Apply Apple Open Directory (OD) authentication services to StorNext NAS by using the native Kerberos features of OD, without changing the existing authentication methods.
Important
Keep in mind that the ONLY StorNext NAS-supported authentication method for Apple OD services is Kerberos.
Note: For a list of all the commands, see the Command Index.
Review the following terminology to assist you with the kadmin shell commands.
Hostname
The server name, such as nas.
Fully Qualified Domain Name (fqdn)
The full name of the server including the domain and top-level domain (tld), such as nas.domain.com.
Kerberos Realm
The domain on which the Kerberos authentication protocol acts, usually expressed as DOMAIN.TLD or ODMASTER.DOMAIN.TLD.
You can determine how the Kerberos Realm is expressed by entering the following command from a server bound to the domain:
sso_util info -g
Note: The Kerberos Realm should always be entered in upper case letters.
Step 1: Generate a Kerberos Keytab File on Mac OS X 10.10 and later
Note: Generating Kerberos Keytab Files on Mac OS X 10.10 and earlier is no longer supported.
Note: In the following procedure, make sure to use the indicated case when entering commands.
- Log in to the OD Server as the root user.
- Enter the following to create the service principal in the Kerberos database:
krbservicesetup -x cifs cifs/NASfqdn@REALM
The following output is normal:
ktutil: remove: Key table entry not found
Important
If you are configuring a NAS cluster in your environment, you need to create a service principal for each node within the cluster and for the NAS VIP.
See NAS Cluster Overview.
- Enter the following to open the kadmin shell:
kadmin -l
- Enter the following to verify that the service principal has been created:
get cifs/NASfqdn@REALM
- Enter the following to create a keytab that contains the service principal:
ext_keytab -k krb5.keytab.NAS cifs/NASfqdn@REALM
- Enter the following to exit the kadmin program:
quit
- Confirm that the krb5.keytab.NAS file is present in the working directory.
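As an added example that is not part of the StorNext NAS documentation, the following POSIX shell helpers check that a service principal name has the form Step 1 requires (cifs/<fqdn>@<REALM>, realm in upper case, fully qualified host) and print the commands a NAS cluster needs, where each node and the NAS VIP get their own principal and all of them are collected into one keytab. The hostnames and realm used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the StorNext NAS documentation. Checks the
# service-principal names used with krbservicesetup / ext_keytab and prints
# the commands a NAS cluster needs (one principal per node plus the NAS VIP).
# All hostnames and the realm are constructed placeholders.

# Return 0 when NAME is cifs/<fqdn>@<REALM> with an upper-case realm and a
# fully qualified host (at least two labels); otherwise print why and return 1.
check_principal() {
    name=$1
    case $name in
        cifs/*@*) ;;
        *) echo "bad: '$name' must be cifs/<fqdn>@<REALM>"; return 1 ;;
    esac
    fqdn=${name#cifs/}; fqdn=${fqdn%@*}
    realm=${name##*@}
    case $fqdn in
        *.*) ;;
        *) echo "bad: '$fqdn' is a bare hostname, use the fqdn"; return 1 ;;
    esac
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "bad: realm '$realm' must be upper case"; return 1
    fi
    return 0
}

# Print, for REALM and the listed hosts (cluster nodes, then the VIP), the
# krbservicesetup commands to run as root on the OD server, followed by the
# kadmin shell (kadmin -l) commands that verify each principal and collect
# all of them into one krb5.keytab.NAS file for import on the controller.
cluster_commands() {
    realm=$1; shift
    for host in "$@"; do
        check_principal "cifs/$host@$realm" || return 1
    done
    for host in "$@"; do
        echo "krbservicesetup -x cifs cifs/$host@$realm"
    done
    for host in "$@"; do
        echo "get cifs/$host@$realm"
        echo "ext_keytab -k krb5.keytab.NAS cifs/$host@$realm"
    done
}
```

Run `cluster_commands DOMAIN.COM nas1.domain.com nas2.domain.com nasvip.domain.com` to get the full command list; any name that fails the checks stops the output before anything is printed.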
Step 2: Import the Kerberos Keytab File to the NAS Controller
- Copy the keytab file to the /var/upgrade directory on the Appliance Controller.
Important
For the Appliance Controller to recognize and import the keytab file, you must name the file krb5.keytab.
- Log in to the Appliance Controller CLI.
- Enter the following command to import the keytab file into the Appliance Controller:
auth import keytab
Example:
> auth import keytab
Imported keytab /var/upgrade/krb5.keytab
Step 3: Apply the Kerberos Keytab File to Enable OD Authentication
- After the keytab is imported, log in to the Appliance Controller CLI.
- Enter the following command to enable OD authentication:
auth config aod <ip_addr|host> <KERBEROS_REALM> [ldap-domain]
The parameters are:
<ip_addr|host>
IP address or hostname of the OD server.
The port is not required and is set to 636 to ensure encryption. If the Appliance Controller cannot access port 636, it falls back to port 389.
<KERBEROS_REALM>
Your Kerberos Realm.
<ldap_domain>
Optional LDAP domain, used when it does not match the Kerberos Realm.
Example:
> auth config aod 192.168.1.10 AOD.DOMAIN.COM
Configured Apple open directory services authentication
(Optional) Step 4: Enable SID Mapping for Full ACL Support
If you choose to manage user access to SMB shares with ACLs and OpenLDAP authentication, rather than with SMB options such as admin users, valid users, and invalid users, you must enable SID mapping.
Important
You only need to enable SID mapping if you want to use ACLs with your OpenLDAP server. If you are using local or AD authentication, you do not need to enable SID mapping.
You can disable SID mapping if you no longer want to use ACLs with your OpenLDAP server. However, when you disable SID mapping under these circumstances, ACLs that have already been applied to folders and subfolders will remain, and in most cases, will be enforced.
Additional Considerations
Before enabling SID mapping in StorNext NAS, we recommend performing the following tasks.
Configure ACLs
We recommend configuring ACLs in one of the following ways:
- From Xsan clients, use the chmod +a | -a | =a command. See Display and Modification of File Permissions in the StorNext Documentation Center.
- From Linux and Unix native StorNext clients, use the snacl +a | -a | =a command. See Display and Modification of File Permissions in the StorNext Documentation Center.
Enable SID mapping
- Log in to the Appliance Controller CLI.
- Enter:
auth map sid enable
Example:
> auth map sid enable
SIDmapping enabled and domain-sid has been set to S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
You can optionally include the <domainsid> parameter (if auto-detection does not work):
auth map sid enable <domainsid>
<domainsid>
This parameter is optional and specifies the authentication server's domain security identifier (SID) if auto-detection does not work.
Example:
> auth map sid enable S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
SIDmapping enabled and domain-sid has been set to S-1-5-21-2321498199-xxxxxxxxxx-xxxxxxxxxx
Disable SID mapping
Important
You can disable SID mapping if you no longer want to use ACLs with your OpenLDAP server. However, when you disable SID mapping under these circumstances, ACLs that have already been applied to folders and subfolders will remain, and in most cases, will be enforced.
- Log in to the Appliance Controller CLI.
- Enter:
auth map sid disable
Example:
> auth map sid disable
SIDmapping disabled
6-68456-07_RevA | Initial publication date: Wednesday, December 20, 2017 | Last updated on Thursday, June 13, 2024.