
APPLICATION NOTE

Using DirectControl with EMC Celerra Network Server


Published: October 2006

Abstract
This Application Note describes how to use Centrify DirectControl to manage the mapping of Windows users of EMC Celerra Network Servers to a UNIX identity that can then be used for access control to the files managed on that server. DirectControl's method for managing these user account mappings between Windows and UNIX uses Active Directory as the central repository, without the need to extend the Active Directory schema in order to store and manage this additional information.

Contents
1 Introduction (page 1)
2 The User Mapping Challenge (page 2)
3 User Name Mapping with Centrify DirectControl (page 3)
3.1 DirectControl NIS Service Installation and Setup Overview (page 4)
3.2 Set Up a DirectControl Zone Using the Administrator Console (page 4)
3.3 Install the DirectControl NIS Service (page 7)
3.4 Set Up the Celerra Data Mover to Use NIS for User Mapping (page 9)
3.5 Testing the Solution (page 10)
4 Legal Notices (page 11)

1 Introduction

EMC Celerra Network Servers enable enterprises to provide a highly available and scalable data storage service that simultaneously supports multiple client access protocols, including NFS, CIFS and iSCSI. Although multiprotocol support makes it easy for these servers to serve different operating systems, it also means that the same user may be logged in to several of these operating systems while trying to gain access to the same files. The challenge in these multiprotocol environments is to maintain the security of the files stored in the system and to ensure that the user's identity is mapped correctly among the systems, so that the proper file permissions are granted regardless of how the user accesses the files.

CENTRIFY CORPORATION 2006. ALL RIGHTS RESERVED.

USING DIRECTCONTROL WITH EMC CELERRA NETWORK SERVER

To ensure that the user is granted proper access to files stored within the Celerra Network Server, the user's identity must be consistently defined from both the UNIX and the Windows side, from the Celerra Network Server's point of view. The user's identity on the host UNIX system is typically shared between the Celerra Network Server and the UNIX system by using either NIS or LDAP as a common repository. However, when a Windows user tries to access files on the Celerra Network Server, the user's Windows account must be mapped to an appropriate UNIX identity in order to grant access.

2 The User Mapping Challenge

Celerra Network Servers are configured with one or more Data Movers that provide client access to files stored within the system. In a multiprotocol environment, a user may have both Windows and UNIX accounts. Each account needs to be mapped to the other so that permissions granted to a file from one account on one platform also apply to the corresponding account on the other platform. This account mapping and access control mechanism needs to work silently in the background, so that the user is never challenged to re-enter a user name or password. The Celerra Network Server provides several user mapping mechanisms for use in these multiprotocol environments. These mechanisms map a Windows credential, represented by a Windows SID or User Principal Name, to a UNIX UID and GID identity for the user. The methods supported for multiprotocol environments include:
- Local user and group files for the specific Data Mover
- Network Information Service (NIS)
- Active Directory (using a Celerra-supplied Microsoft Management Console snap-in)

These user mapping mechanisms each have advantages in specific customer environments. However, a few challenges in the typical enterprise environment can prevent their normal use:
- Users will usually have more than one UNIX identity, depending on which Celerra Network Server they are accessing, since there will most likely be multiple NIS domains within a given enterprise environment.
- Windows login names typically do not match UNIX login names, which prevents the automatic lookup of an Active Directory user's UNIX account from the normal NIS server infrastructure, because NIS services running on UNIX are typically configured with UNIX login names.
- Local user and group mapping files cannot be centrally managed or shared across more than one Data Mover or Celerra Network Server.
- LDAP lookup-based systems are typically not Active Directory site-aware and cannot search across multiple Active Directory domains, since plain LDAP does not understand the concept of a Global Catalog.
- An Active Directory solution requires schema modifications to store the additional UNIX information for an Active Directory account, and it offers no flexibility in where the mapping data is stored.

Centrify provides a user mapping mechanism that addresses these issues and provides a method to centrally manage the mapping data. This document describes the various ways to integrate the Celerra Network Servers with the mapping data that DirectControl maintains for users and groups.

3 User Name Mapping with Centrify DirectControl

Centrify DirectControl provides an identity mapping mechanism that is centrally managed within Active Directory. It links a user's Windows account to one or more UNIX profiles containing the user's UNIX account attributes. This mapping, which is central to DirectControl Zones, can be used by the Celerra Network Server to provide consistent ownership and access rights to the files and directories the user accesses. DirectControl stores this mapping data within Active Directory and uses it to manage an Active Directory user's access to UNIX systems. The mapping information ensures that a user's identity is consistently maintained, so that access to UNIX-hosted resources can be properly protected regardless of how the user reaches the resource. In an organization where UNIX systems use DirectControl to manage UNIX identities, it is desirable that the Celerra Network Server use this same information to map Windows users to their assigned UNIX identities. Multidomain environments that contain both Active Directory and UNIX will also benefit from using DirectControl as the primary mechanism for managing user mapping information.

There are two ways that a Celerra Network Server can access and use the DirectControl-managed user mapping information:
- The DirectControl NIS service runs on a UNIX system that has been joined to Active Directory with DirectControl and simply makes the Active Directory-hosted user mapping information available via the NIS protocol.
- The DirectControl-managed user mapping information can also be accessed directly using LDAP queries, as long as the Zone data is stored using an RFC 2307-based schema.


The remainder of this document focuses on how to configure the Celerra Server to use the DirectControl NIS service. There are several key advantages to using this mapping over other methods:
- Redundancy. As a NIS client, the Celerra Network Server can find NIS servers by broadcasting on the local subnet; in other words, a subnet that hosts more than one NIS server enables the Celerra Network Server to fail over from one NIS server to another on that subnet, providing multiple paths via NIS to the same data held within Active Directory.
- Multidomain support. DirectControl's NIS service can provide UNIX user mapping data to NIS clients such as the Celerra Server for Active Directory users who may have an account anywhere within an Active Directory forest, including multidomain environments where the user is a member of a remote or child domain. DirectControl provides this support through its native support for advanced Active Directory features: it is site-aware and can use the Global Catalog to find user mapping information for users anywhere across the forest.

3.1 DirectControl NIS Service Installation and Setup Overview

The Celerra Network Server natively supports NIS as a user mapping lookup mechanism and simply needs to be configured to use NIS for user mapping lookups. Setting up NIS is a simple process that requires the following high-level installation and setup steps; these steps are described in more detail later.
- Install the DirectControl Administrator Console, create a Zone, and add users to the Zone.
- Install DirectControl on a UNIX or Linux computer and join this computer to the Active Directory infrastructure.
- Install the DirectControl NIS service on the UNIX or Linux computer and start the service, checking to ensure proper operation.
- Set up the Celerra Network Server to use the DirectControl NIS service.
- Test the solution for proper end-to-end operation.

3.2 Set Up a DirectControl Zone Using the Administrator Console

In order to configure the NIS service to present the required information to the Celerra Network Server, you need to install the DirectControl Administrator Console on a Windows computer and then create a DirectControl Zone. A Zone is simply a container in Active Directory that is used to store the user mapping information for each UNIX-enabled Active Directory account.


First you must create a new DirectControl Zone to store the user mapping information. DirectControl supports storing this information within Active Directory in two ways. In a Windows 2000 or 2003 environment, you can store it without modifying the Active Directory schema. In a Windows 2003 R2 environment, you can store it using the Unix attributes that are provided with the R2 schema extensions.

Figure 1. Create a new Zone.


Next you will need to define the name of the Zone and specify the type of Zone: either a standard Zone that does not require schema extensions, or an RFC 2307 Zone using the R2 schema extensions.

Figure 2. Give the Zone a name.

Figure 3. Specify the Zone type.

The remaining properties for the Zone can be left at their defaults, since we only need to define the Active Directory users that are authorized to gain access to the Celerra Network Server and to set their UNIX identities appropriately. Configuring the users' UNIX identities is as simple as adding them to the DirectControl Zone and defining the UNIX login name and UID that the Celerra will use to grant or deny access to shared files.


A user's UNIX login name needs to be defined to match his Active Directory user login name as shown on the Account tab of the user's properties. This ensures that, when the Celerra Network Server performs a search in NIS for the user, it will find the UNIX account that matches the Active Directory user trying to access the share. If it cannot find the user's UNIX identity, it will reject the user and deny access to the share.

Figure 4. Adding a user to the Zone

Now that the Zone is defined and a user has been added to it, the next step is to set up a UNIX computer to run the DirectControl NIS service.

3.3 Install the DirectControl NIS Service

The DirectControl NIS service runs as a daemon on a UNIX computer that has been joined to Active Directory using DirectControl. For this example, it is assumed that the UNIX or Linux server has already had DirectControl installed and the computer is joined to Active Directory.


DirectControl NIS runs as a service on the UNIX or Linux system and, because all the data is maintained in Active Directory within the Zone that the computer is joined to, no additional configuration is needed other than to configure the clients from which it will accept NIS requests, install the adnisd service, and start the daemon. Configuring the NIS service to accept requests from any network host requires editing /etc/centrifydc/centrifydc.conf and adding the following line to the config file.
nisd.securenets: 0/0
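The following script is an added example, not part of the application note, showing which client addresses a nisd.securenets entry lets the NIS daemon answer: the 0/0 entry above admits every host that can reach the daemon, while a prefix covering only the Data Mover's subnet answers just those hosts. It assumes an entry is written as network/prefix-length, as the note's 0/0 is; the client addresses are constructed, and the syntax for listing several entries is not taken from the page and not used here.

```shell
#!/bin/sh
# Added example (not from the application note): which NIS clients does a
# given nisd.securenets entry allow adnisd to answer? Pure POSIX sh, offline.
# Assumption: an entry is written network/prefix-length, like the note's 0/0.

# ip_to_int DOTTED_QUAD: print the address as a 32-bit integer, or return 1
# if it is not four canonical octets in the range 0..255.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows NET/LEN CLIENT_IP: 0 if CLIENT_IP falls inside NET/LEN,
# 1 otherwise (including malformed entries or addresses).
securenets_allows() {
    case $1 in */*) ;; *) return 1 ;; esac
    net=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    client=$(ip_to_int "$2") || return 1
    # A zero-length prefix (the note's 0/0) matches every client.
    [ "$len" -eq 0 ] && return 0
    network=$(ip_to_int "$net") || return 1
    mask=$(( (1 << 32) - (1 << (32 - len)) ))
    [ $(( network & mask )) -eq $(( client & mask )) ]
}

# Constructed clients: the Data Mover address used in the note (192.168.1.2),
# a host on its second subnet, and an address from an unrelated network.
for entry in 0/0 192.168.1.0/24; do
    for client in 192.168.1.2 192.168.2.100 10.20.30.40; do
        if securenets_allows "$entry" "$client"; then
            echo "nisd.securenets: $entry  answers  $client"
        else
            echo "nisd.securenets: $entry  ignores  $client"
        fi
    done
done
```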

Install the DirectControl NIS service on a Red Hat system with the following command.
rpm -Uvh centrifydc-nis-3.0.1-rh9-i386.rpm

Start the NIS daemon service with the following command.
service adnisd start

Now that the NIS service is running, you can test it by configuring the UNIX system that runs the NIS service to query it for Active Directory-hosted data. Set the NIS domain name to match the name of the Zone the computer was joined to, since that name is also used as the name of the NIS domain. Note that these domain names are case sensitive.
domainname CelerraZone

Bind the computer to the NIS service using the ypbind command.
ypbind

Perform a NIS search to ensure that Active Directory-based information is being returned to the client. The yptest command runs a set of tests and returns the results of a search of the passwd map, which contains the set of users that are enabled to access the CelerraZone. Alternatively, ypcat tells the NIS service to write a specific NIS map to standard output.
yptest
ypcat passwd

Now that the NIS service is operating properly, the Celerra Network Server needs to be configured to use this service to gain access to the NIS map data as described in the following section.


3.4 Set Up the Celerra Data Mover to Use NIS for User Mapping

The simplest method to integrate Centrify DirectControl with the Celerra Data Mover User Mapper is via Celerra's Data Mover NIS client support. Additional detailed information can be found in the Configuring Celerra User Mapping guide. The Celerra Data Mover should already have been joined to the Windows 2000/2003 Active Directory domain, and CIFS should be properly configured in order to grant Windows users access to Celerra-managed shares. Before starting the configuration, make sure that the Celerra Network Server is not configured as either a NIS server or a NIS client. If it is configured for either of these, turn the NIS server off or remove the NIS client configuration.

The first step in configuring the Celerra Server is to set its search preference for the NIS service. By default the Celerra Network Server searches for user names in the form username.domain, which will not interoperate with the DirectControl NIS service, adnisd, since the UNIX user name will be configured to match the user's Active Directory login name. To configure the Celerra Network Server to use the simpler username search, execute the following command:
server_param server_2 -facility cifs -modify resolver -value 1

The user mapping that was running previously needs its User Mapper cache removed, using the following procedure. Run server_export server_2 and ascertain that / is exported. For example:
[root@cencelcons nasadmin]# server_export server_2
server_2 :
export "/win-fs" name="/nfsdisk"
export "/" anon=0 access=192.168.1.100:192.168.2.100:192.168.1.101:192.168.2.101
share "cifsdisk" "/win-fs" umask=022 maxusr=4294967295

su to root and look for the local network IP address of server_2 on interface el130. For example:
server_ifconfig server_2 -all
el30 protocol=IP device=el30
     inet=192.168.1.2 netmask=255.255.255.0 broadcast=192.168.1.255
     UP, ethernet, mtu=1500, vlan=0, macaddr=44:41:52:54:0:5 netname=localhos

Create the mount point with mkdir /mnt/dm and execute mount <server_2-el130-ip>:/ /mnt/dm. For example:
mkdir /mnt/dm
mount 192.168.1.2:/ /mnt/dm


Remove the secmap cache. For example:
cd /mnt/dm/.etc
rm -rf secmap

Reboot the Data Mover.

The final step is to configure the Celerra Network Server as a NIS client of the DirectControl NIS server. This can be done using the web interface or the command line. The Celerra Network Server needs the NIS domain name, which is the name of the DirectControl Zone, and the IP addresses of the DirectControl NIS servers supporting this Zone (NIS domain). Use the following command to configure the Data Mover server_2 to use a pair of NIS servers (at 192.168.1.11 and 192.168.1.12) supporting the Zone CelerraZone.
server_nis server_2 CelerraZone 192.168.1.11,192.168.1.12

Now that the Celerra Network Server is set up to use NIS as the naming service, it can be tested by a Windows user accessing a CIFS share on the Celerra Network Server.

3.5 Testing the Solution

Now, verify that files created by a Windows user have the correct UID/GID. In this example, a Windows user John Rambo is configured by DirectControl and assigned a UNIX name of rambo with UID 10000 and GID 10000. To do so, follow these steps:
- Log on to a Windows workstation with an Active Directory user account that is configured for the Zone CelerraZone; in the example used in this document, Fred Thomas was configured earlier for this Zone using his user ID fred.thomas.
- Map a Windows drive to a CIFS share on the Celerra Network Server. In the example above, cifsdisk is a share that resides on the /win-fs file system and can be used.
- Create a file such as test.txt.
- On the Celerra console, mount the /win-fs file system and list the file:
[root@cencelcons nasadmin]# mount 192.168.1.2:/win-fs /mnt/dm
cd /mnt/dm
ls -ln
-rw-r--r--  1 10000 10000 0 Sep 19 11:35 test.txt

In this example, the file was properly assigned UID 10000 and GID 10000, exactly as assigned in the user's UNIX profile for this Zone.

It is also important to note that if the Data Mover is configured with NIS being the only User Mapping service, then the user will be able to access files in the share only if he has been properly configured with a UNIX profile within the Zone that the Celerra Server belongs to. Otherwise, if the user does not have a profile within this Zone, he will not be able to gain access to the share.
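The script below is an added example, not part of the application note, that automates the check from section 3.5 and the case just described: it compares the UID/GID stamped on a file created over CIFS with the UID/GID in the user's Zone profile as served in the NIS passwd map, and reports users who have no profile in the Zone at all. The passwd map lines and the ls -ln line are constructed sample data; on a live system they would come from ypcat passwd and from ls -ln on the mounted file system.

```shell
#!/bin/sh
# Added example (not from the application note): verify that a file created
# by a Windows user over CIFS carries the UID/GID of that user's DirectControl
# Zone profile, as served by adnisd in the NIS passwd map. Offline: the map
# and the ls line below are constructed; replace them with `ypcat passwd`
# and `ls -ln <file>` output for a live check.

# Constructed passwd map in standard passwd(5) field layout.
SAMPLE_MAP='fred.thomas:x:10000:10000:Fred Thomas:/home/fred.thomas:/bin/sh
bob.lee:x:10001:10000:Bob Lee (constructed):/home/bob.lee:/bin/sh'

# Constructed `ls -ln` line for the test.txt file created in section 3.5.
SAMPLE_LS='-rw-r--r--  1 10000 10000 0 Sep 19 11:35 test.txt'

# zone_ids LOGIN MAP: print "uid gid" for LOGIN from the passwd map, or
# return 1 when LOGIN has no profile in the Zone (with NIS as the only
# mapping source, the Data Mover would then deny that user access).
zone_ids() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $3, $4; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# file_ids LS_LINE: print "uid gid" taken from an `ls -ln` line.
file_ids() {
    set -- $1
    printf '%s %s\n' "$3" "$4"
}

# check_mapping LOGIN LS_LINE MAP: 0 when the file owner matches LOGIN's
# Zone profile, 1 on a mismatch, 2 when LOGIN is not in the Zone at all.
check_mapping() {
    want=$(zone_ids "$1" "$3") || return 2
    have=$(file_ids "$2")
    [ "$want" = "$have" ]
}

# Walk a few constructed logins against the sample file.
for login in fred.thomas bob.lee nobody.here; do
    check_mapping "$login" "$SAMPLE_LS" "$SAMPLE_MAP"
    case $? in
        0) echo "$login: OK, file owned by Zone UID/GID $(file_ids "$SAMPLE_LS")" ;;
        1) echo "$login: MISMATCH, file has $(file_ids "$SAMPLE_LS") but Zone says $(zone_ids "$login" "$SAMPLE_MAP")" ;;
        *) echo "$login: no UNIX profile in the Zone; CIFS access would be denied" ;;
    esac
done
```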


4 Legal Notices
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2006 Centrify Corporation. All rights reserved. Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. AN006-2006-10-26
