Jeffey1
4 Operator
2.8K Posts
1
January 2nd, 2014 01:00
Hi Rdamal,
There are two best practices for configuring access zones:
1. You should create a separate /ifs subdirectory tree for each Access Zone. This process enables overlapping directory structures to exist without conflict and a level of autonomous behaviour without risk of unintentionally conflicting with other access zone structures.
2. For the customer using SMB only, you should consider the system zone exclusively an administration zone. To do this, you should remove all but the required shares from the system zone, and limit authentication into the system zone only to administrators. Each access zone works with exclusive access to its own shares, providing another level of access control and data access isolation.
chughh
122 Posts
1
January 2nd, 2014 02:00
Hello Damal,
I have attached a document which will explain user mapping rules to you. Please go through it and let me know if you have any more questions.
1 Attachment
docu50075_Identities,-Access-Tokens,-and-the-Isilon-OneFS-User-Mapping-Service.pdf
Rdamal
2 Intern
165 Posts
0
January 2nd, 2014 06:00
Thank you for the recommendations jeffey.
Chughh, much appreciated for sharing the doc. I have gone through the doc previously, and user mapping rules are something that I don't understand from it.
I realized that a trust relationship is established between all the ADs to which the Isilon cluster is to be joined, and so I need to join the cluster to only 1 AD. We are going with SMB only now, but we do have NFS data as well. When we migrate NFS, what would be the recommended user mapping rules?
Someone please help me with this
Damal.
Jeffey1
4 Operator
2.8K Posts
1
January 3rd, 2014 04:00
Hi Rdamal,
The user mapper is one of several discrete OneFS mechanisms that take part in creating and manipulating an access token. Let me explain how a user's token is built by considering the following example.
Let's say that in zone1, you have AD, LDAP, and local users defined. User "Rdamal" comes in over SMB to zone1. The provider list determines the order of lookup. lsassd finds "Rdamal" in whichever provider answers the lookup successfully. Depending on the provider, lsassd may now have SIDs or UID/GID information. lsassd keeps doing lookups as long as there are providers in the list, in order to map all ID information. Once lsassd creates the initial user token, the user mapping process is complete, and whatever rules are in the OneFS user mapper are applied to the token. Access checks are then possible using that user token.
EMC recommends the best practices to simplify user mapping at page 34 of the document "Identities, access tokens and the Isilon OneFS user mapping service". If you feel my answer is helpful, please help to mark it. Thanks.
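To make the token-building sequence described above concrete, here is a small Python model of it; this is an added illustration, not OneFS or lsassd code. The provider records, the zone1 lookup order and the simplified "&=" join-rule semantics are constructed assumptions, and the case shown is the one behind the NFS question: the same person spelled differently in AD and LDAP, so the SMB token gets a SID but no UID/GID until a join rule maps the two identities together.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data for zone1 (not real identities); the AD and LDAP
# spellings of the same person deliberately differ.
PROVIDERS = {
    "ad": {"rdamal": {"sid": "S-1-5-21-111-222-333-1104",
                      "groups": ["S-1-5-21-111-222-333-513"]}},
    "ldap": {"r.damal": {"uid": 2001, "gid": 2000}},
}
ZONE1_PROVIDER_ORDER = ["ad", "ldap", "local"]  # assumed lookup order

@dataclass
class Token:
    user: str
    sid: str | None = None
    uid: int | None = None
    gid: int | None = None
    groups: list = field(default_factory=list)
    resolved_by: list = field(default_factory=list)

def _merge(tok, rec, source):
    """Copy each ID the record has that the token still lacks; union groups."""
    tok.resolved_by.append(source)
    tok.sid = tok.sid or rec.get("sid")
    tok.uid = rec.get("uid") if tok.uid is None else tok.uid
    tok.gid = rec.get("gid") if tok.gid is None else tok.gid
    tok.groups += [g for g in rec.get("groups", []) if g not in tok.groups]

def build_initial_token(user, order=ZONE1_PROVIDER_ORDER, providers=PROVIDERS):
    """lsassd stage: look the name up in every provider, in list order,
    so that all available SIDs and UID/GID information is collected."""
    tok = Token(user=user.lower())
    for name in order:
        rec = providers.get(name, {}).get(tok.user)
        if rec is not None:
            _merge(tok, rec, name)
    return tok

def apply_mapping_rules(tok, rules, providers=PROVIDERS):
    """User-mapper stage (simplified): a rule ('&=', 'prov\\user', 'prov\\user')
    joins the right-hand identity's IDs into a token resolved as the left one."""
    for op, left, right in rules:
        lprov, lname = left.split("\\")
        rprov, rname = right.split("\\")
        if op != "&=" or lname != tok.user or lprov not in tok.resolved_by:
            continue  # rule does not match this token; leave it untouched
        rec = providers.get(rprov, {}).get(rname)
        if rec is not None:
            _merge(tok, rec, rprov)
    return tok
```

Without the join rule the SMB token carries only the AD SID, so NFS-side UID/GID checks on the same data would not see the same person; with it, one token holds both sets of IDs.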
Rdamal
2 Intern
165 Posts
0
January 3rd, 2014 06:00
That's very helpful, Jeffey. Thank you for your response and time.