7 Posts
0
3087
February 8th, 2017 08:00
Isilon - Active Directory Auto-assign UIDs and GIDs : "No" is not working.
Hello,
We are using Isilon with Active Directory for Windows and UNIX (rfc2307) systems as Authentication Providers.
As part of the Advanced Active Directory Settings, the following options are available and set.
If no UID is present in Active Directory :
Lookup User : Yes
Match Users with lowercase : Yes
Auto-assign UIDs : No
If no GID is present in Active Directory :
Lookup Group : Yes
Match Groups with lowercase : Yes
Auto-assign GIDs : No
Issue: When we add a new user to Active Directory without a UID/GID and the new user tries to access the Isilon home SMB share (directory: /ifs/data/home/%0/%U), the user is able to log in to Isilon, and the home drive gets created automatically and is assigned an auto UID/GID by Isilon, even though the Advanced Active Directory Settings have Auto-assign UIDs : No and Auto-assign GIDs : No.
We expect that the new user should be denied access to Isilon because of the lack of a UID and GID in Active Directory.
Please advise for this permission issue.
Thank you,
Rutgers_Storage
7 Posts
0
February 8th, 2017 11:00
Hi Chris,
I was able to change the value of uid-range-enabled and gid-range-enabled to "No". Then we tried to create a new user in Active Directory without a UID and GID, but Isilon is still allowing the home directory to be created even though the Active Directory user does not have a UID/GID. We are expecting access to be denied, but it is not happening. Do you have any idea how we can prevent user login (without UID/GID) to Isilon?
Thank you,
crklosterman
450 Posts
0
February 8th, 2017 10:00
In 7.x this syntax would do it (just turns off the default UID range of 1-2 million):
isi auth settings global --uid-range-enabled no
Likely something similar would work in 8.x.
Hope it helps,
Chris Klosterman
Principal SE, Datadobi
chris.klosterman@datadobi.com
crklosterman
450 Posts
0
February 8th, 2017 11:00
For anyone else interested, the syntax is a bit different in 8.x, I looked it up:
isi auth settings mapping modify
[--uid-range-enabled {yes | no}]
~Chris
Rutgers_Storage
7 Posts
0
February 8th, 2017 11:00
Hello Chris,
Thank you for your reply.
I ran the following commands to list the current settings for global UID and GID, but I don’t see the “uid-range-enabled” parameter in the result. Do you know which parameter I should use to change the default UID/GID value to no?
Isilon OneFS version is 7.2.1.3.
I really appreciate your feedback.
isi auth settings global view
Send NTLMv2: No
Space Replacement:
Workgroup: WORKGROUP
Provider Hostname Lookup: -
Alloc Retries: 5
Cache Cred Lifetime: 15m
Cache ID Lifetime: 15m
On Disk Identity: native
RPC Block Time: Now
RPC Max Requests: 64
RPC Timeout: 30s
System GID Threshold: 80
System UID Threshold: 80
Min Mapped Rid: 2147483648
Group UID: 4294967292
Null GID: 4294967293
Null UID: 4294967293
Unknown GID: 4294967294
Unknown UID: 4294967294
isi auth settings global modify
Command requires at least one argument.
Usage:
isi auth settings global modify
[--send-ntlmv2 ]
[--revert-send-ntlmv2]
[--space-replacement ]
[--revert-space-replacement]
[--workgroup ]
[--revert-workgroup]
[--provider-hostname-lookup ]
[--cache-cred-lifetime | --revert-cache-cred-lifetime]
[--cache-id-lifetime | --revert-cache-id-lifetime]
[--on-disk-identity {native | unix | sid} | --revert-on-disk-identity]
[--rpc-max-requests ]
[--revert-rpc-max-requests]
[--unknown-gid ]
[--revert-unknown-gid]
[--unknown-uid ]
[--revert-unknown-uid]
[{--verbose | -v}]
[{--help | -h}]
Thank you
Rutgers_Storage
7 Posts
0
February 8th, 2017 13:00
Hi Chris,
Thank you for your time and help.
Phil.Lam
3 Apprentice
•
637 Posts
0
February 8th, 2017 13:00
It's the same command for both versions @ 7.2.+, the "isi auth settings mapping view".
# isi auth settings mapping view
GID Range Enabled: Yes
GID Range Min: 1000000
GID Range Max: 2000000
UID Range Enabled: Yes
UID Range Min: 1000000
UID Range Max: 2000000
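
An added example, not part of any post in this thread and not Isilon's own tooling: a small audit script that parses the `isi auth settings mapping view` output format shown above, reports whether the UID/GID allocation ranges are enabled, and lists accounts whose UID falls inside the range. The user listing is constructed, and treating an in-range UID as cluster-generated assumes Active Directory uidNumber values are assigned outside that range.

```python
# Added example: audit the output format of `isi auth settings mapping view`.
# Constructed sample input, copied from the format quoted in the thread.
SAMPLE_VIEW = """\
# isi auth settings mapping view
GID Range Enabled: Yes
GID Range Min: 1000000
GID Range Max: 2000000
UID Range Enabled: Yes
UID Range Min: 1000000
UID Range Max: 2000000
"""
# Constructed (hypothetical) user -> UID listing; not from the thread.
SAMPLE_UIDS = {"alice": 10234, "newhire": 1000003, "svc_backup": 1000017}


def parse_mapping_view(text):
    """Parse 'Key: Value' lines into a dict, skipping prompts and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_ranges(settings):
    """Return {kind: (enabled, min, max)}; a missing bound is None."""
    def bound(key):
        value = settings.get(key, "")
        return int(value) if value.isdigit() else None
    return {
        kind: (settings.get(f"{kind} Range Enabled", "").lower() == "yes",
               bound(f"{kind} Range Min"), bound(f"{kind} Range Max"))
        for kind in ("UID", "GID")
    }


def ids_in_range(ids, audit, kind="UID"):
    """Names whose ID falls inside the allocation range (empty if unknown)."""
    _, low, high = audit[kind]
    if low is None or high is None:
        return []
    return sorted(name for name, num in ids.items() if low <= num <= high)


if __name__ == "__main__":
    audit = audit_ranges(parse_mapping_view(SAMPLE_VIEW))
    for kind, (enabled, low, high) in audit.items():
        print(f"{kind} auto-allocation range {low}-{high}: enabled={enabled}")
    print("UIDs inside the range:", ids_in_range(SAMPLE_UIDS, audit))
```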