r_spiess

OneFS 7.0.3 Multiprotocol user to group mapping

Hello everybody,

How is it possible to satisfy the following multiprotocol requirements with an Isilon OneFS 7.1.0.3 cluster?

Windows users should get access to a share when they are in the corresponding AD group, and Unix users should get access to the same NFS export when they have the same name as a Windows user that is in a corresponding AD group. Permissions on files and folders are configured with Windows AD group permissions only.

Setup:

OneFS 7.1.0.3

Isilon is connected to Windows AD and Unix NIS.

Permissions are set as ACLs on folders/files using Windows AD group permissions. There are only permissions configured for groups, not for users.

Unix NIS user names and Windows AD user names are identical. Unix NIS groups and Windows AD groups are different (e.g. windows group "Domain Users" does not exist in NIS).

Isilon Disk format is set to native.

Example:

/ifs/test is shared as an SMB share and NFS export.

On /ifs/test, Windows AD ACLs are used for file/folder permissions. The only permission set is "Domain Users" with full control.

Now an AD user /mydomain/robert gets access to that SMB share because the user is member of the AD group "Domain Users" and this group has full control on files and folders.

Now, Unix NIS user robert needs to get access to the same folder using NFS.

In my case I always end up with access denied. If I put the Windows AD user /mydomain/robert directly into the folder ACL, access is granted. Of course I do not want to put hundreds of users into the ACLs.

How is it possible to get the Isilon to look into AD groups to see if there are users in them that have the same name as Unix NIS users?

Do I need to activate the NFS map-lookup-uid option to solve this? Is there anything else to setup regarding user mapping rules?

Bye

Robert

Peter_Sero

Re: OneFS 7.0.3 Multiprotocol user to group mapping

Within the Isilon you can replace NFS identities by corresponding AD identities with a single mapping rule as simple as:

* => DOMAIN\* [break]

Alternatively you can augment NFS identities with groups from AD, and do many more things...

Check this out:

https://support.emc.com/docu50075_Identities,-Access-Tokens,-and-the-Isilon-OneFS-User-Mapping-Servi...

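The following is an added illustration, not code from the thread, from OneFS, or from the linked document. It simulates in simplified form what the reply describes: an NFS user arriving with only NIS-derived identities (UID, GID, NIS groups) carries nothing that matches an ACL whose only ACE names an AD group, so access is denied; a mapping rule of the form `* => DOMAIN\* [break]` swaps the token for the AD identity of the same name, which carries the AD group SIDs, and the same ACL then grants access. The directories (NIS_USERS, AD_USERS, SIDs), the domain name MYDOMAIN, and the rule parser are all constructed for the example; the operator semantics (`=>` replace, `++` append groups) are approximations of the OneFS rule language, and the real syntax and options should be taken from the OneFS documentation the reply links to.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the NIS and AD directories (not real data).
NIS_USERS = {"robert": {"uid": 1001, "gid": 100}}
NIS_GROUPS = {100: "users"}
AD_GROUPS = {"MYDOMAIN\\Domain Users": "S-1-5-21-1-1-1-513"}
AD_USERS = {
    "MYDOMAIN\\robert": {
        "sid": "S-1-5-21-1-1-1-1105",
        "groups": ["MYDOMAIN\\Domain Users"],
    }
}


@dataclass
class Token:
    """Simplified access token: the principal name plus every identity
    (UID/GID/NIS group, AD user/group name and SID) it carries."""
    user: str
    identities: set


def nfs_token(name):
    """Token an NFS client gets when only NIS is consulted: UID + NIS groups,
    no AD identities at all."""
    u = NIS_USERS[name]
    ids = {f"UID:{u['uid']}", f"GID:{u['gid']}", f"NIS:{NIS_GROUPS[u['gid']]}"}
    return Token(user=name, identities=ids)


def ad_identities(ad_name):
    """All identities that the AD account and its group memberships contribute."""
    u = AD_USERS[ad_name]
    ids = {ad_name, u["sid"]}
    for g in u["groups"]:
        ids.add(g)
        ids.add(AD_GROUPS[g])
    return ids


# Rule shape assumed here:  <source> <op> <destination> [options]
RULE_RE = re.compile(
    r"^(?P<src>\S+)\s*(?P<op>=>|\+\+)\s*(?P<dst>\S+)\s*(?:\[(?P<opts>[^\]]*)\])?$"
)


def apply_rules(token, rules):
    """Apply mapping rules in order (approximated semantics):
       '=>'  replace the token with the destination identity
       '++'  keep the token and append the destination's identities
       '*'   on the source matches any user; '*' on the destination is
             replaced with the matched name
       [break] stops processing further rules after a match."""
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError(f"cannot parse rule: {rule!r}")
        src, op, dst, opts = m.group("src", "op", "dst", "opts")
        if src != "*" and src.lower() != token.user.lower():
            continue  # source pattern does not match this user
        target = dst.replace("*", token.user)
        if target not in AD_USERS:
            continue  # no AD account of that name: the rule does nothing
        if op == "=>":
            token = Token(user=target, identities=ad_identities(target))
        else:  # "++"
            token = Token(user=token.user,
                          identities=token.identities | ad_identities(target))
        if opts and "break" in [o.strip() for o in opts.split(",")]:
            break
    return token


def acl_allows(token, acl):
    """ACL = list of (principal, mask). Allow-only model: grant when any ACE
    principal is one of the identities in the token."""
    return any(principal in token.identities for principal, _mask in acl)


# The ACL from the question: a single ACE for "Domain Users", full control.
ACL = [("MYDOMAIN\\Domain Users", "full_control")]


def access_without_mapping(name="robert"):
    return acl_allows(nfs_token(name), ACL)


def access_with_mapping(name="robert", rules=("* => MYDOMAIN\\* [break]",)):
    return acl_allows(apply_rules(nfs_token(name), rules), ACL)


if __name__ == "__main__":
    print("NIS robert, no mapping rule:", access_without_mapping())
    print("NIS robert, '* => MYDOMAIN\\* [break]':", access_with_mapping())
    print("NIS robert, '* ++ MYDOMAIN\\*':",
          access_with_mapping(rules=("* ++ MYDOMAIN\\*",)))
```

The `++` variant corresponds to the reply's "augment NFS identities with groups from AD": the token keeps its UID and NIS groups (so files owned by the Unix user still resolve) and additionally gains the AD group SIDs that the ACL names. The `=>` variant discards the NIS identities entirely, which is simplest when, as in the question, every ACE refers to an AD group.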