator@GMC3.COM:
CIFS - Logged in as Administrator@GMC3.COM.
        Setup was unable to retrieve a list of joinable containers
        (organizational units) from Active Directory, therefore a list of
        selectable options cannot be provided. Please enter the distinguished
        name of the container that you would like the filer to join below.
        There is no need to add the domain name portion, 'dc=gmc3,dc=com', of
        the distinguished name.
Enter the name of the organizational unit [CN=Computers]:
CIFS - Starting SMB protocol...
Welcome to the GMC3.COM (GMC3) Active Directory(R) domain.

CIFS local server is running.
nfs-netapp-2>

Joining a Windows workstation to DSfW domain

Join the Windows XP workstation to the DSfW domain. The link below has the details of the join operation.

Joining a Windows Workstation to a DSfW Domain

After joining the Windows workstation, log in as the DSfW user (‘rocky’, created in the ‘DSfW User Management’ section below) via a domain logon.

Browsing the Computers container in the domain partition of the eDirectory tree shows the objects created by the two join operations; they are the last two entries in the output below (XPCLIENT and NFS-NETAPP-2). The search is run on the DSfW server itself and binds with SASL/EXTERNAL over the local socket, using the peer credentials of root.

lin-gmc:~ # ldapsearch -b "cn=computers,dc=gmc3,dc=com" -s one dn -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=QWERT-XP1,cn=Computers,dc=gmc3,dc=com
dn: cn=WIN2K3-2,cn=Computers,dc=gmc3,dc=com
dn: cn=XPCLIENT,cn=Computers,dc=gmc3,dc=com
dn: cn=NFS-NETAPP-2,cn=Computers,dc=gmc3,dc=com

DSfW User Management

We now have the DSfW environment ready. We need a user, and perhaps a group, for this exercise. User management in DSfW can be done through iManager or MMC; there is also a command-line approach, which I present here.

The command-line tool for user/group management in DSfW is ‘pgo’, located at /opt/novell/xad/sbin/pgo.

Set up the environment and run the tool as follows. ‘kinit’ obtains a Kerberos ticket for the domain administrator, and SASL_PATH points pgo at the DSfW SASL plugins it needs to authenticate with that ticket:

$ export SASL_PATH=/opt/novell/xad/lib/sasl2   # use lib64 instead of lib on x86_64
$ kinit administrator                          # the domain administrator
$ /opt/novell/xad/sbin/pgo -t user --add rocky # note: two hyphens before 'add'

The above commands create the DSfW user ‘rocky’.

The Final Step

In this last step, we will see the whole setup working. In a typical scenario the NetApp filer hosts some CIFS shares, and domain users map those shares from their desktops using their domain identity.

Now let’s create a CIFS share on the NetApp filer.

nfs-netapp-2> qtree status
Volume       Tree     Style Oplocks  Status
------------ -------- ----- -------- ---------
vol0                  ntfs  enabled  normal
vol0         test1    unix  enabled  normal
vol0         testnss  unix  enabled  normal
vol3                  ntfs  enabled  normal
vol1                  ntfs  enabled  normal
vol4                  ntfs  enabled  normal
newvol1               ntfs  enabled  normal
newvol1      newvol1  unix  enabled  normal
vol2                  ntfs  enabled  normal
vol5dsfw              ntfs  enabled  normal
MPVOl2                ntfs  enabled  normal
VOLUME_30GB           ntfs  enabled  normal

The above command lists the volumes and qtrees on the NetApp filer together with their security style. Let’s select one volume for our CIFS share: ‘vol4’ for this exercise. Note that the security style on ‘vol4’ is ‘ntfs’, so the permissions on files and directories under it are NTFS ACLs.

nfs-netapp-2> cifs shares -add nshare /vol/vol4
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
nfs-netapp-2>

We have created a CIFS share ‘nshare’ (NetApp share). By default, ‘everyone’ has Full Control on this share. Let’s restrict this to just the domain user ‘rocky’ created earlier. Below are the commands to manage the access rights on the CIFS share; ‘cifs lookup’ is used first to confirm that the filer can resolve the DSfW user to its SID, which is what the share ACL actually stores.

nfs-netapp-2> cifs access -delete nshare everyone
nfs-netapp-2> cifs lookup rocky
SID = S-1-5-21-494855465-201376168-299812962-1122
nfs-netapp-2> cifs access nshare rocky "read"
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\rocky / Read

We can see from the above output that the ‘everyone’ entry has been revoked and the domain user ‘rocky’ has Read rights only. Note that these are share-level permissions on the filer, separate from the NTFS ACLs on the files and directories under /vol/vol4; effective access is the more restrictive of the two, so a user also needs suitable NTFS permissions on the volume itself.

Now let’s map the CIFS share from the Windows workstation where we are logged in as domain user ‘rocky’.
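The SID returned by ‘cifs lookup rocky’ is what the filer stores for the trustee. As an added example (not from the article, nor from NetApp or Novell tooling), the Python below splits that SID into the GMC3 domain SID and rocky’s RID, converts it to the binary layout used by the objectSid attribute, and builds the LDAP filter that would find the matching object in the domain partition. It assumes DSfW exposes objectSid in AD’s binary layout; the ldapsearch invocation mentioned in the docstring is illustrative and is not run here.

```python
"""Decompose the SID printed by 'cifs lookup rocky' and build an objectSid filter.

Added example, not part of the original article or of any NetApp/Novell tool.
Assumption: the DSfW domain objects carry an objectSid attribute in the AD
binary layout (revision, sub-authority count, 48-bit big-endian identifier
authority, 32-bit little-endian sub-authorities).
"""
import struct

# Constructed input: the value the article shows for 'cifs lookup rocky'.
ROCKY_SID = "S-1-5-21-494855465-201376168-299812962-1122"


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub_authorities]) from 'S-R-A-...'."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % sid)
    return revision, authority, subs


def split_domain_rid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    revision, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not an S-1-5-21 domain account SID: %r" % sid)
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def sid_to_bytes(sid):
    """Encode the SID in the binary layout stored in objectSid."""
    revision, authority, subs = parse_sid(sid)
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, for checking an objectSid value read back from LDAP."""
    revision, count = struct.unpack_from("<BB", data)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def objectsid_filter(sid):
    """RFC 4515 filter with the binary SID hex-escaped, usable as e.g.
    ldapsearch -b dc=gmc3,dc=com '(objectSid=\\01\\05...)' sAMAccountName
    (illustrative invocation; the search itself is not performed here)."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


if __name__ == "__main__":
    domain, rid = split_domain_rid(ROCKY_SID)
    print("domain SID:", domain, "RID:", rid)
    print(objectsid_filter(ROCKY_SID))
```

The domain SID is the same for every object in GMC3, so any trustee the filer resolves from this domain shares the first four sub-authorities; only the RID differs, which is a quick sanity check that a looked-up name really came from the DSfW domain and not from the filer’s local accounts or a leftover USA.EDU mapping.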

Mapping the NetApp CIFS share to ‘Z:’ drive

dsfw-2.png

Accessing the ‘Z:’ drive and reading file named ‘welcome’.

dsfw-3.png

Folder creation fails, as domain user ‘rocky’ has ‘read’ rights only on the CIFS share.

dsfw-4.png

Commands to grant additional rights on CIFS share to domain user ‘rocky’.

nfs-netapp-2> cifs access nshare rocky "full control"
nfs-netapp-2> cifs shares nshare
Name         Mount Point                       Description
----         -----------                       -----------
nshare       /vol/vol4
                        GMC3\rocky / Full Control

Folder creation succeeds once the appropriate rights have been granted.

dsfw-5.png
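Every share created with ‘cifs shares -add’ starts out as ‘everyone / Full Control’, and the listing above is the only place that shows it. As an added example, not from the article or from NetApp, the Python below parses the 7-mode ‘cifs shares’ listing (embedded here as a constructed sample, before and after the ‘cifs access’ changes shown above) and flags shares that grant ‘everyone’ more than Read. It audits share-level ACLs only; on an ntfs security-style volume the file ACLs apply in addition.

```python
"""Audit Data ONTAP 7-mode 'cifs shares' output for over-permissive share ACLs.

Added example, not part of the original article or of NetApp's tooling. It
parses the layout shown in the article: one share line (name, mount point,
optional description) followed by one indented 'trustee / permission' line
per ACE, or '** no access **'. Paste the output without the prompt line.
"""
import re

# Constructed samples: the listings printed in the article before and after
# the 'everyone' entry on nshare was replaced by GMC3\rocky / Read.
BEFORE = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
"""

AFTER = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\\rocky / Read
"""

SHARE_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+(.*))?$")  # name, mount point, description
ACE_RE = re.compile(r"^\s+(.+?)\s+/\s+(.+?)\s*$")      # trustee / permission
NO_ACCESS = "** no access **"


def parse_cifs_shares(text):
    """Return {share_name: {"path": mount_point, "aces": [(trustee, permission), ...]}}."""
    shares = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue
        if line[0].isspace():
            # An indented line is an ACE belonging to the share line above it.
            if current is None:
                raise ValueError("ACE line before any share line: %r" % line)
            if line.strip() == NO_ACCESS:
                continue
            m = ACE_RE.match(line)
            if not m:
                raise ValueError("unparsable ACE line: %r" % line)
            shares[current]["aces"].append((m.group(1), m.group(2)))
        else:
            m = SHARE_RE.match(line)
            if not m:
                raise ValueError("unparsable share line: %r" % line)
            current = m.group(1)
            shares[current] = {"path": m.group(2), "aces": []}
    return shares


def overpermissive(shares):
    """Names of shares where 'everyone' holds anything beyond Read, sorted.

    The comparison is case-insensitive: the filer prints 'everyone' in lower
    case but accepts any case on the 'cifs access' command line.
    """
    flagged = []
    for name, info in shares.items():
        for trustee, perm in info["aces"]:
            if trustee.lower() == "everyone" and perm.lower() != "read":
                flagged.append(name)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", overpermissive(parse_cifs_shares(text)))
```

Run against the article’s listings it reports HOME and nshare before the change and only HOME afterwards; the default HOME share is worth the same treatment as nshare once real home directories land on it.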

Categories: Open Enterprise Server, Technical

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

6 Comments

  1. By:geoffc

    Do you have to use kinit to make the DSfW user? Would an existing eDir user be sufficient?

    Can you manage the NTFS permissions via the Windows UI for permission?

    Will CACLS.exe style tools work against the NetApp share?

    • By:psahukar

      Hi,

      Do you have to use kinit to make the DSfW user? Would an existing eDir user be sufficient?

      The pgo tool is one way to create (DSfW) users; it needs a Kerberos ticket obtained via kinit. There are other ways to create users, like iManager or ConsoleOne, where an existing eDir user can create DSfW users.

      Can you manage the NTFS permissions via the Windows UI for permission?

      The permissions are set on the NetApp. I remember a web interface being available for setting the permissions (though I have used the command line to keep the content compact). Not very sure if the Windows UI can be used in a very straightforward way.

      Will CACLS.exe style tools work against the NetApp share?

      I haven’t tried this. I don’t have a NetApp filer handy to try this out :(

      Thanks,
      Praveen Kumar

  2. By:padl

    But it could do with some proofreading, with all due respect. :-)

    If you don’t have a filer, get in touch with NetApp and see if they’ll give you a copy of the ONTAP simulator, which runs on Linux.

  3. By:itwr

    When we attempt to set up CIFS on a FAS2020 or FAS2040 filer based on DSfW AD authentication, it fails with a ‘cannot bind to an LDAP server for the … domain’ error.
    The filers have DOT 7 / Dot 8-7 mode, DSfW is on SLES10 SP4 + OES2 SP3, March 2012 patches.

    • By:psahukar

      Please check if the following commands work fine on the DSfW server

      1. kinit administrator
      2. SASL_PATH=/opt/novell/xad/lib64/sasl2 /usr/bin/ldapsearch -Y GSSAPI -b "" -s base dn
         # Replace lib64 with lib on 32-bit systems

      If the second command fails then the GSSAPI method has some problem, possibly a configuration problem. I would need the ndstrace with the TIME, TAGS, NMAS, DBG and MISC tags enabled, a LAN trace, ndsd.log and syslog to troubleshoot this issue. Can you please raise an SR? That way it will be easy to troubleshoot.

  4. By:djbrightman

    Further info related to above question from itwr
    LDAP trace on DSFW server gives

    >>
    :/var/opt/novell/eDirectory/log # grep .241 ndstrace.log
    3055983520 LDAP: [2012/06/13 14:34:51.658] New cleartext connection 0x15800c80 from 192.168.20.241:26129, monitor = 0xabbecba0, index = 85
    3059141536 LDAP: [2012/06/13 14:34:51.838] (192.168.20.241:26129)(0x0001:0x60) DoBind on connection 0x15800c80
    3059141536 LDAP: [2012/06/13 14:34:51.838] (192.168.20.241:26129)(0x0001:0x60) Bind name:NULL, version:3, authentication:GSSAPI
    3059141536 LDAP: [2012/06/13 14:34:51.839] (192.168.20.241:26129)(0x0001:0x60) Failed to authenticate full context on connection 0x15800c80, err = -1647 (0xfffff991)
    3059141536 LDAP: [2012/06/13 14:34:51.839] (192.168.20.241:26129)(0x0001:0x60) Sending operation result 49:"":"" to connection 0x15800c80
    2805574560 LDAP: [2012/06/13 14:34:51.840] (192.168.20.241:26129)(0x0002:0x42) DoUnbind on connection 0x15800c80
    <<

    (our novell portal/support entitlement is currently broken(though valid!), so can’t raise sr!)

    Regards
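The trace quoted in the last comment is easy enough to read once, but not when a filer retries the join in a loop and the log fills up. As an added example that is not part of the thread above, the Python below parses ndstrace LDAP lines of that shape (the quoted lines, plus one constructed successful simple bind so the negative case is covered) and reports each failed bind once, with the client address, SASL mechanism, eDirectory error and LDAP result code. The meaning of eDirectory error -1647 is not stated anywhere on this page and the script does not interpret it; LDAP result 49 is invalidCredentials.

```python
"""Pull failed LDAP binds out of eDirectory ndstrace LDAP output.

Added example, not part of the forum thread or of Novell tooling. Binds are
correlated by the client ip:port that eDirectory prints on every operation
line, because the 'Bind name' line does not carry the connection id.
"""
import re

# Constructed sample: the lines quoted in the comment above (with 0x spelled
# plainly), followed by an invented successful simple bind from another host.
TRACE = r"""
3055983520 LDAP: [2012/06/13 14:34:51.658] New cleartext connection 0x15800c80 from 192.168.20.241:26129, monitor = 0xabbecba0, index = 85
3059141536 LDAP: [2012/06/13 14:34:51.838] (192.168.20.241:26129)(0x0001:0x60) DoBind on connection 0x15800c80
3059141536 LDAP: [2012/06/13 14:34:51.838] (192.168.20.241:26129)(0x0001:0x60) Bind name:NULL, version:3, authentication:GSSAPI
3059141536 LDAP: [2012/06/13 14:34:51.839] (192.168.20.241:26129)(0x0001:0x60) Failed to authenticate full context on connection 0x15800c80, err = -1647 (0xfffff991)
3059141536 LDAP: [2012/06/13 14:34:51.839] (192.168.20.241:26129)(0x0001:0x60) Sending operation result 49:"":"" to connection 0x15800c80
2805574560 LDAP: [2012/06/13 14:34:51.840] (192.168.20.241:26129)(0x0002:0x42) DoUnbind on connection 0x15800c80
3059141536 LDAP: [2012/06/13 14:35:02.100] (192.168.20.50:40001)(0x0001:0x60) Bind name:cn=admin,o=novell, version:3, authentication:simple
3059141536 LDAP: [2012/06/13 14:35:02.101] (192.168.20.50:40001)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x15800d00
"""

LINE_RE = re.compile(
    r"^\d+ LDAP: \[(?P<ts>[^\]]+)\] "
    r"\((?P<client>[\d.]+:\d+)\)\(0x[0-9a-f]+:0x[0-9a-f]+\) (?P<msg>.*)$"
)
BIND_RE = re.compile(r"^Bind name:(?P<name>.*?), version:(?P<ver>\d+), authentication:(?P<mech>\S+)$")
ERR_RE = re.compile(r"Failed to authenticate .*?, err = (?P<err>-?\d+)")
RESULT_RE = re.compile(r"^Sending operation result (?P<code>\d+):")


def failed_binds(trace):
    """Return one dict per bind whose operation result was non-zero."""
    pending = {}   # client ip:port -> bind in progress
    failures = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # connection setup lines carry no (ip:port) prefix
        client, msg = m.group("client"), m.group("msg")
        b = BIND_RE.match(msg)
        if b:
            pending[client] = {
                "ts": m.group("ts"), "client": client,
                "name": b.group("name"), "mech": b.group("mech"),
                "err": None, "result": None,
            }
            continue
        e = ERR_RE.search(msg)
        if e and client in pending:
            pending[client]["err"] = int(e.group("err"))
            continue
        r = RESULT_RE.match(msg)
        if r and client in pending:
            rec = pending.pop(client)
            rec["result"] = int(r.group("code"))
            if rec["result"] != 0:
                failures.append(rec)
    return failures


def summarize(failures):
    """One line per failed bind, suitable for a log digest."""
    return [
        "%s %s bind from %s as %s: err=%s result=%s"
        % (f["ts"], f["mech"], f["client"], f["name"], f["err"], f["result"])
        for f in failures
    ]


if __name__ == "__main__":
    for line in summarize(failed_binds(TRACE)):
        print(line)
```

On the quoted trace it reports a single GSSAPI bind from 192.168.20.241 with err=-1647 and result=49, which is the same conclusion the reply above reaches by hand: the Kerberos context, not the LDAP connection, is what fails, so the ‘kinit’ plus ‘ldapsearch -Y GSSAPI’ check suggested there is the right next step.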
