11 Posts

January 4th, 2018 08:00

OneFS not working smoothly with samba AD

Hi there. I'm having some problems setting up OneFS to work with active directory.

We have configured an X410 cluster of 5 nodes, ready for usage. Also, we have Samba Active Directory running with the bind9_dlz backend.

So far everything is alright, but even after I've successfully joined the AD via the OneFS web interface, the cluster doesn't really authenticate with AD. The users and groups are visible in the web interface, but the samba share created in OneFS won't work with them. It authenticates only the local root, and that's not needed. On the other hand, workstations with Windows 10 are having no issues and are working as intended, logging users created in the AD.

1 Rookie

107 Posts

January 4th, 2018 23:00

Maybe it is a client issue if Win10 clients can authenticate successfully. What OS is running on the other clients? Win7?

I think the first step is to have a look at the EMC document "Troubleshoot Windows Active Directory Authentication".

If you have done that and the issue still occurs, there are some other things to check.

January 8th, 2018 14:00

Samba is not Active Directory. They give their product the same name as Microsoft Active Directory, but they're not the same thing.

We tried to get Isilon to play nice with Samba.  We got it to join the domain but couldn't see any users.  Our NetApp filers were also unsuccessful.  Our Windows clients and servers (and Linux) do authenticate successfully against Samba.

We have no problem at all for either Isilon or NetApp when we point them at Microsoft Active Directory.

Working with SEs at both vendors, neither has found reference sites for anybody doing this successfully.

I believe the right answer is to replace Samba...

3 Apprentice

1.2K Posts

January 8th, 2018 15:00

You'll have to spend a bit of time troubleshooting Samba.  Win10 and later default to Kerberos-style authentication, where Win7 defaults to NTLMv2.  There are ways to allow Samba authentication to offer Kerberos by default, then negotiate various levels of NTLM.  Windows AD does this natively (depending on which version AD Forest you have in place, and your security settings) often without your knowledge. Isilon, NetApp and other storage appliances take a good understanding of Samba configuration, if you wish to use it for AD authentication, because the configuration of the necessary fall-through rules is anything but trivial.

I think you should take a look at the document Phil provided, and see what you can find.  You might discover that Isilon is unable to communicate as expected, and the troubleshooting steps should point that out.  Or as ed.wilts stated, replacing Samba with true Microsoft AD is the way to go.

Let us know if that helps!

11 Posts

January 10th, 2018 09:00

Alright.

Here's what happened. For some reason the Windows 10 clients are now working as intended - they are successfully browsing the storage, according to their permissions.

The issue that I'm having now is that our Linux desktop machines aren't working that well. They are CentOS workstations. They join the domain successfully and log in AD users, but that's all. I cannot get them to browse the storage. Via SMB there's a permission error. I prefer NFS, so I made an NFS export, which is successfully mounted, but from there nothing is okay. The user/group are just numbers (uid and guid, I guess) and a domain user can't do anything. The local root of the machine is working well though.

4 Operator

1.2K Posts

January 11th, 2018 04:00

Does your Samba "AD" provide UNIX numeric UIDs and GIDs?

4 Operator

1.2K Posts

January 12th, 2018 04:00

Sure, RFC2307 is where things are aiming at...

The usual document, also covering the Isilon side when using Microsoft AD, is

OneFS: How to configure OneFS and Active Directory for RFC2307 compliance
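
Added example, not part of the thread and not Dell or Samba code: a Python check over an LDIF export of directory users and groups that flags the accounts lacking the RFC2307 uidNumber/gidNumber attributes asked about above, which is the condition that leaves an NFS client showing bare numbers. The sample LDIF, its DNs and the function names are constructed for illustration; the unmatched-group and duplicate-UID checks are extra heuristics beyond what the thread mentions.

```python
from collections import defaultdict

# Constructed sample of what an LDIF export of users and groups might contain.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user

dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 10001
gidNumber: 10050

dn: CN=staff,CN=Users,DC=example,DC=test
objectClass: group
gidNumber: 10000
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per entry (base64 '::' values are not decoded)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # undo LDIF line folding first
        entry = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[name.lower()].append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_rfc2307(entries):
    """Return (dn, problem) pairs for user objects whose UNIX identity cannot be resolved."""
    is_a = lambda e, c: c in [v.lower() for v in e["objectclass"]]
    group_gids = {g for e in entries if is_a(e, "group") for g in e["gidnumber"]}
    findings, uid_owner = [], {}
    # Computer accounts also carry objectClass "user" in AD, so skip them.
    for e in (e for e in entries if is_a(e, "user") and not is_a(e, "computer")):
        dn = e["dn"][0]
        findings += [(dn, "missing " + a) for a in ("uidNumber", "gidNumber") if not e[a.lower()]]
        findings += [(dn, "gidNumber %s matches no group" % g) for g in e["gidnumber"] if g not in group_gids]
        for uid in e["uidnumber"]:
            if uid_owner.setdefault(uid, dn) != dn:  # first holder of a UID keeps it
                findings.append((dn, "uidNumber %s also assigned to %s" % (uid, uid_owner[uid])))
    return findings
```
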
