Linux static user mapping with active directory, Configuring active directory – HP StoreAll Storage User Manual

Page 104

Best Practices when mapping shares:

A share should always be mapped using the User Virtual Interface (the User VIF) of a file
serving node, as that interface will be migrated to the node’s HA partner in the event of the first
node failing.

A share should never be mapped using the Admin IP address of a node as that interface
cannot migrate to the node’s HA partner.

A share should never be mapped using the StoreAll Virtual Management Interface.

Where many clients will be mapping shares, the most common method of directing mapping requests
to file serving nodes is to set up a round robin DNS entry for all of the cluster’s User VIFs.

Linux static user mapping with Active Directory

Linux static user mapping can be enabled when you configure Active Directory for user
authentication (see “Configuring authentication for SMB, FTP, and HTTP” (page 64)).

If you configure LDAP ID mapping as the secondary authentication service, authentication uses the
IDs assigned in AD if they exist. If an ID is not found in an AD entry, authentication looks in LDAP
for a user or group of the same name and uses the corresponding ID assigned in LDAP. The primary
group and all supplemental groups are still determined by the AD configuration.

You can also assign UIDs, GIDs, and other POSIX attributes such as the home directory, primary
group and shell to users and groups in Active Directory. To add static entries to Active Directory,
complete these steps:

1. Configure Active Directory.

2. Assign POSIX attributes to users and groups in Active Directory.

NOTE: Mapping UID 0 and GID 0 to any AD user or group is not compatible with SMB static
mapping.
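
The lookup order and the UID 0/GID 0 restriction described above, modelled in Python as an added example (not HP's code and not part of the manual). The user names, ID values and the `resolve_uid` and `audit` helpers are constructed for illustration; only the `uidNumber` and `gidNumber` attribute names come from this page.

```python
from collections import defaultdict

# Constructed sample entries (not from a real directory). AD entries carry the
# POSIX attributes assigned in Active Directory; None means "not assigned".
AD_USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 20001},
    "bob": {"uidNumber": None, "gidNumber": 20001},     # no UID in AD
    "carol": {"uidNumber": 10001, "gidNumber": 20002},  # same UID as alice
    "svc_backup": {"uidNumber": 0, "gidNumber": 0},     # would map to root
    "dave": {"uidNumber": None, "gidNumber": None},     # no ID anywhere
}
# Secondary (LDAP) service; entries are matched to AD users by name only.
LDAP_USERS = {"bob": {"uidNumber": 30002}}


def resolve_uid(name, ad=AD_USERS, ldap=LDAP_USERS):
    """Return (uid, source): the AD value if set, else the same-named LDAP entry."""
    uid = ad.get(name, {}).get("uidNumber")
    if uid is not None:
        return uid, "AD"
    uid = ldap.get(name, {}).get("uidNumber")
    return (uid, "LDAP") if uid is not None else (None, "unmapped")


def audit(ad=AD_USERS, ldap=LDAP_USERS):
    """Return sorted (user, finding) pairs to review before enabling static mapping."""
    findings, by_uid = [], defaultdict(list)
    for name, attrs in ad.items():
        uid, source = resolve_uid(name, ad, ldap)
        if uid == 0 or attrs.get("gidNumber") == 0:
            findings.append((name, "UID 0 or GID 0 assigned"))
        if source == "LDAP":
            findings.append((name, "UID taken from LDAP by name match"))
        if source == "unmapped":
            findings.append((name, "no UID in AD or LDAP"))
        if uid is not None:
            by_uid[uid].append(name)
    # Two accounts resolving to one UID share ownership of each other's files.
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings += [(n, f"UID {uid} shared with other users") for n in names]
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```

Accounts reported as resolved through LDAP deserve a second look, because the ID they receive depends on whoever controls the same-named LDAP entry.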

Configuring Active Directory

Your Windows Domain Controller machines must be running Windows Server 2003 R2 or Windows
Server 2008 R2. Configure the Active Directory domain as follows:

1. Install Identity Management for UNIX.

2. Activate the Active Directory Schema MMC snap-in.

3. Add the uidNumber and gidNumber attributes to the partial-attribute-set of the AD global
   catalog.

You can perform these procedures from any domain controller. However, the account used to add
attributes to the partial-attribute-set must be a member of the Schema Admins group.

Installing Identity Management for UNIX

To install Identity Management for UNIX on a domain controller running Windows Server 2003
R2, see the following Microsoft TechNet article:

http://technet.microsoft.com/en-us/library/cc778455(WS.10).aspx

To install Identity Management for UNIX on a domain controller running Windows Server 2008
R2, see the following Microsoft TechNet article:

http://technet.microsoft.com/en-us/library/cc731178.aspx

Activating the Active Directory Schema MMC snap-in

Use the Active Directory Schema MMC snap-in to add the attributes. To activate the snap-in,
complete the following steps:

104 Using SMB