450 Posts

February 5th, 2015 11:00

Kgadowski,

You need 2 access zones, each with its own static SmartConnect zone, for this to work, but let's take a step back.  What is the goal here?  To have 2 separate sets of data, each shared within their own unique AD domain and only to those users?

If so, then great, but keep in mind that OneFS 7.1.1.x and later have firm requirements that each access zone must have its own access zone root path, so one way that this is frequently laid out is like this:

/ifs/<clustername>/<accesszone>/

so if my cluster was called isi01, and the access zones were prod and dev, I would end up with

prod access zone --root-path=/ifs/isi01/prod/ (all shares and exports must be under this path)

     subnet0:pool1 (static, for stateful protocols in the prod access zone)

          isi01-s1.proddomain.com (SmartConnect zone name)

     authentication:

          lsa-activedirectoryprovider-proddomain.com

dev access zone --root-path=/ifs/isi01/dev/ (all shares and exports must be under this path)

     subnet0:pool1 (static, for stateful protocols in the dev access zone)

          isi01-s2.devdomain.com (SmartConnect zone name)

     authentication:

          lsa-activedirectoryprovider-devdomain.com

Does that make sense?  It sounds like by your description that you're trying to give users in 2 untrusted forests access to the same data, which is the opposite of what I just described and not a supported configuration.  This isn't something that is possible on a Windows file server either.  Of course the key word here is 'untrusted'.

Hope this helps clarify it.

Chris Klosterman

Senior Solution Architect

EMC Isilon Offer & Enablement Team

email: chris.klosterman@emc.com

twitter: @croaking

122 Posts

February 5th, 2015 09:00

Hello,

You need to have a 2-way trust for users to be able to access shares. Create 2 zones and add 1 auth provider in each zone.

Thanks

3 Posts

February 5th, 2015 09:00

Do you mean Access Zones in the Access Management section?

I created a second access zone there but I'm still getting the same error when I'm trying to join the second ADS provider.

20.4K Posts

February 5th, 2015 14:00

It is possible on a VNX with VDM (mentioning just in case you have that available in your shop).

3 Posts

February 6th, 2015 04:00

Thank you Chris.

Yes, we want to have two separate sets of data accessible from two separate AD domains.

I will pass that to my storage colleagues who should be able to implement that.

Kamil

March 7th, 2016 12:00

Hi Chris,

I too am trying to add a second authentication (AD) source, and I'm getting the same error message as the OP. I am not wanting to add two authentication domains as they are, but simply want to be able to authenticate against domain where my share needs to live.

I have multiple access zones configured, of course all are using the single domain that exists in my cluster.

What am I doing wrong that I can't add the 2nd domain to my cluster such that I can authenticate one of my new access zones against it?  (I need this because the existing AD does NOT have a two-way trust with the domain I'm trying to add.)

Does that make sense?

thank you!

Todd

254 Posts

March 7th, 2016 14:00

If that is the error message you are getting, then you need to set your first domain to not use all authentication sources, but to specify exactly one AD domain so that it doesn't try to join the new domain when it's added.  An access zone can only belong to a single AD domain even though the cluster can join many.

Once your primary domain (even if it's System) is set to only be in a specific domain, then it will be possible to add another domain to the cluster, and your new access zone can use it (as long as it is set to not use all of them as well).
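As an added example (not code from any poster in this thread), the shell script below checks a planned layout of the kind Chris describes above together with the one-AD-provider-per-zone rule Adam gives: every access zone root must be distinct and must not nest inside another zone's root, every share or export path must sit under its own zone's root, each zone must name exactly one AD provider (not "all"), and each SmartConnect zone name must be used by only one pool. The plan data is constructed to match the prod/dev example; the share paths, the pool names and the OneFS 8-style command syntax it prints are assumptions to confirm against the `--help` output of your own release.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a planned OneFS access-zone
# layout before touching the cluster. The plan is constructed to match the
# prod/dev layout above; share paths and pool names are assumptions.

# zone   root-path          AD-provider      SmartConnect-zone-name
ZONE_PLAN='prod /ifs/isi01/prod proddomain.com isi01-s1.proddomain.com
dev /ifs/isi01/dev devdomain.com isi01-s2.devdomain.com'

# zone   share-or-export-path
SHARE_PLAN='prod /ifs/isi01/prod/finance
prod /ifs/isi01/prod/hr
dev /ifs/isi01/dev/build'

# Strip trailing slashes so /ifs/a/ and /ifs/a compare equal.
norm() { printf '%s' "$1" | sed 's:/*$::'; }

# Zone roots must be distinct and must not nest: a zone rooted at /ifs/isi01
# would contain the other zone's data. The trailing "/" in the pattern keeps
# /ifs/isi01/prod from matching /ifs/isi01/production.
check_zone_roots() {
  echo "$1" | while read -r zone root rest; do
    r=$(norm "$root")
    echo "$1" | while read -r other oroot rest; do
      [ "$zone" = "$other" ] && continue
      o=$(norm "$oroot")
      case "$r/" in
        "$o/"*) echo "ERROR: zone '$zone' root $r duplicates or sits inside zone '$other' root $o"; exit 1 ;;
      esac
    done || exit 1
  done
}

# Every share or export must live under its own zone's root path.
check_share_paths() {
  zones=$1
  echo "$2" | while read -r zone share; do
    root=$(echo "$zones" | awk -v z="$zone" '$1 == z { print $2 }')
    [ -n "$root" ] || { echo "ERROR: share $share names unknown zone '$zone'"; exit 1; }
    r=$(norm "$root"); s=$(norm "$share")
    case "$s/" in
      "$r/"*) ;;
      *) echo "ERROR: share $s is outside zone '$zone' root $r"; exit 1 ;;
    esac
  done
}

# Each zone names exactly one AD provider (never "all" or a list), and no
# SmartConnect zone name is reused by a second pool.
check_providers() {
  echo "$1" | while read -r zone root prov scz; do
    case "$prov" in
      ""|all|*,*) echo "ERROR: zone '$zone' must name exactly one AD provider"; exit 1 ;;
    esac
  done || return 1
  dup=$(echo "$1" | awk '{ print $4 }' | sort | uniq -d)
  [ -z "$dup" ] || { echo "ERROR: SmartConnect zone name reused: $dup"; return 1; }
}

# Print, but do not run, the commands that would realise the plan. This is
# OneFS 8.x syntax as assumed here; JOIN_ACCOUNT is a placeholder. Confirm
# every flag against "isi <command> --help" on your release first.
emit_commands() {
  echo "$1" | while read -r zone root prov scz; do
    echo "isi zone zones create $zone --path $root"
    echo "isi auth ads create $prov --user JOIN_ACCOUNT"
    echo "isi zone zones modify $zone --add-auth-providers lsa-activedirectory-provider:$prov"
    echo "isi network pools create subnet0:pool-$zone --access-zone $zone --sc-dns-zone $scz --alloc-method static"
  done
}

run_checks() {
  check_zone_roots "$1" && check_share_paths "$1" "$2" && check_providers "$1"
}

run_checks "$ZONE_PLAN" "$SHARE_PLAN" && emit_commands "$ZONE_PLAN"
```

Run it on a workstation, not on the cluster: it only reads the two plan strings and prints the commands for review. Edit ZONE_PLAN and SHARE_PLAN to your own cluster name, zone names and domains; a zone whose root would swallow another zone, a share placed outside its zone, or a zone left on "all providers" each stop the script with an ERROR line before any command is printed.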

March 8th, 2016 08:00

This was definitely the issue. I needed to go to each existing Access Zone and explicitly choose my AD domain for authentication. At this point I can add my new domain in and then assign to the Access Zone!! Thank you Adam!!!

October 10th, 2019 00:00

Hi Chris,

Can we use this solution for two domains that have a trust?

I would like to configure the application server to access the SMB share that is created on the Isilon (in another domain).

For example: 

Application server in domain abc.com and the Isilon in bcd.com

Regards,

Kuntjoro
